On Monday (29 February), the European Commission published further information on Privacy Shield, the new mechanism proposed by the Commission and the United States to legitimise transfers of personal data to the United States.
What has been published?
The documents published by the Commission include a Communication from the Commission to the European Parliament and Council, correspondence from the US Secretary of Commerce and the Commission’s draft adequacy decision.
The draft adequacy decision is a key step in the process for Privacy Shield becoming a valid means for transferring personal data to the United States. A transfer of personal data outside the EEA will not be unlawful under the eighth data protection principle where it has been made pursuant to a mechanism in respect of which the European Commission has made a finding of adequacy.
Unsurprisingly, the draft adequacy decision concludes that Privacy Shield is indeed adequate for the purposes of the eighth data protection principle.
The Commission goes to particular lengths to explain why it considers Privacy Shield to be more robust than Safe Harbor. The draft decision contains no less than 129 recitals to explain how Privacy Shield addresses the concerns expressed by the European Court of Justice in the Schrems ruling, which declared that the Commission’s adequacy decision in respect of Safe Harbor was invalid.
Perhaps presumptuously, recital 128 (in square brackets) references the Article 29 Working Party’s “favourable opinion on the adequate level of protection provided by the United States for personal data transferred under the EU-U.S. Privacy Shield”.
What will change under Privacy Shield?
Whilst Privacy Shield maintains the self-certification approach of Safe Harbor, there are a number of changes intended to better protect the personal data of EU citizens and give those citizens redress for misprocessing.
The key differences under Privacy Shield are summarised in our previous blogpost. These include:
- enhanced supervision and oversight of compliance with the Privacy Shield principles by US organisations;
- new tiered rights of redress against US organisations, including a right to make a direct complaint, the ability to make a complaint through the individual’s national data protection authority, an alternative dispute resolution mechanism and a final point of escalation to the Privacy Shield Panel, which can issue binding decisions;
- written assurances from the US government that access by national security agencies will be subject to clear limitations, safeguards and oversight, and the establishment of an independent ombudsperson to investigate complaints;
- a new mechanism to monitor the functioning of Privacy Shield (including adherence to the commitments and assurances given in relation to access to data for law enforcement and national security purposes).
For organisations in the European Union, Privacy Shield would operate in much the same way as Safe Harbor – provided that a US data importer is listed on the Privacy Shield register, organisations can rely upon that as the lawful basis for transferring personal data to that entity.
What happens next for Privacy Shield?
The Privacy Shield proposals must go through a number of steps before there is formal adoption. The proposals will be reviewed by the European Parliament and a committee of representatives of EU member states. The Article 29 Working Party (WP29) and the European Data Protection Supervisor will also provide their opinions.
The WP29 gave a cautious welcome to the Commission’s 2 February announcement that it had reached political agreement with the US on Privacy Shield, but said that it will need to scrutinise the detail – in particular in relation to the effectiveness of the commitments and assurances on government surveillance (the issue at the heart of the CJEU’s decision in Schrems).
Now that the legal texts have been provided, the WP29 and the European Data Protection Supervisor can begin their reviews. The WP29 expects to provide its views next month. It is also expected that the WP29 will give a view on the validity of binding corporate rules and standard contractual clauses for US data transfers.
Should we be taking any action now?
Meantime, organisations that currently export personal data to the US should note the UK Information Commissioner’s most recent update. Whilst the ICO has said that it will not be expediting Safe Harbor complaints pending, it will be adopting a risk-based approach to complaints. As such, organisations should ensure that they fully understand where they are making international data transfers, the risks to data subjects, and the legal basis for those transfers.