On 6 October 2015, we reported that the Court of Justice of the European Union (CJEU) had declared the long-standing U.S. Safe Harbor scheme invalid in the case of Maximillian Schrems v Data Protection Commissioner.
Now, four very uncertain months later, Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality, announced on 2 February that after tough negotiations, political agreement had been reached on a new framework for transatlantic data flows, called the EU-US Privacy Shield. In her announcement, she explained that the EU-US Privacy Shield both protects the fundamental rights of Europeans and ensures legal certainty for businesses.
In this update, we look at how the EU-US Privacy Shield differs from Safe Harbor, what happens next, and what the practical implications for businesses are.
The key points are that:
- Political agreement has been reached on a new framework for transatlantic data flows – the “EU-US Privacy Shield”. However, it remains subject to further steps before it will be effective.
- There is no text available yet, but we are expecting this to be made available over the next four to six weeks. Consequently, clarity on the exact position will need to await this.
- In the meantime, EU data protection authorities will continue to accept EU Model Clauses and Binding Corporate Rules, at least until April 2016.
- Companies still relying on Safe Harbor may now face enforcement action.
How does the EU-US Privacy Shield differ from Safe Harbor?
Safe Harbor was criticised by the CJEU on a number of grounds. The CJEU’s overarching concern was one that had been shared by many in the years preceding the Schrems judgment: that the U.S. authorities had disproportionate access to European individuals’ personal data and that there were limited effective rights of recourse for breaches of Safe Harbor by US businesses.
While there is no agreed text available as yet, the European Commission’s press release and Věra Jourová’s announcement of the new agreement highlight three key elements of it which aim to address the CJEU’s concerns:
1. Robust obligations and on-going monitoring of U.S. companies processing Europeans’ personal data:
U.S. companies importing personal data from Europe will be subject to strong obligations on the processing of personal data, the protection of individual rights and onward transfers of personal data. Those obligations will be supported by regular updates and reviews by the U.S. Department of Commerce. Non-compliance may result in sanctions and removal from the list of participating companies.
2. Clear limitations, safeguards and oversight mechanisms on the U.S. government’s access to Europeans’ personal data:
Věra Jourová explained that “for the first time ever, the U.S. have given the EU binding assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms“. She was also keen to emphasise that the agreement would be a “living mechanism” and that the U.S. would be held accountable on the commitments made.
Thus, the European Commission and U.S. Department of Commerce will carry out an annual joint review of the functioning of the arrangement, involving U.S. national security experts and EU data protection authorities in those reviews.
3. Effective protection of Europeans’ rights:
European citizens who consider that their data has been misused will benefit from “several accessible and affordable” dispute resolution mechanisms. In the first instance, complaints should be resolved by the company itself. Failing that, individuals will be able to go to European data protection authorities, who will work with the Federal Trade Commission in the U.S. to ensure that complaints are investigated and resolved within a reasonable period. As a last resort, there will be an arbitration mechanism.
There will also be a “new tool“, specifically for the EU-US Privacy Shield, which provides for the possibility of redress in the area of national security for EU citizens. This will be handled by an independent ombudsperson.
This is all in addition to the U.S. Judicial Redress Act, which, when passed, will give EU citizens access to U.S. courts in the context of personal data being used for law enforcement purposes.
There is still some work to be done before businesses can start to rely on the EU-US Privacy Shield. What we have at the moment is just a political agreement – the precise text remains to be published.
The European Commission’s College of Commissioners has mandated Vice President Ansip and Commissioner Vera Jourová to prepare a draft adequacy decision in the coming weeks which will then need to be adopted by the College of Commissioners. In the U.S., there is work required in the next few weeks to make the necessary preparations and formalise all the necessary commitments made to put in place this new agreement.
What do European data protection authorities think?
The ‘big question’ was, and still is, what the European data protection authorities will make of the EU-US Privacy Shield.
The Article 29 Working Party, made up of representatives of the 28 EU Member State data protection authorities, met in Brussels on 2-3 February 2016 to consider whether the new EU-US Privacy Shield addressed their concerns and the requirements of the CJEU in Schrems.
During that meeting, and in their subsequent press release, the Article 29 Working Party welcomed the EU-US Privacy Shield, but emphasised that they needed to “receive documents in order to assess whether the Privacy Shield can answer the privacy concerns raised“. Isabelle Falque-Pierrotin, chair of the Article 29 Working Party and head of France’s data protection authority, CNIL, confessed that, at the moment, they know very little about the EU-US Privacy Shield. They called on the European Commission to communicate all documents pertaining to the arrangement by the end of February, so that they can publish their opinion by the end of March.
What does the EU-US Privacy Shield mean for businesses now?
This announcement isn’t an immediate fix for transatlantic data flows and businesses will need to wait for further details and confirmation that the new framework is acceptable to data protection authorities. However, the approach taken sounds like a promising step in the right direction for EU and U.S. businesses that have been grappling with data transfer issues since the Schrems judgement, and it appears to try to remedy the shortcomings of Safe Harbor as identified by the CJEU.
Opinions on the EU-US Privacy Shield have been divided. There has been immediate criticism from some key players. Jan Albrecht, the German MEP who led the European Parliament’s negotiations on the new General Data Protection Regulation described it as “a joke” on Twitter, claiming that the European Commission “sells out EU fundamental rights and puts itself at risk to be lectured by CJEU again“. Challenges to the EU-US Privacy Shield by privacy activists certainly cannot be ruled out, although they would take time to progress through the European courts.
For the moment, the key tests are whether the EU-US Privacy Shield will be accepted by both:
a) data protection authorities, who, as made clear by the CJEU in Schrems, have the power to investigate data transfers made under any Commission adequacy findings, and suspend data transfers if there are doubts about adequacy; and
b) businesses, as a reliable method for transferring personal data to the U.S.
What about alternative transfer mechanisms?
The Article 29 Working Party has also spent the last few months assessing the legality of alternative transfer mechanisms, such as the EU Model Clauses and Binding Corporate Rules in light of the Schrems decision. The Article 29 Working Party has confirmed that those transfer mechanisms can still be used for transfers of personal data to the U.S. for now. However, there is a suggestion that the longer term position on those alternative transfer mechanisms may depend on whether some of the protections in the EU-US Privacy Shield also extend to data transfers based on those mechanisms.
Some German data protection authorities had previously announced that they would not accept new EU Model Clauses and Binding Corporate Rules following Schrems. However, we understand that all data protection authorities have agreed to follow the Article 29 Working Party’s approach. It remains to be seen how this plays out in practice.
Overall, provided that the European Commission meets the timescales set by the Article 29 Working Party, the Working Party expects to be able to give businesses legal certainty on the legality of EU-US data transfers by mid-April 2016.
Can businesses still rely on Safe Harbor?
One of the key messages from the Article 29 Working Party on 3 February was to re-iterate that Safe Harbor is invalid. Businesses that previously relied on Safe Harbor and have been waiting to implement alternative transfer mechanisms should act now and not wait for the EU-US Privacy Shield to be signed-off and set-up.
Data protection authorities may take enforcement action if alternative transfer mechanisms are not in place. This is particularly the case where they receive complaints from affected individuals, which is a real possibility following Max Schrems’ success.
While these latest developments are encouraging, we expect there to be further twists and turns to come in the story of legitimising transatlantic data flows. We will be providing further updates and guidance as additional detail becomes available.