EU-US Privacy Shield to Replace Safe Harbor
A new personal data transfer agreement was announced yesterday between EU and US authorities: the EU-US Privacy Shield will replace the invalidated Safe Harbor programme.
Since the landmark decision of the European Court of Justice (ECJ) in Maximilian Schrems v. Data Protection Commissioner (case C-362/14) on 6 October 2015 that invalidated Safe Harbor, personal data transfers from the European Union to the United States have been in a state of uncertainty.
The Schrems Case
Maximilian Schrems complained in Irish legal proceedings that the Irish Data Protection Commissioner had refused to investigate his complaint that the Safe Harbor programme failed to adequately protect personal data after its transfer to the United States, in light of Edward Snowden’s revelations that the US security services were collecting and using the personal data of EU citizens on a large scale. The ECJ ruled in Schrems that the European Commission decision approving the Safe Harbor programme was invalid. Further, the ECJ ruled that EU data protection authorities can investigate complaints about the transfer of personal data outside Europe and, where necessary, suspend such data transfers until those investigations are satisfactorily completed.
The EU-US Privacy Shield
The European Commission has emphasised that there are significant differences between the invalidated Safe Harbor programme and the EU-US Privacy Shield. In announcing the new EU-US Privacy Shield, Commissioner Vera Jourova said the following:
“The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the [United States] has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”
Andrus Ansip (EU Commission Vice President for the Digital Single Market) said, “I believe this arrangement is what Europe needs. Both our citizens and businesses will benefit from this.”
The new agreement includes the following elements:
Strong obligations on companies handling EU citizens' personal data and robust enforcement of rights
US organisations wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and to guarantee individual rights. The US Department of Commerce will monitor the companies that publish their commitments, which makes those commitments enforceable under US law by the US Federal Trade Commission. In addition, any organisation that handles human resources data from Europe must commit to comply with decisions by European data protection authorities. The new Judicial Redress Act, if passed, will allow EU citizens to bring civil claims to the same extent as US citizens if a US agency has unlawfully breached EU citizens’ data protection rights.
Clear safeguards and transparency obligations regarding US government access
For the first time, the United States has given the European Union written assurances that the access by public authorities for law enforcement and national security reasons will be subject to clear limitations, safeguards, and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate to these reasons. The United States has ruled out indiscriminate mass surveillance under the new agreement (a key criticism made in Schrems). To monitor the operation of the EU-US Privacy Shield, there will be an annual joint review. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the United States and data protection authorities.
Effective protection of EU citizens' rights with several rights of redress
Any citizen who considers that their personal data has been misused under the new agreement will have several rights of redress. Organisations will have deadlines within which to reply to complaints. European data protection authorities can refer complaints to the US Department of Commerce and the US Federal Trade Commission. In addition, Alternative Dispute Resolution (ADR) will be free of charge. A new role will be created to hear complaints about potential access to personal data by national intelligence authorities.
Before any data transfers can take place under the new EU-US Privacy Shield, the European Commission has to adopt a formal adequacy decision. This cannot happen until the European Commission has taken advice from the Article 29 Working Party (the influential European data privacy body). Some of the members of the Article 29 Working Party are thought to be critical of any data transfers from Europe to the United States, so it may take some time before the EU-US Privacy Shield is in force.
In the meantime, it will still be necessary to legitimise data flows through alternative means such as model clauses, which currently remain in effect despite some recent challenges at the Data Protection Authority level.
Transatlantic commerce demands that data be able to flow freely and efficiently between Europe and the United States. Accordingly, the new EU-US Privacy Shield is to be welcomed for recognising this economic reality and for ensuring that appropriate safeguards are implemented to protect the fundamental rights of EU citizens.
While this is an important step forward, EU and US companies should be cautious about putting all of their faith in this new framework. Challenges still lie ahead, and it may be prudent to have back-up options in the event that the EU-US Privacy Shield is challenged as invalid. Commenting critically on the new framework, Jan Philipp Albrecht (a member of the European Parliament) has already called the EU-US Privacy Shield a “sellout of the fundamental EU rights to data protection” and has suggested that it might be invalidated by the ECJ in the future. Given that the Schrems ruling reiterated the national data protection authorities’ ability to investigate data transfers, there is still a risk of a challenge by an EU citizen or a data protection authority.