1. Why is a new system needed?
The basic principle under current EU data protection laws is that transfers of personal data are not permitted from the EU to places not providing adequate legal safeguards. In the year 2000, the EU and US agreed the so-called “Safe Harbor” arrangement which enabled transfers from the EU to the US without additional approval or safeguards. However, in October 2015, the EU Court of Justice decided that the arrangements did not comply with EU law, among other things due to US surveillance activities that were held to endanger fundamental rights of EU data subjects.
In the light of that decision, some EU national data protection authorities indicated that if no satisfactory alternative arrangements were reached, they might act to prevent data transfers to the US, possibly including transfers apparently lawfully carried out under alternative mechanisms such as the EU model contractual clauses or Binding Corporate Rules within company groups.
2. What will the new system include?
a) US entities importing EU personal data will be required to commit to additional guarantees on how data is processed, to be enforced by the FTC, with particular rules applying to those processing Human Resources data.
b) US government agencies will commit to limitations on access to data and surveillance for law enforcement or national security. This is where privacy concerns seem most likely to arise: current indications are that there will be wide exceptions where generalised surveillance might still be permitted.
c) EU citizens will have additional means of enforcing their rights, with the DoC and FTC being responsible for investigating complaints referred by EU Data Protection Authorities. A free-of-charge alternative dispute resolution mechanism and a new Ombudsperson will also be created.
3. What happens next?
The Commission must now issue a formal “adequacy decision” which will authorise data transfers to the US that comply with the new Privacy Shield arrangements. This may take several months. EU Member States and, in particular, the EU’s Article 29 Working Party representing national data protection authorities will need to be consulted. The Working Party has indicated that it requires complete information and has already expressed concerns that the arrangements may not go far enough in balancing intelligence activities with respect for fundamental rights.
4. What should we do in the meantime?
Transfers relying solely on the Safe Harbor mechanism are clearly now not permitted and national Data Protection Authorities may be expected to investigate or take enforcement action where appropriate. The Article 29 Working Party has indicated that at least until the end of February 2016 transfers may continue on the basis of standard contractual clauses or binding corporate rules. So this is still the recommended course. After that time the Working Party intends to reconsider these mechanisms, in which case data exporters and importers will need to review their contracts and data flows. In the US, data controller and processor commitments made under Safe Harbor are expected to continue to be enforced, even if for European regulators this may not be sufficient to permit a transfer.
Several factors will be crucial in deciding whether enough has changed to overcome the deficiencies of Safe Harbor: the text of the EU-US agreements, the Commission’s “adequacy decision”, progress in the US with supporting measures such as the Judicial Redress Act, the interplay between the Commission and the national data protection authorities (within and independently of the Article 29 Working Party), and any legal proceedings that data subjects or their representatives might bring. The EU Court’s decision invalidating the Safe Harbor scheme specifically confirmed that national authorities may still investigate privacy concerns over transfers even where an adequacy decision exists.
So although this moves us a step further along (and gives at least a temporary reprieve from enforcement actions that data protection authorities had threatened from 31 January 2016 if no EU-US agreement was forthcoming), data exporters and importers unfortunately cannot afford to relax too much and need to keep a close eye on how personal data transfers can be managed – or perhaps prudently minimized.