After months of negotiations with the U.S. government, the European Commission (the EU’s executive arm) has announced a new scheme for data transfers, the EU-U.S. Privacy Shield. This is intended to replace the Safe Harbor framework and address some of the concerns following a landmark ruling of the Court of Justice of the European Union in October which made it much more difficult for businesses to transfer personal data from Europe to the United States.
Under European Union law, personal data may only be transferred outside of the European Economic Area to countries that ensure an “adequate” level of protection of the data. From 2000 to 2015, one of the key mechanisms for achieving such protection was the EU-U.S. Safe Harbor Scheme, which was relied on by over 4,000 companies. In a judgment in October 2015, Schrems v Data Protection Commissioner (Case C-362/14) (reported in our previous article), the Court of Justice of the European Union (CJEU) held that the Safe Harbor scheme did not offer an adequate level of protection.
The decision was largely driven by the CJEU’s views that the United States did not offer “adequate” data protection in light of reports about the National Security Agency’s data collection activities. This was arguably based more on perception than reality, and the CJEU’s analysis of the activities of the U.S. intelligence services (and the extent of the checks and balances) was heavily criticized.
Many companies found that a previously valid transfer mechanism could no longer be used, for reasons entirely beyond their control. This ultimately required a political compromise between the U.S. and EU governments.
The pressure to reach an agreement was increased by EU data protection regulators who issued a joint statement following the Schrems decision that, if no appropriate solution was found by the end of January 2016, they would take all available coordinated enforcement activities. Industry bodies also pressed for an agreement due to the critical importance of transatlantic data flows.
The New EU-U.S. Privacy Shield
EU negotiators have emphasised that the new EU-U.S. Privacy Shield is intended to provide a very different level of protection compared to the Safe Harbor Agreement agreed in 2000. The political, technological, business and security climate in 2000 was very different, including fewer opportunities for (or at least the practice of) large-scale data collection by government and private sector companies alike.
The Privacy Shield is intended to impose stronger obligations on the U.S. to protect personal data imported from the EU and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.
Details have yet to be finalised, but according to the outline issued by the EU Commission, the Privacy Shield will include:
- Robust obligations for U.S. companies importing personal data with respect to how personal data is processed and individual rights are guaranteed
- Monitoring and enforcement of such commitments by the Department of Commerce which will be enforceable under U.S. law by the U.S. Federal Trade Commission
- Obligations to comply with decisions of European data protection regulators when importing human resources data from Europe
- Binding written assurances from the U.S. to the EU from the Office of the Director of National Intelligence that the access of public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms
- An annual joint review by the European Commission and the U.S. Department of Commerce with input from national security experts from the U.S. and European Data Protection Authorities
- More effective redress mechanisms for individuals, and in particular:
  - Strict deadlines will be imposed for companies to respond to complaints from data subjects
  - European data protection authorities will be able to refer complaints from EU data subjects to the Department of Commerce and the Federal Trade Commission for resolution
  - If such complaints are not resolved, there will be an arbitration mechanism
  - A new Ombudsperson will be set up in the U.S. State Department to hear complaints on possible access by national intelligence authorities
There are a number of steps required before the Privacy Shield takes effect.
- Details of the new Privacy Shield will need to be finalised to reflect the broad political agreement.
- The European Commission will draft a new adequacy decision, to replace the decision which was invalidated by the CJEU in Schrems.
- The new scheme will be subject to the advice and comments of the Article 29 Working Party – the consultative committee of European privacy regulators. Its enforcement threats were one of the main catalysts to the proposed Privacy Shield agreement, and they are likely to have their own views.
- The U.S. Department of Commerce and Federal Trade Commission will need to implement the new scheme, together with the monitoring and complaints mechanisms.
It is unclear as yet what the requirements will be under the Privacy Shield and whether existing Safe Harbor certifications will need to be amended. Details of any transition provisions or grandfathering arrangements will need to be worked out over the coming weeks. The EU Commission has estimated at least a three-month period to implement the new arrangements, which is likely to be a conservative estimate.
In addition, enactment by the U.S. of the Judicial Redress Act is seen as a required element for this new framework. The Act, which remains pending in the U.S. Congress, provides certain data protections and remedies to EU citizens.
The new Privacy Shield will not be immune from challenge. The legal basis for transfers of data from the EU to the U.S. will be the Commission’s new finding of adequacy (which is currently being drafted). This new finding of adequacy, like its predecessor which was invalidated in the Schrems case, could be subject to an adverse court ruling. Privacy campaigners are still likely to question the new scheme and argue that there has been no actual change in U.S. surveillance laws. It remains to be seen whether the safeguards introduced by the Privacy Shield will be adequate.
In the short term, companies are likely to continue relying on a number of different mechanisms to ensure that data transfers are legally compliant, including data transfer agreements incorporating EU-mandated model clauses. These are often the only immediate practical solution, particularly where an EU-based counterparty insists on putting such measures in place as a condition of doing business. Until the Privacy Shield’s details are announced and formally approved and, equally important, until the new scheme gains business and consumer trust, businesses will need to pragmatically apply a range of solutions.