Further to our blog of 9 February 2016 (see here), the European Commission (the Commission) has published the draft “adequacy decision” and related legal texts that will provide for the EU-US Privacy Shield (the replacement framework for EU-US personal data transfers). The Commission has also issued a “communication” (i.e. a policy document with no mandatory authority) summarising the steps taken over the past few years to restore trust in EU-US data transfers since the Edward Snowden surveillance revelations.
The draft adequacy decision includes the Privacy Shield Principles that participating companies will have to abide by to utilise the new data transfer framework. The Commission has published the US Government’s written commitments on the enforcement of the new framework. Finally, the Commission has issued a communication summarising the steps taken over the last few years to restore trust in EU-US data transfers. This includes finalising the reform of EU data protection rules under the General Data Protection Reform package.
The Article 29 Working Party (WP29) (the EU entity representing national Data Protection Authorities and representatives of the EU member states) haswelcomed the publication of the legal documents and will now assess them “in order to give its opinion on the level of protection afforded by the EU-US Privacy Shield”. The WP29 has not yet given any definitive indication as to whether it thinks the proposed agreement complies with the CJEU’s decision in the Schrems case (Case C 362/14).
Following the adoption of the Judicial Redress Act by the US Congress, signed into law by President Obama on 24 February, the Commission will propose the signature of the umbrella Privacy Shield agreement. The decision concluding the agreement should then be adopted by the Council of the European Union after obtaining the consent of the European Parliament.
What should organisations be doing now?
Firstly, it bears reiterating that Safe Harbor remains unlawful. Organisations should not therefore be relying on this framework for EU-US personal data transfers. Privacy policies and contractual terms should have been amended some time ago.
Secondly, organisations should be cautious in anticipating being able to rely on the EU-US Privacy Shield framework. There is concern that the Commission is being overly optimistic in the legality of the new framework.
Organisations should instead “keep calm and carry on”. The WP29 and the Information Commissioner’s Office have confirmed that organisations can continue to use other tools, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs), for data transfers to the US. That said, the WP29 has indicated that it will consider in the medium-term whether SCCs and BCRs meet the CJEU’s requirements in Schrems. UK entities may therefore wish to contact organisations in the USA to which they transfer personal data to review whether such transfers are entirely necessary.