Following support from a majority of EU Member States last week, the European Commission moved swiftly to issue an adequacy decision that formally adopts an agreement finalized with the US Department of Commerce in June concerning arrangements to legitimize the transfer of EU personal data (a broadly defined term under the EU rules) to the US. The much anticipated "EU-US Privacy Shield" arrangements will replace the Safe Harbor regime, which was invalidated by the EU Court of Justice (CJEU) in October 2015. The US Department of Commerce will begin accepting certifications on 1 August 2016, and a number of US companies have already publicly signaled their intention to pursue Privacy Shield status.
Since the CJEU's decision last year, many US companies that "import" EU personal data have found themselves caught in a legal purgatory, with no clear path to legitimacy under the EU framework. Although some companies were able to adopt the EU Standard Clauses or identify other legal justifications as an alternative to self-certification under the Safe Harbor program, these alternatives are not suitable for many US businesses. To complicate matters still further, a legal challenge regarding the legitimacy of the EU-approved Standard Contractual Clauses was lodged in May 2016 and is currently under review.
The path ahead for US companies that may wish to avail themselves of the Privacy Shield option contains a number of pitfalls. Civil rights activists have threatened fresh challenges against the new transatlantic arrangements on the basis that they fail to resolve the main concerns that led to the invalidation of Safe Harbor, particularly those relating to mass surveillance by US law enforcement and national security agencies. Further, a controversial bill in the US (S.3017) that would limit the scope of the US Privacy and Civil Liberties Oversight Board to the protection only of the "privacy and civil liberties of United States persons" awaits action in the Senate. If enacted, the bill could undermine the mechanisms included in the Privacy Shield arrangements to protect the rights of EU residents whose personal data has been transferred to the US.
Apart from potential litigation concerns, the new Privacy Shield contains a number of substantive and procedural requirements that are more rigorous than those provided for under the Safe Harbor framework. These include new rules requiring data erasure and limiting onward transfers to third parties, a free dispute resolution mechanism for data subjects, safeguards and transparency obligations relating to US government access, the creation of an independent US Ombudsman to address concerns raised by EU citizens and a yearly review of the arrangements. For further information, see our February 2016 Client Alert - Privacy Shield Package Released; EU Determination of "Adequacy" Next.
The yearly review means that the ink will barely be dry on the Privacy Shield decision before the regulatory implications of the new EU General Data Protection Regulation (GDPR), which will become enforceable in May 2018, will need to be considered and addressed.
Potential participants in the Privacy Shield program will also need to consider the fact that stepped-up enforcement and oversight have been promised by officials on both sides of the Atlantic. US companies will need to assess very carefully the costs, benefits and regulatory risks associated with signing up to this option and of not doing so. For example, US companies planning to use the Privacy Shield to cover intra-group transfers of personal data of their employees will need to take into account that their US operations will be directly answerable to national data protection authorities in Europe rather than the US Federal Trade Commission. (This was likewise the case under Safe Harbor though often disregarded by program participants and rarely if ever invoked.) Given the increased activism displayed by national data protection authorities in Europe over the past several months, enforcement issues will need to be evaluated by US companies with eyes wide open. The European Commission also plans to release a "Citizen's Guide", which will list all possible forms of redress available to EU data subjects.
Finally, the impact of Brexit on transatlantic data transfers from the UK will need to be considered. There is likely to be no impact in the near term, as recently confirmed by the UK Information Commissioner's Office. However, depending on the Brexit model that is ultimately agreed between the UK and the EU, the longer term repercussions could place the UK in a similar position to that of the US in relation to the EU27, namely a third country requiring its own adequacy decision. Looming large in that regard is a controversial bill backed by the new Prime Minister during her time as Home Secretary, the Investigatory Powers Bill (dubbed by some "the Snoopers' Charter"), which provides for sweeping new powers of interception of communications based on national security concerns. The bill has just had its second reading in the House of Lords and has been signaled as a possible future threat to an EU adequacy decision for the UK.
In sum, although approval of the Privacy Shield framework will be applauded by many in the business community, its suitability for individual companies will need to be evaluated in the light of each organization's specific circumstances and considering the particular types of data that may be implicated (online, customer data, employee data, etc.).