Data protection: the “EU-US Privacy Shield” – will it be a shield of any substance?
After much uncertainty, on 2 February this year the European Commission announced that it had reached agreement with the US to replace the Safe Harbor framework. However, anyone hoping that the announcement would bring clarity will be disappointed – there is still a long way to go before a replacement for Safe Harbor becomes a workable reality.
Under the Data Protection Directive the transfer of personal data outside the EEA is restricted unless an adequate level of data protection is in place in the destination country. In 2000, to enable US businesses to receive and process data from Europe, an agreement was reached, known as Safe Harbor, under which US companies could self-certify that they treated incoming European data in accordance with a set of principles that complied with EU data protection law.
The Safe Harbor arrangement seemed a sensible and pragmatic solution to enable data transfers to the US, but all that changed in the autumn of last year following a complaint to the Irish data protection authority about the way personal data was being processed in the US. The complaint led eventually to the Court of Justice of the EU, which ruled in October 2015 that the Safe Harbor arrangement was invalid (for a more comprehensive look at the complaint and decision, please see the previous Knowledge article from October 2015 entitled “Data Protection: US Safe Harbor – no longer quite so safe”). The Court’s decision created widespread uncertainty not only for US processors of EU data, but also for many organisations and businesses within the EU which had been relying on Safe Harbor to ensure that they were complying with their data protection obligations as data controllers.
The Privacy Shield
Since before the Court’s decision in October, the European Commission has been trying to reach agreement with the US for a replacement of the now defunct Safe Harbor arrangement. Earlier this month the European Commission announced that an agreement had been reached, providing for the dramatically titled “EU-US Privacy Shield”.
Unfortunately the agreement lacks detail, so the current uncertainty remains for those who had been taking advantage of Safe Harbor. However, while the fine detail is awaited, we outline below some of the points which are understood to have been agreed in principle:
- US companies processing EU data will be required to commit to “robust obligations” on how personal data is processed and individual rights protected.
- The US has given assurances that it will not conduct indiscriminate mass surveillance of data transferred under the Privacy Shield and that any access to data will be subject to clear limitations, safeguards and oversight mechanisms.
- The European Commission and US Department of Commerce will conduct annual joint reviews and invite US and European data protection agencies to participate.
- European data protection authorities will be able to refer complaints to the US Department of Commerce and the Federal Trade Commission.
- Mechanisms for redress will be introduced for those who suspect that their data has been misused, to include the establishment of a new ombudsman in the US.
The effectiveness of the Privacy Shield will come down to how the agreed principles listed above develop in the drafting stage of the process and how they are implemented in practice. It is far too early to offer any predictions, but unless the protections offered by the US authorities for the EU data are adequate, the Privacy Shield may never receive the blessing of the various European data protection authorities (called “The Article 29 Working Party”) who are examining the proposals carefully. Moreover, it is to be hoped that the proposed annual reviews to be carried out by the US and EU data protection authorities do not lead to frequent renegotiation and changes to the operation of the Privacy Shield.
The doubt which has arisen in the wake of the Court’s decision to invalidate Safe Harbor continues to be of huge concern to businesses and other data controllers in this country and the rest of Europe. Whilst the Privacy Shield announcement is a step in the right direction, much still needs to be done to restore certainty in this important area of data protection law.
This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.