Regular readers of this blog will be aware that, last fall, the Court of Justice of the European Union struck down the Safe Harbour framework which permitted the lawful transfer of personal information from the EU to the US through a self-certification model. Negotiations between the European and US authorities to update or replace the framework were already underway prior to this decision, but the Court’s intervention raised the stakes dramatically. The Article 29 Working Party (WP29) had set a deadline of the end of January after which European Data Protection Authorities (DPAs) might begin coordinated enforcement actions against organizations continuing such data transfers based solely on Safe Harbour self-certification. (See previous posts on this subject here, here and here.) That deadline recently passed, without any agreement.
However, on February 2, 2016, the European Commission (EC) and the US Department of Commerce and Federal Trade Commission (FTC) each announced that a new framework agreement, dubbed the EU-US Privacy Shield, had been reached in principle. The agreement has apparently been recorded at the political level via an “exchange of letters”, rather than a full-blown international agreement. No text of any agreement has been released, nor has any timeline for publication been announced. However, the goal is to complete the work to implement the framework within approximately 3 months (or, roughly, by the end of April).
Elements of the Framework
According to the EC announcement, the framework involves the following elements.
- US companies wishing to import personal data from Europe will need to make public and, at least theoretically, enforceable commitments to certain “robust obligations” for the processing and handling of that data. Companies handling “human resources data” will be required to commit to comply with decisions by European DPAs.
- The US government has provided a written commitment that state-level access to personal information of EU citizens for law enforcement and national security purposes will be subject to “clear limitations, safeguards and oversight mechanisms”. The EC announcement states that the US has “ruled out” indiscriminate surveillance. However, on February 1 (the day before announcing the agreement) Commissioner Jourová (who has responsibility for Justice, Consumers and Gender Equality and who has played a lead role in the negotiations) acknowledged in a briefing to the European Parliament that the US had reserved a discretionary right to “generalized access” in certain circumstances.
- Redress and enforcement mechanisms for European citizens will be extended and strengthened. This will include mandatory deadlines for responses by the US organizations to complaints from individuals, as well as some form of mandatory, no-cost alternative dispute resolution. A US Ombudsperson will be responsible for fielding complaints about possible access to personal information by national intelligence authorities. In addition, European DPAs will be able to refer complaints to the US Department of Commerce and FTC.
- Beginning in 2017, the EC and the US Department of Commerce will conduct annual joint reviews of the functioning of the framework, including the issue of national security access to data.
The European College of Commissioners has approved the framework agreement and tasked Commissioner Jourová and Vice-President Ansip to draft an “adequacy decision”. This would be the legal vehicle by which the EC would acknowledge that the protections offered by the Privacy Shield framework satisfied the obligations of European law. This adequacy decision will be subject to review by the WP29 and a committee composed of representatives of the EU member states and, ultimately, approval (or rejection) by the College of Commissioners. As noted above, this process is anticipated to take around three months.
Once adopted by the College, the adequacy decision will effectively be part of EU law, but it will remain subject to review by the CJEU. It was the similar decision acknowledging the adequacy of the Safe Harbour framework that the Schrems decision of the CJEU struck down in October 2015. By the same token, it is this document that will be subject to future challenges, and which will have to articulate how the Privacy Shield satisfies the tests set out by the Court.
On the US side, the road ahead is less clear. None of the US announcements refer to any legislative or executive process to implement the agreement.
Reaction and Implications
The WP29 has reacted cautiously to the announcement, noting that many critical details, including the actual legal status or enforceability of the agreement, remain quite uncertain. The WP29 has expressed concern that the framework may not go far enough to meet the standards of adequacy mandated by the Schrems decision. But the European DPAs have effectively agreed to allow more time to finalize and review the agreement, postponing the threat of any enforcement action for at least a few more months.
Based on the information that has been released so far, this cautious approach seems justified. The Schremsdecision put significant emphasis on the enforceability of the framework commitments and rights of redress for European citizens, and was more or less unequivocal that generalized access to personal information, even for national security purposes, was problematic. It is not entirely clear that the new framework will meet the standards required by the CJEU.
There will be significant practical and political pressure to declare victory and allow the flow of consumer data (which is fundamental to many businesses and services) to continue. However, if the new adequacy decision cannot withstand scrutiny by the CJEU, this will be an illusory victory at best.
Much will depend on the US implementation of the framework, which may be politically challenging in an election year. It remains somewhat unclear to what extent the US is actually prepared to make any substantial changes to its legal regime, or whether it is merely hoping to rely on a political commitment and a better explanation of what protections that regime already provides.
In either case, while organizations which transfer data from the EU to the US will benefit from another few months of grace as a result of the agreement in principle, it seems clear that this story is far from over. We will continue to monitor and report on developments as they arise.