Thousands of companies that had relied on "Safe Harbour" to transfer personal data to the USA had to look for another solution after the framework was declared invalid. In the meantime, companies most often turned to standard contractual clauses or binding corporate rules. In view of the increased administrative burden and cost, however, these instruments did not prove ideal. An adequate substitute for the "Safe Harbour" framework therefore had to be found quickly, one that would respond to the Max Schrems decision, which in fact led to the cancellation of "Safe Harbour". Unfortunately, not long after the new transfer mechanism was introduced, the replacement framework "Privacy Shield" also became the subject of criticism.
The end of transferring personal data with "Safe Harbour"
Personal data protection in the EU is characterised by a high level of protection in comparison with legislation in other parts of the world. When personal data is transferred to another country, it must first be determined whether the transfer is between two EU Member States or to a third country. In accordance with the principle of free movement, the transfer of personal data between EU Member States is not subject to any formal requirements under Directive No. 95/45/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the "Directive"). There are several legal bases for transferring personal data to third countries. The transfer may take place on the basis of an international treaty (Convention No. 108, ratified by 47 countries of the Council of Europe). Another option available to controllers is to transfer data on the basis of a decision of an EU authority finding that a specific third country ensures an adequate level of protection of personal data under the Directive (for example, Israel and Switzerland). Since, according to the Commission, only a small number of countries meet this level of protection, transferring and receiving companies may also use ad hoc instruments such as standard contractual clauses (the "clauses") and binding corporate rules ("BCRs"). The clauses have the advantage that they can be used for transfers to any third country and that no approval from a national personal data protection authority is required. Nevertheless, their use involves a certain administrative burden and high costs. Companies that opt for BCRs also face an administrative burden, as BCRs must be approved in a specific authorisation procedure handled, in the Czech Republic, by the supervisory authority for the protection of personal data, the Office for the Protection of Personal Data (the "Czech Office"). According to the Czech Office, a Czech controller that intends to transfer personal data to third countries on the basis of BCRs must apply to the Czech Office for approval of the transfer before carrying it out. The last available possibility is a prior assessment of the transfer to a third country by the national authority for the protection of personal data.
In order to simplify the transfer of the personal data of European citizens to the USA, the EU's most important business partner, the Commission adopted Decision No. 200/520 ("Safe Harbor"), which allowed personal data to be transferred to recipients in the USA that had self-certified their handling of personal data. As a result of the judgment of the Court of Justice of the European Union (the "CJEU") in Case C-362/14 Max Schrems (the "Max Schrems decision"), "Safe Harbour" was invalidated more than a year ago, which made the conditions for transferring personal data to the USA stricter (see EU Legal News 06/2015).
The question was referred to the CJEU for a preliminary ruling by the Irish High Court, which was hearing a complaint by an Austrian lawyer against a decision of the Irish Office for the Protection of Personal Data (the "Irish Office"). Max Schrems had sought to prevent the transfer of personal data from Facebook's subsidiary to its parent company in the USA, since in his opinion US legislation did not sufficiently protect personal data. He reached this conclusion in the light of the widely publicised revelations of Edward Snowden, who in May 2013 published information about the PRISM programme of the US National Security Agency (the "NSA").
With respect to the concept of an "adequate level of protection", the CJEU held that, even if an adequate level of protection for personal data in the USA had been verified when "Safe Harbor" was adopted, the Commission should verify compliance with this requirement on a regular basis after adoption as well. In particular, according to the CJEU, it should carry out a review whenever there are indications of shortcomings in the protection of the personal data of European citizens processed in the USA.
The CJEU found the protection of privacy within the "Safe Harbor" scheme to be insufficient. With "Safe Harbor" declared invalid, the USA lost its exceptional position in the area of cross-border transfers of personal data and became subject to the same rules as any other third country.
Although the Commission immediately began looking for another solution for transferring the personal data of European citizens to the USA after the cancellation of "Safe Harbor", one that would meet the CJEU's requirements under European data protection law, companies meanwhile had to transfer personal data by other means, most often the clauses. Since there were more than 5,000 companies in the "Safe Harbor" register, however, implementing the clauses represented a large administrative and financial burden. In addition, as we reported in EU Legal News 7/2016, at the end of May 2016 the Irish Office, at the instigation of Max Schrems, sought clarification of the validity of the clauses in proceedings before the Irish Supreme Court.
Adoption of Privacy Shield
In view of the significant flow of personal data from EU countries to the USA, a relatively quick solution was needed that would provide the desired flexibility for transferring the personal data of European citizens while upholding the protection of privacy. The result of the diplomatic efforts was the adoption of the EU-USA Privacy Shield ("Privacy Shield") on 12 July 2016.
Privacy Shield defines more precisely the obligations of companies that process the personal data of European citizens. The US Department of Commerce must regularly update the list of companies participating in Privacy Shield and, in particular, verify that they comply with the Privacy Shield rules. A company that breaches the rules is penalised and removed from the list. Where personal data is passed on to third parties, the same level of protection must be maintained under Privacy Shield. There are currently several thousand companies on the list.
In response to criticism of the mass and non-transparent monitoring of personal data by the NSA, the USA has ruled out subjecting the personal data of European citizens transferred under the new mechanism to indiscriminate, large-scale surveillance in the future. In matters of national security, European citizens may now turn directly to an ombudsman at the US State Department. The ombudsman is independent of the NSA.
In areas unrelated to national security, European citizens who believe their right to privacy has been breached may make use of several forms of redress guaranteed under Privacy Shield. The complaint should first be handled by the company alleged to have breached the rules. If it is not resolved there, citizens may turn to their national authority for the protection of personal data, which must resolve the case in cooperation with the Federal Trade Commission. The last option is arbitration.
The effective functioning of Privacy Shield is to be ensured by a joint annual review carried out by the Commission and the US Department of Commerce with the participation of US national intelligence experts and representatives of the European authorities for the protection of personal data. The resulting report on the functioning of Privacy Shield will be submitted to the European Parliament and the Council of the EU.
The end of Privacy Shield?
Despite the fact that Privacy Shield had only recently been adopted, transfers under this mechanism soon provoked criticism once again. In September 2016, Digital Rights Ireland challenged the mechanism before the General Court on the basis of Article 263 of the Treaty on the Functioning of the European Union (the "TFEU") (Case T-670/16 Digital Rights Ireland v. Commission). Under Article 263 TFEU, natural or legal persons may bring an action for annulment only against acts addressed to them or which are of direct and individual concern to them. Since the pleadings are not yet publicly available on the CJEU's website, it is not clear how Digital Rights Ireland has argued its case for annulment. The question now is whether the CJEU will find the action admissible.
Other interest groups have decided to follow the example of Digital Rights Ireland and challenge Privacy Shield before the CJEU as well. The French group La Quadrature du Net brought its challenge on 25 October 2016 (Case T-738/16 La Quadrature du Net and Others). Unease about the legal guarantees, and especially about the practical functioning of Privacy Shield, has also been heightened considerably by the outcome of the US presidential election.
Expectations for Privacy Shield were high, fuelled by the unprecedented activity of the Commission, which managed to negotiate and adopt the mechanism in a record time of a few months. At this point, however, it remains to be seen whether it will prove a functioning and permanent solution. Exporters of personal data from the EU are therefore advised to approach this framework with caution.
Whether the fate of Privacy Shield will be sealed like that of its predecessor "Safe Harbor", or whether we will see changes that allow it to survive, will not become apparent for some time, given the usual length of proceedings before the CJEU.
Even if Privacy Shield is invalidated, companies could still transfer personal data, subject to an individual assessment of their situation and needs, using the other transfer mechanisms with all their pros and cons. In any case, minor changes to the Privacy Shield framework can be expected in response to the GDPR, since it will need to meet that regulation's requirements for transferring personal data. These tensions suggest that, although the GDPR is based on a high standard of protection of personal data for European citizens, Privacy Shield is a mechanism for transferring personal data to a country whose legal regime will apparently always differ from the high level of personal data protection in the EU. One example is the specifically European right to be forgotten set out in Article 17 of the GDPR, which does not exist in the USA in this form.