EU-US Privacy Shield: The Long and the Short
The European Commission this month reached a political agreement on a new EU-US data transfer agreement. Safe Harbour is no more and in its place had risen the ‘EU-US Privacy Shield’. We here at techUK have been looking at what this deal is and what it means for companies transferring data internationally.
The Long – The shield in is a strong statement of intent by the EU and the US
First off, the new agreement is still in the draft stages but over the coming weeks, we expect to see the details fleshed out. Both the EU and the US need to firm up this agreement to withstand a review by the European Court of Justice (CJEU). techUK has called on the European Commission and US Administration to show total commitment to implementing this agreement.
At this stage, it is important to wind back the clock and ask how we got here and what is at stake? The Safe Harbour agreement was an agreement which set out a framework of data protection standards for data being transferred from the EU to the US. Thousands of companies used Safe Harbour to transfers data across the Atlantic. Thousands more rely on International data transfers that underpin services right across the economy from small farmers receiving tailored weather reports to companies sharing data to protect consumers from cyber-attacks and fraud.
In October 2015, the European Court of Justice (CJEU) issued a ruling declaring Safe Harbour was invalid as a legal basis for transferring data across the Atlantic. This was the result of a case brought by Maximilian Schrems who believed his data was not being protected to an adequate level in the US.
The ruling created a legal blackhole in the heart of the EU-US data trade and empowered individual European Data Protection Authorities (DPAs) to unilaterally investigate data flows. This could potentially lead to a fragmentation of Europe’s data protection framework.
Transatlantic data flows are vital to countless services and business right across the economy, from a tourist using a credit card, booking a hotel online to a company paying its employees across Europe. These all involve data transfers.
Rise of the Privacy Shield
The Privacy Shield is a political agreement between the EU and the US that seeks to address the issues raised the CJEU’s ruling on Safe Harbour. The deal proposes a number of reforms for both European and the US:
- New obligations on companies handling Europeans’ personal data and more oversight from the Federal Trade Commission and US Department of Commerce
- Written assurances by the US that the access to data by public authorities for law enforcement and national security proposes will be subject to clearer rules and oversight
- A new Ombudsperson will be created to address complaints by European citizens against US intelligence agencies.
- An annual joint review over the agreement to ensure it is being respected
- Increased redress opportunities for European citizens including deadlines for companies to respond to complaints. European DPAs can also refer complaints to the Department of Commerce and the Federal Trade Commission and a new arbitration panel will include representatives from both the EU and the US
The scope of this agreement shows a clear signal of intent that the negotiations are working hard to find a way to bridge two very different legal systems.
Will the shield pass muster?
Europe’s DPAs have welcomed the agreement between the EU & US. However, the DPAs will now wait to receive the official documents from the Commission to understand the ‘legal binding nature’ of the new agreement. The Commission have until the end of February to share these details. After which the DPAs will analyse the agreement to see whether the privacy shield addresses the wider concerns raised by the CJEU Safe Harbour ruling.
The DPAs have completed an assessment of the US data protection framework using four guidelines.
These guidelines form what the DPAs view as a European Standard.
- Processing should be based on clear, precise and accessible rules
- Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
- An independent oversight mechanism should exist, that is both effective and impartialEffective remedies need to be available to the individual
- Effective remedies need to be available to the individual
The DPAs highlighted that, prior to the EU-US Privacy Shield announcement, they had concerns on the above relating to the US legal framework specifically involving scope and remedies.
What about Standard Contract Rules and other transfer mechanisms?
A new deal means new rules, as such the DPAs will analyse to what extent the new Privacy Shield will provide legal certainty for the other transfer tools such as SCC and BCRs. Europe’s DPAs will meet again in February to discuss what the Privacy Shield means for these transfer mechanisms.
It is still the case that companies can use existing transfer mechanisms for transfers from the EU to the US.
The short – the devil is in the details
Companies will be looking for further detail on how the agreement will work. The Privacy Shield represents the great progress made by the EU and the US in finding common ground between two very different data protection regimes. For the time being business can rely on alternative legal mechanism to transfers data but we will have to wait until the end of February. Then we will have to wait and see how Europe’s DPAs react to the detail of the agreement.
The clear goal now is for the EU, US, European governments and Europe’s DPAs to come together and play a constructive role in making this agreement work.