Following the declaration of invalidity of the Safe Harbour framework for EU-U.S. data transfers by the Court of Justice of the European Union (“CJEU”) in October 2015, Privacy Shield, the new framework for transatlantic data transfers, was adopted by the European Commission on Wednesday, 12 July 2016. With ongoing uncertainty for European organisations looking to do business with or in the U.S., Privacy Shield has been heralded as a key solution. However, uncertainty remains as to whether it will provide a reliable long-term means of legal transfer, given that further legal challenge may be likely.
The Commissioner’s press release emphasises that the new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers.
Privacy Shield is based on the following principles:
- Strong obligations on companies handling data: under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list. The tightening of conditions for the onward transfers of data to third parties will guarantee the same level of protection in case of a transfer from a Privacy Shield company.
- Clear safeguards and transparency obligations on U.S. government access: The U.S. has given various assurances that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms.
- Effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Complaints are to be resolved by the company itself, or ADR solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. An arbitration mechanism exists as a last resort. EU citizens will also benefit from redress mechanisms in the area of national security which will be dealt with by an Ombudsperson independent from the U.S. intelligence services.
- Annual joint review mechanism: Privacy Shield will be monitored by the European Commission, the U.S. Department of Commerce and data protection authorities. The Commission has stated that it will draw on all other sources of information available and will issue a public report to the European Parliament and the Council.
The “Adequacy Decision” was notified to the Member States on 12 July 2016 and entered into force immediately. U.S. companies will be able to certify with the Commerce Department from 1 August 2016 once they can meet certain pre-conditions such as having a dispute resolution mechanism and privacy statement in place.
Businesses are in an ongoing state of uncertainty as to the validity of previously accepted mechanisms for transfers of data to the U.S., particularly given the intention of the Irish Data Protection Commissioner to determine the legal status of data transfers under standard contractual clauses through the referral mechanism to the CJEU. While the European Commission states that Privacy Shield reflects the requirements set out by the European Court of Justice in the Schrems v Facebook ruling, further legal challenge is expected. Strong concerns continue to be voiced by privacy rights groups about the level of protection of European citizens’ data from U.S. government surveillance despite the commitments given. The Article 29 Working Party has been critical of flaws in the earlier draft of Privacy Shield and is due to give its position on the final draft on 25 July 2016.
While it may be attractive to many companies to self-certify under Privacy Shield, a decision invalidating it in the same way as Safe Harbour will necessitate those companies again considering alternative transfer mechanisms. Given this uncertainty, many organisations will be holding back to see what developments take place in this area over the coming months and strategising long-term viable solutions and alternatives to support EU-U.S. data transfers.