The uncertainty for companies that transfer personal data from Europe to the USA looks set to continue as doubts have been raised over the proposed new Privacy Shield
The transfer of personal data concerning citizens living in EU member states is governed by the EU Data Protection Directive 1995 (Directive 95/46/EC, the Directive). The Directive also applies to the three non-EU members of the European Economic Area (EEA): Iceland, Liechtenstein and Norway.
Whilst personal data can be freely transferred within the EEA, Article 25(1) of the Directive provides that transfers of personal data outside of the EEA are only permitted if there is adequate protection for that personal data in the receiving country. Only a handful of jurisdictions (Andorra, Argentina, Canada (commercial organisations only), Switzerland, the Faroe Islands, Israel, Guernsey, the Isle of Man, Jersey, New Zealand and Uruguay) have been designated as adequate for this purpose by the European Commission (EC).
Given large corporates such as Google and Facebook, which EU citizens use on a daily basis, store and process their users' personal data in the USA, which is not designated as adequate by the EC, what frameworks are in place to ensure there is adequate protection for this personal data?
Safe Harbor was an agreement between the EU and the USA, which required US companies to self-certify that they would protect EU citizens' personal data when transferred to, stored and processed in the USA.
Previously, if a US company was registered under Safe Harbor it was, in brief, considered safe for an EU-based company to transfer personal data to it. However, in June 2013, Edward Snowden leaked details of internet and phone surveillance by the US National Security Agency (NSA).
Amongst other disclosures, Mr Snowden revealed that the NSA had obtained access to data held by nine large internet firms, all of which were Safe Harbor registered, in order to monitor online communications in a mass surveillance programme known as Prism. This led to the well-publicised case of Maximillian Schrems v Data Protection Commissioner (Case C-362/14, 2015), in which the Court of Justice of the EU declared the EC's Safe Harbor adequacy decision invalid.
The Privacy Shield
The Privacy Shield is the EC's response to the call for clear guidance from national data protection authorities on how to deal with data transfers to the USA following the Schrems case. We considered the new framework in our previous article.
The Privacy Shield aims to implement, amongst other things:
- an annual joint review by the EC and US Department of Commerce following which a public report will be produced
- a US ombudsman to deal with complaints
- written commitments from the US Office of the Director of National Intelligence that EU citizens' personal data will not be subject to mass surveillance; and
- limits placed on what the US government can do with personal data.
While the Privacy Shield has generally been welcomed by companies on both sides of the Atlantic, the Article 29 Working Party has highlighted a number of concerns, including its lack of protection against bulk collection and mass surveillance by US government agencies such as the NSA.
Recently, Giovanni Buttarelli, the European Data Protection Supervisor, has called for significant improvements before the agreement receives political approval, and the European Parliament has passed a Resolution demanding that changes be made.
Given this, it may be some time before we have a suitable and certain replacement for Safe Harbor.
What, therefore, are the options available to companies wanting to transfer personal data outside of the EEA into the USA?
- Binding Corporate Rules (BCRs) are often used by groups of companies, particularly where intra-group transfers happen frequently. They are a set of internal rules, such as a Code of Conduct, adopted by a multi-jurisdictional group of companies, which sets out the group's global policy on transfers of personal data to countries that are not designated as providing adequate protection. BCRs must be approved by the relevant DPAs, and the group must demonstrate that they provide adequate safeguards for protecting personal data. The new General Data Protection Regulation (GDPR) (referred to briefly below) expressly recognises BCRs as a way of legitimising transfers of personal data within a multi-jurisdictional group.
- EU Model Clauses (also known as standard contractual clauses) can also be used. There are different versions of the Model Clauses, covering controller-to-controller and controller-to-processor transfers, and it is important to know which set to use. Despite being widely accepted as providing adequate protection of personal data, the Irish regulator has recently announced that it has notified both Mr Schrems and Facebook of its plan to proceed to the Irish High Court and ask the CJEU to provide a legal assessment of data transfers made by means of Model Clauses. This will therefore be a key development to watch.
A new EU data protection framework has now been agreed and it looks as if it will take direct effect in each member state's national legislative system on 25 May 2018. For further information see our recent article.
Companies will be pleased to know that the outright ban on transfers to third countries without the prior approval of the relevant data protection authority (DPA), which appeared in earlier drafts of the GDPR, has been removed from the final text.
Whilst there has been little change to the rules concerning international transfers of personal data, one significant change is that DPAs will be able to impose fines for infringements relating to international transfers of up to 4% of the infringing company's annual worldwide turnover or EUR 20 million, whichever is greater.
As a result of the current uncertainty surrounding the transfer of personal data from within the EEA to the USA and the forthcoming GDPR, we would recommend that companies seek advice prior to a particular transfer as well as start familiarising themselves with the GDPR and the potential impact this will have on their organisation.