Since the "EU-US Safe Harbor" framework was declared invalid by the CJEU back in October, representatives from the US Department of Commerce, the US Federal Trade Commission and the EU Commission have been locked in negotiations. They have agreed a new framework which meets the legal requirements specified by the CJEU in the highly publicised Schrems judgment.
In a press release issued by the EU Commission on 2 February 2016, the Commissioners confirmed that they have approved a political agreement which they believe will both protect the fundamental rights of European citizens where their data is transferred to the US and ensure legal certainty for businesses when transferring data to the US. The College of Commissioners has given a mandate to Vice-President Ansip and Commissioner Jourová to prepare the necessary steps to put the new framework in place.
What has been agreed?
The Commission stated, in their press release of 2 February 2016, that the new arrangement will contain the following three key elements:
- Strong obligations on companies handling Europeans' personal data and robust enforcement: US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European [Data Protection Authorities].
- Clear safeguards and transparency obligations on US government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European Data Protection Authorities to it.
- Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European [Data Protection Authorities] can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, alternative dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsman will be created.
The press release is lacking in detail and there are already concerns that it will prove difficult for all Member States to reach agreement on the new "EU-US Privacy Shield".
Over the next few weeks Vice-President Ansip and Commissioner Jourová will draft an 'adequacy decision'. The Article 29 Working Party and a committee composed of representatives of the Member States will then assess whether the new framework addresses the wider issues raised in the Schrems judgment.
At the same time the US will make the 'necessary preparations' to put in place the new framework, monitoring mechanisms and Ombudsman.
Whilst this sounds promising, the text of the agreement is yet to be published and the press release has been met with some criticism and scepticism. It is also important to remember that the Article 29 Working Party is made up of representatives from Data Protection Authorities of each Member State, some of whom have been very vocal about their concerns around any transfers of personal data to the US, not just those that relied on the "EU-US Safe Harbor" framework.
On 3 February 2016 the Article 29 Working Party issued a statement in which they have asked the Commission to communicate all documents pertaining to the Privacy Shield arrangement by the end of February so that they can make an informed assessment of the new arrangement. After assessing the Privacy Shield arrangement they will turn their attention to Binding Corporate Rules and Model Clauses. They have said that Binding Corporate Rules and Model Clauses remain suitable for transatlantic data transfers until they decide otherwise.
There are a number of questions that will need to be answered including the ability of any new framework to withstand a legal challenge following the Schrems judgment.
What should you do?
Unfortunately the Commission's announcement has not totally alleviated the current legal uncertainty surrounding transfers of personal data to the US.
It is likely that it will take up to 3 months for the Privacy Shield to be implemented and even then it is still unclear how each Data Protection Authority will assess its adequacy.
For now organisations should:
- Assess what data is being transferred overseas and consider what the organisation is relying on to determine adequacy.
- Not rely on Safe Harbor as a mechanism for determining adequacy. It has been invalid for 4 months and if an organisation is still relying on Safe Harbor it is only a matter of time before a Data Protection Authority takes enforcement action.
- Continue to rely on Binding Corporate Rules or Model Clauses.
It is important for all organisations to monitor the progress of the "EU-US Privacy Shield", both before and after its implementation.
Anyone transferring personal data to the US needs to keep aware of this fluid area of law, and if you are transferring data from multiple jurisdictions within the EEA to the US you need to be alive to the fact that the approach taken by the various Data Protection Authorities may differ from jurisdiction to jurisdiction.