On 12 July of this year the European Commission (EC) and the US Government adopted a new framework for transatlantic exchanges of personal data for commercial purposes: the EU-U.S. Privacy Shield. The new framework reflects the requirements set out by the European Court of Justice (EUCJ) in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid.
In a two-year-old case brought by Austrian privacy campaigner Max Schrems, the EUCJ ruled that the European Commission’s trans-Atlantic data protection agreement that went into force in 2000 was invalid because it did not adequately protect consumers in the wake of the Snowden revelations.
So what was the ‘Safe Harbour’ agreement?
EU privacy law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU.
The safe harbour agreement that was made between the EC and the US government essentially promised to protect EU citizens’ data if transferred by American companies to the US.
It allowed companies to self-certify that they would protect EU citizens’ data when transferred and stored within US data centres. The advantage of safe harbour was that it functioned as a kind of ‘one stop shop’ allowing for the export of personal data to the US, whomever in Europe it came from, without the need to ask for consent, or to enter into bilateral agreements.
So how does ‘Privacy Shield’ provide greater protection for EU citizens?
According to the European Commission Privacy Shield will provide greater protection through the adoption of the following principles
- Stronger obligations on companies handling data: under the new arrangement, the US Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they have signed up to. If companies do not comply in practice they face sanctions and removal of their privacy shield authorisation. The tightening of Conditions for the onward transfers of data to third parties have been tightened under the new framework to guarantee the same level of protection in case of a transfer from a Privacy Shield company.
- Clearer safeguards and transparency obligations on US government access: The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms. Everyone in the EU will, also for the first time, benefit from redress mechanisms in this area. The U.S. has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-U.S. Privacy Shield arrangement. The US Secretary of State has established a redress possibility in the area of national intelligence for Europeans through an Ombudsperson mechanism within the Department of State.
- More effective protection of individual rights: Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself; or free of charge Alternative Dispute resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities, who will work with the Federal Trade Commission to ensure that complaints by EU citizens are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration Redress possibility in the area of national security for EU citizens’ will be handled by an Ombudsperson independent from the US intelligence services.
- An annual joint review mechanism: this will monitor the functioning of Privacy Shield, including the commitments and assurance as regards access to data for law enforcement and national security purposes. The European Commission and the US Department of Commerce will conduct the review and will issue a public report to the European Parliament and the Council.
So is it all now plain sailing?
Unfortunately for businesses who wish to process personal data on EU citizens in the US it doesn’t appear that everyone is as convinced as the European Commission on the adequacy of the new arrangements.
The Article 29 Working Party which consists of the data privacy authorities from each member state still has significant concerns about what has been agreed. It also appears that the framework might well be challenged by data privacy activists.
Max Schrems, the privacy campaigner behind the legal challenge that brought down Safe Harbour, has been quoted as saying that Privacy Shield is “little more than a little upgrade” to the old system and is “very likely to fail again, as soon as it reaches the CJEU”.
So for businesses it appears that there are still certain unchartered waters to navigate with some possible icebergs on the horizon!!