The EU and US have just agreed the “EU-US Privacy Shield” framework for data transfers from the EU to the US. This is an important development for businesses that previously relied on Safe Harbor for transatlantic data flows and that have not yet found an alternative. But the reality is that many have already learned to live without Safe Harbor, and will be focussed on preparing for the General Data Protection Regulation (for more on which click here).
What is the Privacy Shield?
The “EU-US Privacy Shield” (formerly dubbed “Safe Harbor 2.0”) will replace the Safe Harbor framework struck down by the EU Court of Justice (CJEU) last October. The European Commission announced details of the political agreement on 2 February 2016 and hopes that two key developments will address the CJEU’s concerns about indiscriminate mass surveillance and inadequate remedies for individuals: written assurances from the US Government, and a new three-step dispute resolution process for EU citizens.
- Safeguards on US government access to data: The US Government will offer binding written assurances on data protection, including a commitment to ban indiscriminate mass surveillance of EU citizens’ personal data that flows to the US. Compliance and the ongoing adequacy of the EU-US Privacy Shield will be subject to an annual joint review by the Commission and the US Department of Commerce.
- A three-step dispute resolution process for EU citizens: In the first instance, EU citizens will be able to lodge their complaints with the relevant US businesses under the scheme. If that does not resolve the issue, EU citizens will have access to a free alternative dispute resolution process to resolve the complaint within a reasonable timeframe, and arbitration is available as a last resort. A separate process for complaints relating to the US intelligence agencies’ access to personal data will be overseen by a new, independent US Government Ombudsman.
What does this mean for my business?
While the announcement is a welcome step towards restoring one of the options for lawful EU-US personal data transfers, your business may already have implemented alternative arrangements for transatlantic data flows (i.e. model contracts, binding corporate rules and/or consent processes). You may be more focused now on preparing for the General Data Protection Regulation (for more on which click here) and on firming up your contractual data arrangements. Those alternatives may be less flexible, but they facilitate compliance without the red tape that may end up putting dents in the new shield.
If you think the Privacy Shield has a place in your data compliance strategy, consider the following:
- increased compliance obligations – US businesses that join the scheme will need to comply with stricter rules on processing Europeans’ personal data under US Department of Commerce supervision (with the Federal Trade Commission being tasked with enforcement). For HR data, businesses will need to comply with EU national data protection authority decisions;
- complaints handling – your business will be the first port of call for personal data related complaints from EU data subjects and you will need a process to deal with these; and
- legal uncertainty – despite the Commission’s claims of legal certainty for businesses, the Commission views the EU-US Privacy Shield as a “living mechanism”, reviewed annually and subject to change if the safeguards aren’t working. Moreover, it’s not yet clear whether US Government assurances will be enough to address the CJEU’s concerns, making the new shield potentially vulnerable to further legal challenges.
The Commission has promised a formal “adequacy decision” in the next few weeks, and the US will also need time to prepare for implementation of the scheme. Some of that work has already started: a legal mechanism for EU citizens to sue in US courts for violations of the US Privacy Act is already making its way through the US legislature.
Want to know more?
We’re likely to hear more on the new EU-US Privacy Shield soon and will keep you posted on developments. In the meantime, we’d be happy to discuss. Click here for more information on data issues generally, and for details of our upcoming international seminars on ‘dealing with data’.