What could have been a major threat to the safe and legal transfer of data between the European Union and the United States has apparently been averted—but enterprises must quickly come to grips with an entirely new legal regime even as it is developed.
On Feb. 2, just days after a soft grace period expired, the European Union and United States agreed on a new political framework for the transfer of data from Europe to the United States, the EU-US Privacy Shield. The Privacy Shield framework itself includes the broad principles that both sides will operate under, but leaves a significant amount of work to be completed on both sides of the Atlantic in the coming weeks. Nevertheless, the agreement will likely avoid large scale enforcement actions by European Data Protection Authorities (the “DPAs”) that were threatened if no agreement was reached.
Even though the text has not been released, based on the details provided by the European Commission, the Privacy Shield will have three major components:
- New Corporate Obligations: United States enterprises receiving data will need to commit to a new set of “robust obligations on how data is processed and individual rights are guaranteed.” These obligations have yet to be described, but will no doubt be published in the near future. In addition, much like the former U.S. Safe Harbor, the U.S. Department of Commerce will ensure that these obligations are made publicly available by the enterprise and enforcement will fall under the scope of the Federal Trade Commission.
- E.U. Citizen Redress: E.U. citizens will be given much greater rights to challenge alleged misuse of their data. The preferred route will be to complain directly to enterprises and, if necessary, to rely on a free alternative dispute resolution system that will be established under the Privacy Shield. In addition, citizens will be able to apply to European DPAs who would then forward the complaints to the U.S. Department of Commerce. This was one of the major sticking points during the negotiation and it is closely tied to the Judicial Redress Act, which had been stalled in Congress for months. The Judicial Redress Act is now set for a vote in the Senate and will play a large role in the U.S. government’s implementation of the Privacy Shield.
- Limitations on U.S. Government Access: It was clear from comments by the Commission that access to personal data by the U.S. government, and particularly mass surveillance, was a major concern for European negotiators. The Privacy Shield includes written assurances by the U.S. that access for “law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.”
The agreement is far from complete and significant work remains to be done on both sides. However, the European Commission has already received the support of the College of Commissioners and will be presenting the political framework to the Article 29 Working Party (an influential body made up of regulators from EEA member states) as early as this week. The Commission repeatedly assured the public during a press conference that the political framework both cured the deficiencies identified in the European Court of Justice’s Schrems decision striking down the U.S. Safe Harbor and satisfied the current text of the now-pending General Data Protection Regulation. More details will come out in the next few weeks.
What does this mean for United States enterprises? One thing seems certain: Certification under the old Safe Harbor will not be adequate under the new Privacy Shield and might not even provide previously certified enterprises a head start. One path forward may be found in the Commission’s November 2015 Communication Regarding Data Transfer (the “Communication”) that was issued in response to the Schrems ruling. The Communication encouraged U.S. enterprises to rely on one (or, better yet, a combination) of the following legal mechanisms to transfer data:
- Contractual Solutions: U.S. enterprises may enter into one of the forms of model clauses approved by the Commission for data transfer.
- Binding Corporate Rules (BCRs): For enterprises that rely on significant intra-group transfers, the Commission encouraged the use of BCRs. These are a single set of binding, enforceable rules applied across various entities of a corporate group that have been submitted to, and approved by, European DPAs. Given their complexity and long approval process, these are most appropriate for large, multinational enterprises.
- Derogations: There are also several exceptions to the prohibition on transfer of data including if the data subject “has unambiguously given his/her consent to the proposed transfer” and, in certain instances, when it is necessary for the performance of a contract between the data subject and the enterprise.
Enterprises should not wait until the text of the Privacy Shield has been finalized to begin to put into place alternate mechanisms for the legal transfer of information. There is no guarantee that DPAs will wait before initiating any enforcement actions. Instead, the safest practice will be to adopt one of these solutions while at the same time watching the developments in the E.U. and U.S. to ensure that you are one step ahead of the regulators.