On 08 October 2015, the Court of Justice of the European Union in its ruling in Schrems declared the European Commission’s US Safe Harbor decision invalid and ruled that such Commission decisions do not prevent a supervisory authority of a Member State from examining an individual’s claim concerning his or her rights and freedoms relating to his or her personal data and its transfer from a Member State to a third country.
In July 2016 the Commission adopted Implementing Decision 2016/1250 (the “Decision”), which recognizes that the USA ensures an adequate level of protection for personal data transferred from the EU to organisations in the USA under the EU-U.S. Privacy Shield.
The Privacy Shield framework comprises the principles annexed to the Decision (the “Principles”) together with the official representations and commitments by various U.S. authorities also contained in the annexes to the Decision. It is based on a system of self-certification by which U.S. organisations commit to the Principles, and it applies to both controllers and processors. U.S. companies wishing to avail of the Privacy Shield framework for data transfers must sign up with the U.S. Department of Commerce, which will monitor their compliance. They will be registered on the Privacy Shield list (which comprises 1346 organisations as at early January 2017) and must self-certify that they meet the data protection standards set out by the arrangement. They will also be obliged to renew their registration every year.
The Privacy Shield imposes stronger obligations than the Safe Harbor on companies handling personal data, particularly in relation to the publication of privacy statements and onward transfers of data. It also contains safeguards and transparency obligations in relation to US government access. The Privacy Shield relies on an undertaking by the U.S. Director of National Intelligence that the bulk collection of data will only be used according to specific preconditions and that indiscriminate mass surveillance will no longer take place. Individual rights receive more effective protection – the Privacy Shield envisages direct resolution of a complaint by a Privacy Shield company, free alternative dispute resolution, and arbitration before the Privacy Shield Panel, which may award non-monetary equitable relief such as correction, access or deletion. An annual joint review mechanism is also provided for, in an attempt to ensure continuous monitoring of the functioning of the framework, with particular emphasis on the commitments given with respect to access to data for law enforcement and national security purposes.
Despite the heightened compliance requirements, many data protection activists are sceptical about the practical implementation of the Privacy Shield. The Article 29 Working Party, which is an independent EU advisory body on issues of data protection, has made a public commitment to monitoring its effectiveness in practice.
Indeed, the Irish privacy advocacy group Digital Rights Ireland (“DRI”) has brought an action before the General Court of the European Union against the European Commission seeking the annulment of the Decision. DRI relies on a number of grounds in support of its action, including that the Decision does not adequately ensure that the EU citizens’ rights under European law are fully provided for where their data is transferred to the USA and that it contravenes the Data Protection Directive, the Charter of Fundamental Rights of the European Union and the general principles of European law. You will be hearing more about this on TILT over the coming months.
The uncertainty caused by the demise of the Safe Harbor framework encouraged many companies to consider the other mechanisms for international data transfers, namely the binding corporate rules and the model clauses. With respect to the latter, a hearing concerning their validity has been scheduled for February 2017 in the Irish Commercial Court following objections Max Schrems raised with the Irish Data Protection Commissioner. You will also be hearing more about this on TILT over the coming months.
It should also be noted that the General Data Protection Regulation (the “GDPR”), which will come into force in 2018, introduces changes to the international data transfer mechanisms, which will concern all transfers, not only those between the EU and the US.
Between the preparations for the coming into force of the GDPR and the heightened public awareness, 2017 promises to be yet another exciting year for data protection and privacy.