This article was co-authored by Zoey Forbes, Trainee Solicitor
On 12th July the European Commission formally adopted the EU-US Privacy Shield (“Privacy Shield”), which replaces the previous “Safe Harbor” regime. The Privacy Shield enables personal data to be lawfully transferred from Europe to US companies which have self-certified their compliance with the Privacy Shield’s Framework Principles (“Principles”). US companies will be able to self-certify with the US Department of Commerce from 1 August 2016.
History of the Privacy Shield
The Commission’s press release declares that the Privacy Shield “protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers”. Such legal clarity is welcome after the months of uncertainty that followed the European Court of Justice’s decision to invalidate the Safe Harbor regime in October 2015. For the last fifteen years or so, Safe Harbor had been one of the principal methods for transatlantic data transfers. However, the European Court of Justice upheld Max Schrems’ complaint that, in light of the Snowden revelations on mass data surveillance by US authorities, Facebook’s transfer of Schrems’ personal data from Ireland to the US under the Safe Harbor regime did not ensure an adequate level of protection. This decision left companies previously using Safe Harbor with two options: either to put specific alternative measures in place, such as the EU’s “model clauses”, or to rely on data protection authorities not to take enforcement action pending agreement on a replacement to Safe Harbor. While the UK ICO took a pragmatic approach, other data protection authorities, such as those in Germany, not only called for companies to cease data transfers to the US which relied on Safe Harbor, but also questioned the validity of other transfer mechanisms.
Following the European Court of Justice’s decision, the Commission and the US authorities worked to improve protection for transatlantic data flows and first presented the Privacy Shield as a draft adequacy decision in February this year. While the draft Privacy Shield followed the basic model of Safe Harbor by requiring self-certification by US companies, it included a number of additional protections as described in European Commission unveils the EU-US Privacy Shield. For example, it introduced tighter conditions and stricter liability provisions for onward transfers of personal data and introduced a redress mechanism for EU data subjects, including an Ombudsperson mechanism. However, this draft was criticised by the Article 29 Working Party, made up of representatives from the data protection authority of each Member State, particularly on the grounds that:
- the bulk collection of personal data remained possible under the draft Privacy Shield;
- the independence and autonomy of the Ombudsperson was not clear; and
- there were no clear principles regarding data retention.
As a result, a number of additional clarifications and improvements have since been made to the Privacy Shield, which were sufficient for it to be formally approved and adopted.
As the Privacy Shield will come into effect in the next fortnight, it is imperative that both US companies and European companies who transfer personal data to the US consider their options.
For US companies who wish or need to receive personal data from the EU, the first step is to determine whether the EU Standard Contractual Clauses (“Model Clauses”), binding corporate rules (which only apply between companies in the same group) or the new Privacy Shield is most suitable for their organisation. If the Privacy Shield is found to be the best solution, then the next steps are to fully understand the new obligations and to ensure that employees receive appropriate training. In summary, these obligations include:
- opt-outs: data subjects must be given the choice to opt out of the processing of their personal data:
  - where it will be disclosed to a third party or used for a purpose materially different from the purpose for which it was collected
  - at any time in relation to direct marketing
- contractual provisions with third parties, for example:
  - US data processors must be contractually bound to act only on instructions from the EU data controllers and to assist the controller in responding to individuals exercising their rights under the Privacy Shield
  - sub-processors must be subject to a contract that guarantees the same level of protection as provided under the Principles and that requires the parties to secure its proper implementation
  - an onward transfer may only take place for limited and specific purposes under a contract (or comparable intra-group arrangements) that offers the same level of protection as provided under the Principles (“Onward Transfer Principle”)
- recourse mechanisms: organisations must provide effective, readily available and independent recourse mechanisms at no cost to the individual
- annual review: organisations must annually review their compliance with the Principles
US companies should be aware that although self-certification is voluntary, compliance with the Principles is compulsory once self-certification has taken place. The Department of Commerce will maintain a list of all the companies that have self-certified (“Privacy Shield List”) and a list of all those companies that have been removed from the Privacy Shield List (whether voluntarily or involuntarily).
US companies can self-certify from 1 August 2016 and there are some benefits from self-certifying prior to 1 October 2016. Companies that have existing commercial relationships with third parties and self-certify prior to 1 October 2016 can benefit from a “grace period”, which allows a maximum period of nine months to bring those relationships in line with the Onward Transfer Principle (although the other Principles must be applied during the interim period).
As with US companies, European companies should initially consider whether the Privacy Shield is the most appropriate option for transferring personal data to the US. If so, the primary action points will be to review any contracts with US data processors to ensure that they comply with the Principles and to understand the new redress mechanisms.
In the case of UK companies, the position may become more complicated post-Brexit. As Baroness Neville-Rolfe, the Minister for Data Protection, stated recently: “One problem is that we do not know how closely the UK will be involved with the EU system in future. On one hand if the UK remains within the single market EU rules on data might continue to apply fully in the UK. On other scenarios we will need to replace all EU rules with national ones. Currently it seems unlikely we will know the answer to these questions before the withdrawal negotiations get under way.” In the short term, the Privacy Shield will apply to the United Kingdom, at least until the UK formally exits the EU, and it may continue to apply afterwards if the UK becomes part of the EEA. If the UK does not become part of the EEA, then it will need to demonstrate (like the US) that its data protection laws provide an adequate level of protection for the data of EU citizens. This will be much easier to demonstrate if the UK’s data protection laws follow those of the General Data Protection Regulation, which appears to be the approach favoured by the Information Commissioner’s Office (see its recent blog post GDPR still relevant for the UK).
Even outside the UK and prior to Brexit, a degree of uncertainty remains. The Commission recognises that the “level of protection afforded by the US legal order may be liable to change” and accordingly the Privacy Shield requires the Commission to “continuously monitor” the Privacy Shield (one of the criticisms of “Safe Harbor” was that the original adequacy decision was not reviewed until after the Snowden revelations many years later), and the US authorities’ compliance with it. There will be a joint annual review of the functioning of the Privacy Shield, which in effect allows the Commission to annually re-evaluate whether the Privacy Shield still provides an adequate level of protection. The Commission has also provided for a re-assessment following the General Data Protection Regulation becoming effective in Member States, in May 2018, to ensure that the Privacy Shield meets the level of protection required under the Regulation. As a result, there is no guarantee that the Privacy Shield, in its current form at least, will enjoy the longevity of the Safe Harbor Regime.
Although the Commission has robustly defended the protections offered by the Privacy Shield, stating that it “protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States”, whether it does so remains to be seen. There has already been some criticism from privacy campaigners that the Privacy Shield does not provide sufficient safeguards and is therefore vulnerable to a legal challenge. Max Schrems has dubbed it “little more than a little upgrade to Safe Harbor, but not a new deal” and Privacy International, a UK-based privacy watchdog, predicts further legal challenges as it is based upon “the Obama Administration’s assurances as opposed to meaningful legislative reform”. These criticisms may encourage businesses to consider the other available mechanisms for transatlantic data transfers, yet even these are no longer clear cut. The Irish Data Protection Commissioner has brought a case in the Irish High Court that queries the legal status of data transfers under Model Clauses and intends to seek a referral to the European Court of Justice. If the European Court of Justice were to find that Model Clauses were not adequate, which is a possibility given that the Schrems judgment cast doubt on other transfer mechanisms, then we would again see significant changes to the transatlantic data transfer regime.
It is clear that although the Privacy Shield has provided an increased level of legal clarity, there are still a number of issues facing transatlantic data transfers. Accordingly, companies need to keep such transfers under review and consider which combination of compliance and organisational measures will provide the required level of protection.