EU-US Privacy Shield - bound to break?
On 2 February 2016, the European Commission and the United States reached political agreement on a new framework for transatlantic data flows: the EU-US Privacy Shield.
The Privacy Shield became necessary after the Court of Justice of the European Union (ECJ) declared the Safe Harbor framework invalid on 6 October 2015 (we reported on the decision in our October Technology & Commercial Update). The EU privacy regulators had set the Commission a deadline of the end of January to find a new agreement with the US.
Key features
- US authorities, such as law enforcement and national security forces, may access Europeans' personal data only subject to "clear limitations, safeguards and oversight mechanisms". Exceptions will be made "when necessary and proportionate".
- US companies intending to import Europeans' personal data must publish their commitment to comply with "robust" data protection obligations.
- US authorities will monitor and enforce such commitments.
- US companies handling the HR data of Europeans must comply with European data protection authorities' (DPA) decisions.
- Europeans who feel their data has been misused are entitled to raise complaints and US companies must respond within strict deadlines. Dispute resolution will be available for free.
- A new ombudsman will deal with complaints regarding the possible access of US national intelligence agencies.
Green light for transatlantic data transfer?
Unfortunately, it is doubtful whether the Privacy Shield will provide the much needed clear, long-term legal basis for companies requiring transatlantic data transfers in order to do business.
Although the official announcement is hazy in terms of detail, it already gives rise to concerns that the Privacy Shield will not meet the standards set by the ECJ. The ECJ has left no doubt that "mass, indiscriminate surveillance" by US authorities must be restricted and that "effective judicial protection" must be available to EU citizens. The current deal will need to be beefed up with specific provisions so as to meet these standards.
Unsurprisingly, the Privacy Shield has therefore been met with a mixed, and sometimes quite emotional, public response. While industry and lobbying groups have welcomed it as a positive signal for EU and US businesses, the majority of commentators believe the Privacy Shield lacks substance and is just "Safe Harbor repackaged".
It is therefore likely that the Privacy Shield will be challenged. The ECJ may soon have another opportunity to specify the legal standards for transatlantic data transfers.
Next steps for corporates
At this stage, there is no immediate reaction required: In the coming weeks, the Commission will prepare a draft "adequacy decision" to be consulted upon by the Article 29 Working Party and representatives of Member States. Meanwhile, the US side will make the necessary preparations to put in place the new framework. Once the details become available, corporates will need to analyse and adjust existing data transfer structures to meet the new requirements.
Until then, data transfer strategies will need to take into account the future practice of the European DPAs. It appears likely that most DPAs will, at least for the interim period until finalisation of the Privacy Shield, accept the use of other transfer mechanisms, such as binding corporate rules and model contract clauses.
In any case and regardless of the Privacy Shield's fate, corporate groups should have a global data transfer strategy in place to meet future data protection compliance challenges. Obviously, the need for a data transfer framework is not limited to the US but generally affects all EU-outbound international transfers.
The ongoing uncertainty means that corporates need robust yet flexible data transfer arrangements that can be adjusted promptly, as required, in order to meet changing global regulatory requirements.
For further information on any of the issues raised in this newsflash, please speak to one of the Ashurst Data Protection team below or to your usual Ashurst contact.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.