Announcement of the new ‘EU-US Privacy Shield’
We have previously reported the demise of the US Safe Harbor scheme in our October 2015 and January 2016 Pritchetts Blog reports.
Just after the end of the 3-month so-called grace period, which was introduced to allow time to find a new compliance mechanism permitting the transfer of personal information from the EEA to the USA, the European Commission announced that a new agreement had been reached on 2nd February 2016.
Key Facts about the new US international personal data transfer compliance mechanism:
- The new scheme will replace the previous US Safe Harbor Scheme and is to be called the ‘EU-US Privacy Shield’. It is due to come into force within 3 months, if agreed (see below);
- According to Andrus Ansip, the Vice-President of the European Commission, and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, who made the announcement, the new arrangement reflects the requirements set out by the European Court of Justice in the case of Maximilian Schrems v. Data Protection Commissioner (C-362-14) (which we have reported on previously here). On announcing the new scheme, Věra Jourová said: “The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the first time ever, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”
EU negotiators suggested that the new scheme will:
- Create tougher obligations on US companies storing personal data relating to EEA citizens;
- Provide for enhanced enforcement by the US Department of Commerce and Federal Trade Commission;
- Involve more co-operation between the US and EEA data protection regulators;
- Limit access to EEA personal data by US public authorities;
- Create rights for EEA citizens to raise any concerns about the scheme with a new Ombudsman.
The European Commission are to prepare a draft adequacy decision, which is then to be discussed with the EU Article 29 Working Party.
So is that it? Are we all set to use the new ‘EU-US Privacy Shield’ in 3 months’ time?
We have reported previously on the views of the EU Article 29 Working Party (“Art29 WP”) on this issue. That group have continued meeting over the last few months to consider alternative options to the US Safe Harbor Scheme, primarily the use of the approved EC Standard Contractual Clauses and Binding Corporate Rules.
Now, following announcement of the proposed new EU-US Privacy Shield, the Art29 WP has released a statement setting out their current view that although the European Commission have agreed to go ahead with the new EU-US Privacy Shield, the Art29 WP were not involved in negotiations over the new scheme and as a result only have verbal commitments from the European Commission that the issues previously raised by the Art29 WP have been adequately dealt with.
The Art29 WP have set out four key protections that must be put in place, following EEA case law, before any US international personal data transfer takes place:
- Personal data should be processed based on clear, precise and accessible rules, including those allowing individuals to properly understand the various locations where their data are transferred;
- The principles of necessity and proportionality must be exercised in relation to the transfer of personal data. A balancing exercise should be carried out to consider the rights of individuals as well as the purposes for which data are collected and accessed for national security reasons;
- An effective, impartial and independent oversight mechanism should exist to monitor the collection of and access to personal data;
- Effective remedies must be made available to individuals to defend their rights.
The Art29 WP have also:
- Expressed reservations about whether the new scheme will ensure these protections are in place and have made it clear that they would like to see full documentation relating to the proposed new scheme by the end of February 2016 in order to consider these issues further. Only then will it be able to issue a detailed statement on its views;
- Indicated that it has similar concerns about the other compliance mechanisms currently permitting EU-US transfer (for example, binding corporate rules and the use of the EC model contractual clauses). The group plan to carry out an analysis of these other options also;
- Arranged to hold an extraordinary plenary meeting in late March 2016. Following that, the group will consider what personal data transfer mechanisms remain valid for US personal data transfers. The Chairperson of the Art29 WP, Isabelle Falque-Pierrotin, hopes that a final decision could be made by the end of April 2016;
- Made it clear that in the meantime personal data transfer to the US cannot carry on relying on the previous Safe Harbor scheme. It encourages organisations to consider putting the other EEA international data transfer compliance mechanisms in place.
The European Parliament have also raised some concerns about the proposed new scheme in its press release, stating, amongst other concerns, that “MEPs also voiced strong concerns over the envisaged safeguards to limit data collection, underlined the need to ensure an independent and individual complaints mechanism as well as access to judicial redress for EU citizens”.
The reaction to this new scheme has been mixed across Europe. One commentator from the Group of the Alliance of Liberals and Democrats for Europe stated: "We urgently need a thorough legal appraisal of the safeguards offered by the US. The legal status of these safeguards is very unclear. It is highly doubtful that they offer meaningful protection to European citizens, or if they meet the standards set by the ECJ."
So what do we do now, especially if we are not even sure that the Privacy Shield will go ahead?
Given the apparent reluctance to commit to the Privacy Shield from many of the European Authorities, it seems that the Privacy Shield is far from a done deal.
No doubt some national data protection authorities will take a more hard-line approach to enforcement in this area over the coming months. Although we believe the ICO are likely to take a light-touch approach to enforcement action in the short term, ultimately, doing nothing and waiting for a political solution is not really an option for organisations.
As above, it has been made absolutely clear that reliance on the old Safe Harbor scheme is no longer legal. Any organisations who have been taking a ‘wait and see’ approach therefore have a lot to do, and fast.
For now, the Art29 WP has confirmed its position that the model clauses and binding corporate rules remain valid transfer mechanisms, pending deeper analysis.
Any organisations that have been relying on these compliance mechanisms to transfer data to the US may therefore decide to continue taking a ‘wait and see’ approach in relation to them. However, those in jurisdictions with tougher regulatory regimes may find that their regulators begin to take more stringent action, so watch this space.
We set out our thoughts on what compliance action you should consider taking at this stage under the heading ‘How have businesses reacted to the development?’ in our January Blog article. That Blog also sets out the likely changes under the proposed new European General Data Protection Regulation. Our opinion set out in that Blog remains the same after recent announcements.
Please do consider contacting Pritchetts if we can be of any assistance to you in carrying out analysis of your compliance options or indeed helping you put alternative compliance mechanisms in place.