The European Commission has announced the adoption of the EU-US Privacy Shield to replace Safe Harbor as a means of transferring EEA personal data to the USA. Certification applications will be processed from 1 August 2016.
What’s the issue?
The European Commission announced agreement of a new EU-US Privacy Shield to replace the Safe Harbor regime in early February 2016. The announcement was greeted with cautious optimism by businesses, but the Article 29 Working Party, the EDPS and the European Parliament all raised issues with the original proposals.
Chief among the concerns were access to the data by national security agencies, the consistency of protection in terms of data protection rights, and the independence of the proposed ombudsperson.
What’s the development?
The EC has announced the adoption of the Decision to give effect to the EU-US Privacy Shield. The EC now believes that the Privacy Shield addresses the issues raised by it and the CJEU.
What does this mean for you?
If you are a US organisation wishing to import personal data from the EEA, you will be able to apply for certification under the Privacy Shield from 1 August 2016. Compliance with the Shield will mean you are presumed to provide adequate protection of EEA personal data for EU data protection purposes. EU organisations transferring personal data to the USA should have the comfort of knowing that there will be no barriers to data transfers where a US organisation has signed up to the Privacy Shield and complies with its requirements.
While this is a great step forward following the shock demise of Safe Harbor, it is not necessarily the end of the story on EU-US data transfers. Max Schrems, who brought the original challenge to Safe Harbor, has begun court action to get a similar process of review underway with regard to the use of model clauses and Binding Corporate Rules (BCRs). It is also possible that the Privacy Shield itself will be subject to legal challenge (see comments made by Schrems today), either in the near future or further down the line if it is seen as insufficiently robust. Having said that, Commissioner Jourová and the US Secretary of Commerce said that the Privacy Shield had been designed to take into account the CJEU ruling in the Safe Harbor case which gave them confidence that it would not be open to further legal challenges.
Much will also depend on the attitude of the regulators. The EC does not need the agreement of the EU data protection regulators to adopt the Privacy Shield but without their backing, the Privacy Shield is unlikely to give any real comfort to businesses because regulators have the ability to investigate data exports irrespective of any adequacy decision by the Commission. The Article 29 Working Party said it did not know what would happen if the Commission were to go ahead with the Privacy Shield as originally drafted and it remains to be seen what its views on the finalised version will be. It is also yet to give its opinion on the validity of model clauses and BCRs following the Safe Harbor judgment.
For now, at least, the EU-US Privacy Shield joins model clauses and BCRs as a solution to enable the lawful transfer of personal data from the EEA to the USA, which businesses affected by the Safe Harbor ruling should welcome.
The EC says the Privacy Shield now provides:
- strong obligations on companies and robust enforcement;
- clear limits and safeguards with respect to US government access;
- protection of EU citizens’ rights through new redress possibilities;
- an independent ombudsperson to oversee compliance and help deal with complaints; and
- an annual review mechanism to ensure the continuing effectiveness of the scheme.
Key requirements for US companies signing up to the Privacy Shield will be to:
- self-certify annually that they meet their obligations under the Privacy Shield;
- comply with Privacy Principles: these include providing data subjects with key information about their data; allowing them to opt out where data is to be disclosed to a third party; limiting the processing to what is relevant for the purpose; complying with data subject access requests; complying with rules relating to onward transfers of data; keeping personal data secure; deleting personal data which is no longer being used for the purposes for which it was originally collected; providing robust mechanisms to ensure compliance; and providing recourse for EU data subjects;
- reply promptly to any complaints (within 45 days); and
- cooperate and comply with European data protection authorities (DPAs) if handling human resources data.
The EC says it has addressed the concerns of regulators and MEPs by securing:
- a written commitment from the White House stating that bulk collection of data sent from the EEA to the USA can only take place subject to specified preconditions and that any such collection must be as targeted and focused as possible, complying with principles of necessity and proportionality. The US has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-US Privacy Shield arrangement;
- a further commitment that the ombudsperson will be independent from national security services; and
- strengthened and clarified obligations on companies concerning data protection rights, including data retention so that data must be deleted when it no longer serves the purpose for which it was originally collected.