EU-US Data transfer: Privacy shield to replace Safe Harbour
As has been widely publicised, in October 2015 Safe Harbour was invalidated by the European Court of Justice.
The Safe Harbour framework was established in 2000 between the EU and the US for the protection of EU citizens' personal data within the US. This invalidation made it unlawful for many businesses to transfer personal data from the EU to the US. Since then, the EU Commission and US administration have been in negotiations to create a replacement framework. On 3 February 2016, agreement was finally reached on a new framework, the 'Privacy Shield'.
The aim of the Privacy Shield is to protect the fundamental rights of EU citizens where their data is transferred to the US. It is also intended to give legal certainty to businesses transferring personal data to the US. The framework will be implemented through enforcement, monitoring and co-operation between the European Data Protection Authorities (DPAs), which in the UK means the Information Commissioner's Office, and the US Department of Commerce and Federal Trade Commission. US companies will also have stronger obligations in respect of the protection of EU citizens' data, which will be enforceable under US law.
At this stage, there are few concrete details about the specific wording of the Privacy Shield, although it is clearly intended to be equivalent to Safe Harbour in several respects. The main parallel with Safe Harbour is that US companies will self-certify their compliance, and transfers to them will then rest on an EU Commission adequacy decision (meaning that EU businesses will not need to rely on either EU model contract clauses or binding corporate rules in order to transfer personal data to those companies).
The key aspects of the Privacy Shield can be summarised as follows:
- Restriction on 'snooping' by the US government: one of the main concerns of the EU Commission was the ability of the US Government to snoop on EU citizens where their data is held in the US. The new framework will set out "clear limitations, safeguards and oversight mechanisms", which it is claimed will prevent generalised access by US public authorities.
- Rights of EU citizens: if an EU citizen thinks that their data is being misused, they can complain to the US Department of Commerce and the Federal Trade Commission. A new Ombudsman will also be created to handle complaints about the use of data by US national security authorities.
The Privacy Shield framework has to go through an approval process at EU member state level, and the US has to put in place the necessary mechanisms for implementation, so final sign-off is some way off. A complete version of the text is expected at the end of February. The EU Article 29 Working Party (the official EU body representing all DPAs) will then examine the text in order to determine whether it resolves the issues that led to the invalidation of Safe Harbour. Worryingly, the Article 29 Working Party has also said that it will examine the validity of model clauses and binding corporate rules at the same time as reviewing Privacy Shield, which means there is a possibility that all three of these mechanisms (Privacy Shield, model clauses and binding corporate rules) could be struck down if they are deemed inadequate. However, until the end of February at least, model clauses and binding corporate rules remain a lawful way of transferring personal data from the EU to the US.
The law in this area is currently volatile and fast moving. The good news is that a political solution to replace Safe Harbour has been agreed in principle, although, as with most things of this nature, the difficulty is in the details. The bad news is that it could all change at the end of February. Watch this space!
For more information, contact Matthew Holman.