Back in October 2015 the legal framework surrounding transatlantic data flows between the EU and US was cast into uncertainty following the European Court of Justice’s ruling in the case of Maximillian Schrems v Data Protection Commissioner, that the US-EU Safe Harbor Framework is invalid.
The judgment resulted in an immediate response by both the European Commission (EC) and the US authorities to begin negotiation on an agreement that confers adequate protection for personal data transferred from the EEA to the US, on which we commented here.
In the meantime, organisations which previously relied on Safe Harbor have had to adopt other measures to ensure adequate protection for data transfers to the US, such as the EU standard contractual clauses, consent and, to a limited extent, binding corporate rules.
On 12 July 2016, the EC approved the Privacy Shield framework for EU-US personal data transfers (a modified version of that published in February) to set a new framework for how individuals’ data will be protected in transatlantic data transfers.
The Privacy Shield has been described by Commissioner Jourová as “a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses”.
The Privacy Shield sets out:
- Enhanced obligations on companies handling data;
- Greater restrictions on US Government access to data;
- Increased protection for EU citizens’ rights and a simplified system for redress;
- An independent ombudsperson to manage compliance and enforcement; and
- A system for annual review and monitoring of the effectiveness of the new provisions.
The adoption of the Privacy Shield has been met with mixed response from both companies and privacy commentators. Notably – Microsoft, Google and the International Chamber of Commerce have all welcomed the decision for restoring international data flow. However, the Vice Chair of the European Parliament’s Civil Liberties, Justice and Home Affairs Committee has criticised the EC’s decision, saying it ignores concerns raised by WP29 - for more see here and here.
These concerns have also been echoed by Max Schrems who has described the Privacy Shield as “little more than a little upgrade to Safe Harbor” and commented that it is likely to fail.
Whilst the Article 29 Working Party (WP29) has commended the EC and US authorities for having taken its initial concerns into consideration in the final draft of the Privacy Shield, it still has concerns regarding the commercial aspects of the Privacy Shield and access by US public authorities to data transferred from the EU to the US.
The Privacy Shield will be available for an initial one year period with a joint annual review to take place in July 2017 during which the robustness of the Privacy Shield will be assessed. WP29 has commented that the results of this review may also impact other existing transfer mechanisms such as standard contractual clauses and binding corporate rules.
Where does this leave companies?
The new system is based on self-certification and from 1 August 2016, US organisations can self-certify. They must demonstrate the procedures they have in place to meet all the obligations under the Privacy Shield and the Privacy Shield Principles.
It is likely that, going forwards, many organisations will still rely on standard contractual clauses, binding corporate rules and limited exemptions such as consent. However, Mr Schrems' original complaints are also still being pursued by the Irish Data Protection Commissioner, who is now seeking a referral to the European Court of Justice to determine the status of data transfers under the EU standard contractual clauses. A hearing has been fixed and will open on 7 February 2017. The landscape for transatlantic data flows is therefore by no means certain and there is more to come over the next year.
We are also yet to see how the Privacy Shield will sit following the introduction of the GDPR (read more) and Britain’s impending exit from the EU provides another story that is yet to unfold.
For further advice on the Privacy Shield and transatlantic data flows generally, please contact Sarah Williamson on 0118 952 7247 or email [email protected], Mark Blunden at [email protected], Bill Gornall-King at [email protected] or your usual contact in the Commercial & Technology team.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.