The European Commission has announced an agreement for a new framework for the transatlantic transfer of personal data. This has been greeted with cautious optimism by businesses and with slightly less optimistic caution by the EU regulators.
What’s the issue?
EU data protection law prohibits the transfer of personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. One of the ways certain US organisations used to be able to demonstrate an adequate level of protection was by signing up to the Safe Harbor principles, a self-certification standard operated by the US Department of Commerce and enforced by the Federal Trade Commission (FTC). In October 2015, a shock judgment from the CJEU effectively ended data transfers under Safe Harbor and, indirectly, cast doubt on other data transfer mechanisms to the USA.
The European Commission had already been trying to re-negotiate Safe Harbor after the Snowden revelations, but efforts to agree a Safe Harbor 2.0 were redoubled, especially around the main sticking points – the lack of judicial redress afforded to EU citizens in the USA for misuse of their personal data, and the lack of transparency over the data gathering activities of US intelligence agencies in relation to EU data.
The Article 29 Working Party (WP), comprising the European data protection regulators, had asked the Commission to conclude negotiations by the end of January 2016 in order to inform its decision as to the effectiveness of the remaining data transfer tools in light of the CJEU judgment.
What’s the development?
The European Commission has announced a new EU-US Privacy Shield. It is intended to replace Safe Harbor as a framework for transatlantic data flows and to address the issues which led to the demise of Safe Harbor. While the full details are yet to be published (and likely yet to be negotiated), the Commission has said that the US government will provide guarantees to protect EU citizens from mass surveillance and to give them means of redress for misuse of their data. In addition, oversight mechanisms will be introduced and US organisations processing EU personal data will be subject to robust obligations and enforcement mechanisms.
The Article 29 Working Party (WP) has said, in a press release, that it will hold off giving an opinion on the legality of existing data transfer mechanisms to the USA until it has had time to consider the impact of the Privacy Shield. In particular, the WP needs to see the detail of the new arrangement and assess the legal enforceability of the various commitments made by the USA. After this review period, which is likely to be concluded in March/April, the WP will consider whether alternative transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, can still be used for personal data transfers to the USA. In the meantime, the WP considers that this is still the case for existing transfer mechanisms.
What does this mean for you?
The devil is always in the detail and we need to know more in order to assess how effective this initiative will be and whether it will be a relatively straightforward compliance path for US organisations which will have to “commit to robust obligations”.
In terms of longevity much depends on the seriousness with which the framework is taken in the USA and whether genuine protection is provided.
Even though the WP considers Binding Corporate Rules and EU Standard Contractual Clauses to still be valid transfer mechanisms for EU data flowing to the USA, when pressed in a press conference on Wednesday on the question of enforcement against organisations which previously relied on Safe Harbor and have not yet put an alternative transfer mechanism in place, it was suggested that it would be up to individual Member State regulators to decide how to respond to complaints, although a clear answer was not forthcoming.
It is to be hoped that the WP will gain sufficient comfort from the Privacy Shield to be able to endorse transfers of data to the USA under the existing transfer tools but we will have to wait a few more months for that certainty.
The new arrangements under the Privacy Shield shall include:
- Strong obligations on companies handling European personal data and robust enforcement: compliance will be monitored by the Department of Commerce and obligations will be enforced by the Federal Trade Commission (FTC). Crucially, any company processing European employment data will have to agree to comply with decisions by European regulators in relation to that data.
- Clear safeguards and transparency obligations on US government access: the US has given the EU written assurances that access to EU personal data for law enforcement and national security purposes will be necessary and proportionate, and that indiscriminate mass surveillance will not occur. Compliance will be assessed on an annual basis by the European Commission, the US Department of Commerce, national intelligence experts and European data protection regulators.
- Effective protection of EU rights with avenues for redress: there will be a new Ombudsperson to deal with complaints around access to data by US intelligence agencies. In addition, European regulators can refer complaints to the Department of Commerce and the FTC. ADR will be available free of charge and companies will have to respond to complaints within certain time periods.
The Commission will now prepare a draft adequacy Decision over the next few weeks. The WP and Member State representatives will be consulted before the decision is voted on by the Commission College, while the USA is expected to begin preparations to put the new framework in place.
In the meantime, the WP has asked the Commission to provide the details of the Privacy Shield so that it can begin its analysis as soon as possible.
The WP has said that the European standard for data transfers, both within the EU and outside it, requires four essential guarantees in terms of access to data by intelligence agencies:
- processing shall be based on clear, precise and accessible rules: anyone who is reasonably informed should be able to foresee what might happen with her/his data where they are transferred;
- access to EU citizen data for intelligence purposes shall be subject to necessity and proportionality with regard to the legitimate objectives pursued: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
- an independent, effective and impartial oversight mechanism shall be implemented, such as a judge or another independent body; and
- effective remedies for individuals before independent bodies must exist.
The WP will analyse the Privacy Shield in the light of these requirements to determine whether it addresses the concerns raised by the CJEU in the Schrems decision and satisfies the requirements of EU law, before giving its final assessment on the validity of data transfer tools for EU/US transatlantic data flows in the spring.