Data exports

EU-US Privacy Shield

Anyone dealing with personal data travelling from the EU to the USA cannot fail to be aware of the fallout since the CJEU declared the Safe Harbor scheme (one of the recognised data export mechanisms) to be invalid. The European Commission moved relatively quickly to replace Safe Harbor, giving adequacy to the new self-certification scheme, the EU-US Privacy Shield, in July 2016.

Perhaps the main advantage of signing up to the Privacy Shield is that it avoids the need to sign individual contracts with each organisation from which data is received. An organisation with a Privacy Shield certification can be presumed to afford adequate protection to EU personal data. The adoption of the Privacy Shield, therefore, provides US organisations with an additional legal mechanism to enable lawful transatlantic data flows from the European Union.

The Article 29 Working Party (WP) (representing the EU data protection regulators) has broadly welcomed the Privacy Shield which should provide comfort to US businesses considering certifying. However, the WP has also expressed doubts about the scheme and has stated its intention to reassess its views further down the line. The WP sees the independence of the Ombudsperson who will oversee the scheme, and evidence that the Privacy Shield has teeth with real sanctions for non-compliance, as key factors in determining its success. It is worth remembering that it is open to the EU regulators to investigate data exports, regardless of any EU Commission decision of adequacy.

In addition, although the Privacy Shield provides a set of more robust and enforceable protections for the personal data of EU individuals, it may still be subject to legal challenge before the European courts, despite the view of the Commission and the US Department of Commerce that the flaws in the Safe Harbor scheme have been addressed. Two challenges from privacy groups in Ireland and France are underway in the lower court of the CJEU for an annulment of the Commission’s adequacy decision which gives effect to the Privacy Shield. The challenges, brought under Article 263 TFEU, contend that the Privacy Shield does not contain adequate privacy protections (precise details are not available). It is likely to take over a year for the court to rule on the issue if the applications are admitted (which requires that the applicants be held to be directly concerned with the Privacy Shield). Other challenges would most likely relate to the use of EU personal data by US law enforcement agencies but could nonetheless have implications for all organisations signing up to the Privacy Shield. Max Schrems continues to agitate and the High Court of Ireland recently ordered the Irish Data Protection Commissioner to look into his latest complaint.

US organisations need to consider the benefits of the Privacy Shield carefully, taking into account their business needs and practices and weighing the Privacy Shield up against the other available data transfer mechanisms from the EEA to the US. Legal advice should be sought at the outset of the decision making process.

Other data transfer mechanisms

The future of the other data transfer mechanisms to the USA remains under question with legal actions progressing through the courts. Many of the concerns which led to the CJEU’s decision to strike down Safe Harbor, also apply to EU model clauses and Binding Corporate Rules. The Commission is, therefore, working to address some of the concerns by proposing amendments to the Decisions which give effect to model clauses and which give some third countries a declaration of adequacy for data protection purposes.

Documents appearing to show Article 31 Committee proposals to amend the Commission Decisions relating to model clauses and individual country adequacy decisions suggest changes will relate mainly to regulator influence. The proposed amendments to the model clauses Decision remove qualifications on the regulator’s rights to suspend or prohibit transfers taking place using model clauses. A similar amendment is proposed in respect of transfers taking place under country adequacy Decisions. In addition, there is a proposed requirement for the Commission to set up a continuous monitoring of the data protection regimes of countries benefitting from adequacy Decisions and a sharing of information between regulators and the Commission in terms of lack of adequate protection for individuals or excessive access by law enforcement and national security agencies.

For now though, the end of 2016 sees the situation for data exports to the USA in much better shape than the start.