As safe harbor sinks into the Puerto Rico trench, rise the era of the EU-US Privacy Shield! Destined to protect and defend the privacy rights of EU Citizens as determined by the Court of Justice. 

If this sounds a bit like the beginning of a, too good to be true, superhero cartoon, you would not be the first reader to think that. With nothing in the way of documented certainty and plenty in the way of skeptical uncertainty, Commissioner Jourová appears to have an uphill battle ahead of her to convice citizens and the EU Data Protection Regulators (in the form of the Article 29 Working Party (WP29)) that the EU-US Privacy Shield (Privacy Shield) is the answer to the now defunct safe harbor. 

Where are we? 

Following the Court of Justice of the European Union (CJEU) decision in the Schrems Case, there was a great deal of uncertainty regarding the status of personal data transfers to the US. Given this, the WP29 set the European Commission a deadline of the end of January 2016 to come up with a new solution to the “safe harbor predicament”, before the various EU Data Protection regulators started to take action against business in relation to transfers to the US. The statement by Commissioner Jourová that a deal was close on 1 February 2016, followed by the announcement on 2 February 2016 that there is “political agreement” and a mandate has been given to prepare documents for the creation of the Privacy Shield enabled it to just about sneak under the bar of the WP29 review meeting deadline. But is it enough? 

As mentioned by Commissioner Jourová in her statement on 1 February, the devil is in the detail and what we appear to have at present, is an agreement to agree. Every lawyer worth their salt knows that such agreements should be treated with care and this is exactly the approach which the WP29 took to the announcement. At their press conference on 3 February, the WP29 were at pains to say they would wait to see the detail in the documentation, and did not give much away in terms of their initial view on the proposed Privacy Shield, save to comment that the idea of an Ombudsman was a good sign. 

So what do we actually have? What is this proposed EU-US Privacy Shield? 

Privacy Shield Proposals 

From the limited information available, the proposals do give an indication of some significant changes from the now defunct safe harbor regime. Whether the proposals actually deliver on their promise remains to be seen. What are the proposals? 

  • Strong obligations on companies handling EU personal data and robust enforcement.
    • This will include robust obligations (no details were given as to what these would be) on companies regarding data processing, as well as certain obligations regarding data subject rights (which rights is not known).
    • The above requirements will be monitored by the US Department of Commerce (DOC) with enforcement of the obligations under US law by the Federal Trade Commission (FTC).
    • US companies processing EU human resources personal data from the EU will not only be required to comply with the above mentioned US law requirements, but also decisions issued by EU Data Protection Authorities.

At present, we do not know what the robust obligations will be, or what data subject rights will have to be complied with, but the fact that compliance with these will be enforceable by US law sounds promising from an EU perspective. How long it will take for such a law to make it through the US legislative process is cause for some concern, especially with the US presidential elections on the horizon.

In relation to US companies complying with the decisions of EU Data Protection Authorities, this is a little more perplexing. How would this work in practice? Would such decision have to be legally binding on US entities, if so, how would this be enforced, where would it be enforced and by whom? Given that there are multiple EU Data Protection Authorities, it is unclear how this is intended to apply to the US. After all, at present the decisions of one EU Data Protection Authority are not binding on another EU Data Protection Authority which begs the question, is the US being placed under greater obligation than other EU jurisdictions are subject to.

There may be political agreement to enter into a new arrangement, but the potential wide reaching impact on US companies may put up some very serious objections to the political will from the US side of the Atlantic. 

  • Clear safeguards and transparency obligations on US government access
    • US assurances that access to EU personal data for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
    • Access to EU personal data for law enforcement or national security purposes must be necessary and proportionate and the indiscriminate mass surveillance of EU citizens by the US will not be allowed.
    • Annual review of the above and the Privacy Shield agreement by the EU Commissioners and the DOC, with national intelligence experts being invited to the reviews, as well as input from the EU Data Protection Authorities.

Just how these commitments and assurances manifest themselves in the final documented agreement is something which will be closely scrutinised by all parties. This is fundamental to meeting the requirements of the CJEU decision. On the limited information provided above, there are a lot of doubts as to whether the requirements have been met, but we (like the WP29) reserve judgement pending sight of the written documentation.

  • Effective protection of EU citizens’ rights with several redress possibilities
    • US companies will have to comply with EU citizen complaints within certain deadlines.
    • EU Data Protection Authorities will have the ability to refer EU citizen complaints to the DOC or the FTC for resolution.
    • A free-of-charge Alternative Dispute mechanism will be set up.
    • An Ombudsman will be created to deal with concerns regarding access to EU personal data by the national intelligence authorities in the US.

This is a significant step change from safe harbor where EU citizens did not have rights of recourse against the US entities processing their personal data. The fact that an EU citizen could now have up to 4 different mechanisms for enforcing their rights against US entities certainly shows willing on the part of the negotiating parties, but we cannot help but wonder how this will actually be implemented and whether it will be effective. Additionally, while this sets up different mechanisms for enabling EU citizens to enforce their rights, the information provided does not give any detail as to the consequences of taking such actions for US companies.

We wait with baited breath to see just how these enforcement mechanisms will work and assist EU citizens, as well as obtaining a better understanding of the possible consequences for US entities which find themselves on the wrong end of any such complaint.

Do we have the certainty we had hoped for? 

The short answer is – No. Certainly not yet. When will we get this certainty, well that depends on the Commission and when it can prepare the documentation necessary to prepare the adequacy decision which Commissioner Jourová advised would be “in the coming weeks”. It also will depend on the position taken by the WP29 given its comments at its press conference on 3 February 2016. 

In issuing its reserved comments on the Privacy Shield, the WP29 also made it clear that it was not only looking at the Privacy Shield arrangement, but more widely at all other international transfer mechanisms to the US. In other words, the outcome on Privacy Shield will impact the WP29 considerations in relation to EU model clause agreements (EMC) and Binding Corporate Rules (BCR) as well! The WP29 was quick to point out that until it had made a decision on the Privacy Shield and its impact on the EMC and BCR, that these mechanisms remain valid. The question then becomes, for how long? 

So what next? 

The WP29 have requested that the Commission provide all the necessary documentation on the Privacy Shield by the end of February 2016. This will give the WP29 time to consider the detail of the documentation against the Schrems decision and the 4 essential guarantees which the WP29 considers the Schrems decision has highlighted when it comes to intelligence activities, namely: 

  • the right that processing be by such agencies be on clear, precise and accessible rules;
  • the fact that such activities must be proportional and necessary with regard to legitimate objectives which have to be demonstrated;
  • the obligation that such organisations and activities need to be subject to an independent oversight mechanism; and
  • the requirement that effective remedies must be available to EU citizens to enforce their rights in relation to their data.

If the Commission documentation is provided to the WP29 by the end of February, it will provide the WP29 with time to consider the material ahead of the WP29 extraordinary plenary meeting which has been called for the end of March to further discuss international transfers. The output of this meeting could mean a decision on international transfers to the US by the middle of April 2016. In regards to transfers to other jurisdictions, it is yet another case of “watch this space”. 

What should you do about transfers to the US now? 

The WP29 made it clear that any current transfers relying on the defunct safe harbor are unlawful. They were also very clear that transfers to the US under current EMC or BCR remain lawful in the eyes of the WP29 and in the eyes of the Commission and should be used to enable the transfer to the US. However, once such documents have been signed, you should keep a watching brief on this space, as changes and updates are likely to happen thick and fast, as this week has proved. 

Closing comments 

Rather than having a “crash” “pow” “wollop” end to safe harbor and international transfer uncertainty, we have a story of multiple parts and a case of, to be continued ....