The EU-US Privacy Shield has now been formally approved, providing a new mechanism for transferring personal data from the EU to the US, and reducing the legal uncertainty international businesses have been facing – at least for now. This follows a lukewarm reception to previous incarnations of the Privacy Shield, including specific concerns identified by European bodies including the WP29, the European Data Protection Supervisor and the European Parliament, which prompted the EU and the US to carry out further negotiations to agree revisions and a final version to address the concerns. This version has now successfully completed the approval process, culminating in the European Commission issuing its adequacy decision on 12 July.
On 2 February 2016, the European Commission (the "Commission") announced an agreement with the US government on the EU-US Privacy Shield, as a replacement lawful basis for transfers of personal data from the EU to the US, after the Court of Justice of the EU (the "CJEU") decided in October last year that the Commission's previous Adequacy Decision regarding Safe Harbor was invalid.
As we previously reported, EU Data Protection Authorities, which collectively meet as the Article 29 Working Party ("WP29"), identified strong concerns and recommended a number of changes in an Opinion issued on 13 April 2016. The European Parliament subsequently voted on a non-binding Resolution encouraging the Commission to continue negotiations with the US to remedy "deficiencies". As a result, the Commission and representatives from the US went back to the negotiating table to produce a revised deal, which has now been reviewed and approved by the Article 31 Committee (a committee made up of representatives of the 28 EU Member States and chaired by a representative of the European Commission, under Article 31 of Directive 95/46/EC). The Commission has now formally approved the new data transfer mechanism, which finalises the adoption procedure for the EU-US Privacy Shield.
Key changes to the proposed Privacy Shield
The final version of the deal features a number of amendments, mainly to address the WP29's concerns regarding the previous proposal. The most important changes are set out below:
- A requirement for companies to delete personal data that no longer serves the purpose for which it was collected (addressing the WP29's concerns that the Data Retention Principle was not sufficiently addressed).
- A requirement that third party companies processing data on behalf of companies that have signed up to the Privacy Shield must guarantee the same level of protection as the Privacy Shield companies themselves (addressing the WP29's concerns that there were insufficient restrictions on the ability of US organisations that receive personal data under the Privacy Shield to transfer those data onward to third parties).
- Clarifications from the US about when bulk surveillance will be authorised (i.e., only in exceptional circumstances, where targeted collection is not feasible) and that such surveillance will be accompanied by additional safeguards to minimise the amount of data collected and subsequent access to the collected data (such access to be targeted and only permitted for specific purposes). This is designed to address criticisms from European bodies that previous representations of the US Office of the Director of National Intelligence did not rule out the possibility of large-scale, indiscriminate collection of personal data originating from the EU.
- Last but not least, the new version also provides clarifications on the Ombudsperson Mechanism to address the WP29's concerns that such an ombudsperson would lack sufficient independence and adequate powers. Such clarifications include, in particular: (a) where an individual's request relates to the compatibility of surveillance with US law, the Ombudsperson will be able to rely on independent oversight bodies with investigatory powers (such as the Inspector-Generals or the Privacy and Civil Liberties Oversight Board); and (b) the US Secretary of State will ensure that the Ombudsperson will have the means to ensure that its response to individual requests is based on all necessary information.
Now that the Commission has adopted the new deal, the final Adequacy Decision will be notified to Member States today and enter into force immediately. In the US, the Privacy Shield framework will be published in the US Federal Register, and once US companies have updated their compliance accordingly, they will be able to certify with the US Department of Commerce starting 1 August 2016. An EU organisation that wishes to transfer personal data to the US will be able to lawfully transfer those data to any US organisation that is certified under the Privacy Shield. However, businesses should be aware that it may take some time to complete the certification process.
Outlook for businesses
The period of uncertainty regarding the transfer of personal data from the EU to the US may be drawing to a close, now that the Privacy Shield will provide a lawful mechanism for such transfers. However, businesses should keep developments in this area under careful review, as privacy advocates have already suggested that the Privacy Shield is likely to be challenged before the CJEU, and other data transfer mechanisms are also under fire. In particular, as noted previously, the Irish DPA confirmed that it will ask the Irish High Court to refer a question to the CJEU on the validity and legal status of Model Clauses. The question is understood to relate to whether transfers of personal data from the EU to the US pursuant to the Model Clauses provide adequate protection for Europeans against US government surveillance (i.e., the same concern noted by the CJEU in relation to Safe Harbor). The main reason for attacking the validity of the Model Clauses is the fact that the shortfalls of the Safe Harbor Principles might apply equally to Model Clauses. If the Model Clauses are invalidated by the CJEU, then the need for an alternative transfer mechanism will become all the more pressing. For now, it seems that the Privacy Shield fills the urgent need for such an alternative.