Since the "EU-US Safe Harbor" framework was declared invalid by the CJEU back in October, representatives from the US Department of Commerce, the US Federal Trade Commission and the EU Commission have been locked in negotiations. They have agreed a new framework which meets the legal requirements specified by the CJEU in the highly publicised Schrems judgment.
In a press release issued by the EU Commission on 2 February 2016, the Commissioners confirmed that they have approved a political agreement which they believe will both protect the fundamental rights of European citizens where their data is transferred to the US and ensure legal certainty for businesses when transferring data to the US. The College of Commissioner's have given a mandate to Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put the new framework in place.
What has been agreed?
The Commission stated, in their press release of 2 February 2016, that the new arrangement will contain the following three key elements:
The press release is lacking in detail and there are already concerns that it will prove difficult for all Member States to reach agreement on the new "EU-US Privacy Shield".
What next?
Over the next few weeks Vice-President Ansip and Commissioner Jourová will draft an 'adequacy decision'. The Article 29 Working Party and a committee composed of representatives of the Member States will then assess whether the new framework addresses the wider issues raised in the Schrems judgment.
At the same time the US will make the 'necessary preparations' to put in place the new framework, monitoring mechanisms and Ombudsman.
Whilst this sounds promising, the text of the agreement is yet to be published and the press release has been met with some criticism and scepticism. It is also important to remember that the Article 29 Working Party is made up of representatives from Data Protection Authorities of each Member State, some of whom have been very vocal about their concerns around any transfers of personal data to the US, not just those that relied on the "EU-US Safe Harbor" framework.
On 3 February 2016 the Article 29 Working Party issued a statement in which they have asked the Commission to communicate all documents pertaining to the Privacy Shield arrangement by the end of February so that they can make an informed assessment of the new arrangement. After assessing the Privacy Shield arrangement they will turn their attention to Binding Corporate Rules and Model Clauses. They have said that Binding Corporate Rules and Model Clauses remain suitable for transatlantic data transfers until they decide otherwise.
There are a number of questions that will need to be answered including the ability of any new framework to withstand a legal challenge following the Schrems judgment.
What should you do?
Unfortunately the Commissions' announcement has not totally alleviated the current legal uncertainty surrounding transfers of personal data to the US.
It is likely that it will take up to 3 months for the Privacy Shield to be implemented and even then it is still unclear how each Data Protection Authority will assess its adequacy.
For now organisations should:
It is important for all organisations to monitor the progress of the "EU-US" Privacy Shield, both before and after its implementation.
Anyone transferring personal data to the US needs to keep aware of this fluid area of law and if you are transferring data from multiple jurisdictions within the EEA to the US you need to be alive to the fact that the approach taken by the various Data Protection
Authorities may differ from jurisdiction to jurisdiction.
This isn’t Sparta! Company denied interim injunction for non-compete restrictions contained in an investment agreement
AI webinar: what you need to know about using AI in advertising
Ashfords supports protein bar brand to meet daily regulatory goals
We produce a range of insights and publications to help keep our clients up-to-date with legal and sector developments.
Sign up