On 12 July 2016 the European Commission adopted its adequacy decision approving a new framework for transferring personal data to the US. This new EU-US Privacy Shield framework replaces the now obsolete Safe Harbor regime and aims to provide enhanced protection for the privacy rights of EU citizens in light of concerns about intrusive surveillance by US security services.
The US Department of Commerce started accepting Privacy Shield self-certifications from US companies on 1 August 2016, and the European Commission published a guide for citizens on 4 August 2016.
A key principle of EU data protection law is that any personal data transferred outside the EU must be “adequately” protected. Broadly, this means the personal data must enjoy essentially the same level of protection as it would within the EU.
The laws of some countries have been approved by the European Commission as providing adequate protection. In most cases, however, it is left to the parties to the transfer to follow a regime that is approved as providing the necessary level of protection. For intra-group transfers by multinational corporations, the approved regime is Binding Corporate Rules. Where the transfer is between two parties, they can enter into a contract incorporating pre-approved clauses obliging them to provide an adequate level of protection; these are often known as “model clauses” (or standard contractual clauses). A further regime that had been considered acceptable was the US Safe Harbor scheme, which permitted US entities to self-certify that they provided an adequate level of protection. All three of these regimes have now been called into question, most particularly Safe Harbor.
The Edward Snowden revelations highlighted the level of surveillance undertaken by certain US security services and the amount of personal data to which they had access. In October 2015, in a case arising from a complaint by Max Schrems about Facebook's transfer of his personal data to the US, where it could be made available to US security services, the Court of Justice of the European Union invalidated the Safe Harbor decision, finding that it did not adequately protect the data of EU citizens transferred to the US. Clearly, without an acceptable way of transferring personal data from the EU to the US, transatlantic trade and commerce face a significant impediment. The European Commission therefore worked urgently with its US counterparts to agree a replacement regime.
So what is the Privacy Shield?
The European Commission has stated that the new Privacy Shield will effectively protect the rights of EU citizens by providing for strong obligations and monitoring of US organisations processing personal data transferred from the EU and by setting out clear limitations, safeguards and oversight mechanisms on access to that data by the US government.
The Privacy Shield comprises a package of materials from various US bodies, including the Department of Commerce, which will administer the new framework. At its core is a set of principles with which organisations relying on the Privacy Shield must self-certify their compliance, and re-certify annually. There is a lot of background detail to the principles, but broadly speaking they deal with the following:
- the publication of privacy policies and links to Privacy Shield information;
- ensuring that personal data is only processed for the purpose for which it was collected;
- the provision of mechanisms which enable data subjects to confirm what processing of their data is taking place and to correct or delete that data;
- the provision of consent and opt-out mechanisms;
- the implementation of appropriate security measures;
- accountability for onward transfers of personal data; and
- the implementation of complaints procedures and means of redress for individuals.
The package further sets out how the regime will be monitored, how organisations will be actively verified, and a general framework for dealing with alleged violations of the principles. A key facet of this has been obtaining commitments from the US that the ombudsperson responsible for handling national security related complaints is sufficiently independent of the security services.
Problems with the new framework and what this means for you and your business
The data protection authorities of the individual EU member states, acting collectively through the Article 29 Working Party, had a number of reservations about the new framework. While several of these were resolved in further negotiations, concerns remain as to whether it sufficiently meets the high standards for data protection that exist within the EU. Even though the European Commission has approved the new framework, further legal challenges seem likely, and some data protection activists, including Max Schrems, have indicated their intention to mount one.
This somewhat dilutes the benefit of the urgently negotiated new framework. It can be complex and expensive for organisations to ensure that their policies and procedures allow them to self-certify compliance with the Privacy Shield, and there will be an obvious reluctance to do so if they are only going to be told once again that it is not sufficient. Nevertheless, it may be the best solution available, even if only a temporary one. Binding Corporate Rules are an alternative, but they are not suitable for all organisations and can be even more complex and expensive to implement. They are also, along with the “model clause” alternative, open to further legal challenge, and so may provide no more permanent or long-term a solution.
The overall uncertainty therefore continues to be unhelpful for organisations with transatlantic business or relationships. All the solutions may be temporary, but the Privacy Shield does offer improved protection and does not require a separate agreement to be entered into for each data transfer. It is therefore likely to be the preferred option for many.