EU-US Privacy Shield texts published: is there any more certainty on the legality of EU-US data flows?

Written on 7 Mar 2016

On 4 February 2016, we reported that political agreement had been reached on a new framework for transatlantic data flows, called the EU-US Privacy Shield. At that stage, limited information was available beyond the European Commission’s press release and conference introducing the Privacy Shield. Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality, explained that the EU-US Privacy Shield has been developed with the aim of protecting fundamental rights of Europeans and ensuring legal certainty for businesses.

The Article 29 Working Party reserved judgment until it had received the documents setting out details of the arrangement, and asked the European Commission to communicate those by the end of February. 

With not a day to spare, on 29 February 2016 the European Commission issued the legal texts that will put in place the Privacy Shield. It also issued a draft adequacy decision of the European Commission, a set of FAQs, a Communication to the European Parliament and the Council and a Fact Sheet

There is no doubt that a lot of work has been done during the last two years of negotiations; the legal texts alone are almost 130 pages long! In this update, we start by explaining what this means for businesses now, before briefly summarising what the EU-US Privacy Shield is likely to look like, and explaining what happens next. 

Whilst the Privacy Shield has been in development for some time, it was given new impetus by the CJEU’s finding in October 2015 that the existing “Safe Harbor” mechanism for legitimising data transfers to the US was invalid. The ability to move personal data between the EU and US is a crucial component of transatlantic business and commerce, and there was suddenly an urgent need to agree a legal replacement for Safe Harbor. The Privacy Shield is now that replacement. 

Does the publication of the text offer more certainty for businesses now?

The publication of the legal text of the Privacy Shield does very little to change the current position on the legality of data transfers; nor does it offer businesses any more legal certainty. As summarised in our earlier update:

  • businesses cannot yet rely on the Privacy Shield (though they are one step closer to being able to do so);
  • the legality of alternative transfer mechanisms in light of the CJEU’s October 2015 decision in Schrems is still under review by the Article 29 Working Party; and
  • Safe Harbor is invalid and should not be relied on. 

We expect to have more certainty on the legality of the proposal by mid-April 2016 once the Article 29 Working Party opinion (referred to below) has been issued. We will provide further updates and guidance as additional detail becomes available. 

What does the Privacy Shield look like? 

The Privacy Shield consists of what the United States Department of Commerce refers to as a “package” of materials:

  • a set of Privacy Shield Principles, to which organisations relying on the Privacy Shield must self-certify their compliance annually;
  • a letter from the International Trade Administration of the Department of Commerce, which will administer the Privacy Shield program, describing the commitments that the Department of Commerce has made to ensure the Privacy Shield operates effectively (which includes monitoring and active verification of companies’ compliance);
  • an Arbitral Model, which sets out the terms on which organisations relying on the Privacy Shield must arbitrate claimed violations of the Privacy Shield Principles if those claims cannot be resolved by any of the other Privacy Shield mechanisms; and
  • other documents from other US authorities, including from the Federal Trade Commission, the Department of Transportation, the Office of the Director of National Intelligence, the Department of State and the Department of Justice. 

The European Commission promises that the Privacy Shield provides:

  • robust obligations and on-going monitoring of US companies processing EU citizens’ personal data;
  • clear limitations, safeguards and oversight mechanisms on the US government’s access to EU citizens’ personal data; and
  • effective protection of EU citizens’ rights. 

The European Commission’s Fact Sheet and FAQs neatly summarise the all-important detail behind the Privacy Shield, and we will be continuing to review and report on that detail over the coming weeks. At a high level, the Privacy Shield principles focus on the following areas:

  • publishing privacy policies, and links to Privacy Shield related information;
  • providing appropriate consent and opt-out mechanisms;
  • implementing appropriate security measures;
  • providing mechanisms to enable data subjects to confirm what processing is taking place, and to correct or delete information;
  • being accountable for onward transfers of personal data; and
  • implementing mechanisms to resolve complaints. 

What next? 

The next steps are for:

  • a committee composed of representatives of the Member States to be consulted on the proposal;
  • the Article 29 Working Party to give their opinion; and
  • the Commission to make a final decision. 

The opinion of the Article 29 Working Party will be particularly important, even though it is not binding. 

In a press release on 29 February 2016, the Article 29 Working Party welcomed the publication of the legal texts and the draft adequacy decision but emphasised that the documents would have to be analysed “with great attention as regards the need for restoring trust in transatlantic data flows“. 

The opinion of the Article 29 Working Party will be adopted at its next meeting on 12 and 13 April 2016. 

Meanwhile, in the US…

As is clear from the various letters from US authorities included in the Privacy Shield “package”, there will be much activity to make the necessary preparations to implement the framework “expeditiously and fully” and to ensure that its commitments are met in a “timely fashion“. 

The publication of the legal text of the Privacy Shield coincides with the adoption of the Judicial Redress Act by the US Congress, signed into law by President Obama on 24 February 2016. The Judicial Redress Act is a long-standing request of the EU which, once in force, will give EU citizens access to US courts to enforce privacy rights in relation to personal data transferred to the US for law enforcement purposes. 

Following adoption of the Judicial Redress Act, we expect the European Commission to propose the signature of the EU-US data protection “Umbrella Agreement”. The “Umbrella Agreement” puts in place a comprehensive high-level data protection framework for EU-US law enforcement cooperation; it does not itself constitute a legal basis for transferring personal data from the EU to the U.S. That will be the job of the Privacy Shield – once it is approved.