The EU Commission and the US Government have announced a deal on a new Safe Harbor arrangement to allow personal data transfers to take place from the EU to America. This will be re-badged as the EU-US Privacy Shield.
In fact, much remains to be worked out in terms of the details, and indications are that the new arrangement will not be available until April 2016 at the earliest. Even then it looks almost certain to be challenged by privacy advocates in the EU.
Prior to the formal adoption of the EU-US Privacy Shield, uncertainty also remains about whether EU Data Protection Regulators will take action against organisations which continue to engage in transatlantic data transfers following the expiry of the “amnesty” over enforcement steps at the end of January 2016.
The EU Commission has said that the Privacy Shield will provide for the following:
- US businesses signing up to it will have to commit to robust obligations on data processing and individuals’ rights, backed by auditing from the US Department of Commerce. We wait to see what those commitments are and whether US businesses find them acceptable;
- The US Government has agreed to put in place clear limitations, safeguards and oversight around access to personal data for national security and law enforcement purposes. The effectiveness of this will be reviewed annually between the EU Commission and the US Government; and
- EU citizens are to be given effective redress mechanisms to complain directly to organisations processing their data, or via regulators or, where processing of EU personal data is undertaken by US officials, to a newly created Ombudsman in the US State Department.
The Article 29 Working Party (the group of national EU Data Protection Regulators) have also commented on the proposed deal. Whilst welcoming the conclusion of the EU-US negotiations on the principles, they have reserved judgment until they see the full details of the arrangements. They have called on the EU Commission to provide those details by the end of February 2016.
At the same time the Working Party has set out four essential guarantees to be considered when processing personal data for intelligence activities and which will apply to transatlantic data transfers: is it clear that such processing may occur; has the requisite balance been achieved between the rights of the individual and the national security objectives; is there sufficient independent judicial or other oversight; and can the individual effectively assert their rights? Rather pointedly, the Article 29 Working Party has stated that it still has concerns that the current US legal framework does not sufficiently address these guarantees.
The Article 29 Working Party have remained silent on whether EU data protection regulators will continue the amnesty over enforcement pending the adoption of the Privacy Shield. Given that there is still much detailed work and negotiating to be done over the new mechanism before it can be adopted, and the fact that it is almost certain to be challenged by privacy advocates, organisations should still look to put in place Standard Contractual Clauses wherever this is possible.