TechVision Research Consulting Analyst
- The recent judgement against Facebook led to the termination of the Safe Harbour agreement, shaking up the 15-year-old arrangement for data transfers between Europe and the US.
- The new EU-US Privacy Shield announced this month is a response to European concerns but raises more questions than it answers.
- US companies have to tread warily to avoid falling foul of more vigilant data protection authorities in Europe.
Anyone following the intense debate about the transfer of data between the European Union (EU) and the US over the last five months must wonder what to do next – and with good reason!
Since last October, when the European Court of Justice judged that the Safe Harbour[1] agreement between the European Commission (EC) and the US Department of Commerce was henceforth invalid, the status of trans-Atlantic data flows has been up in the air. The case was brought by a European citizen concerned that his personal data was not being adequately protected by Facebook, and the judgement highlighted growing concerns and criticisms about the participation of 4,400 US businesses in the self-certification of the Safe Harbour privacy principles, which were intended to protect EU and Swiss citizens’ data when transferred by American companies to the US and stored in US data centers. As a consequence, self-certified US companies holding personal data relating to EU citizens could no longer rely on the Safe Harbour principles as the legal basis for transatlantic data transfers. Business was no longer as usual.
Hence, in the immediate wake of the ruling, US enterprises operating in the EU were faced with having to transfer from Safe Harbour to Model or Standard Contract Clauses[2] for the international transfers of personal data to demonstrate that they were complying with the appropriate national data protection regulations, overseen by national data protection authorities (DPAs). Following months of uncertainty, confusion and intense to-and-froing between EU and US negotiators, a political agreement on a new framework, the EU-US Privacy Shield, was finally announced on February 2, two days after the deadline set by the Article 29 Working Party (WP29), the group within the European Union charged with protecting the processing and movement of EU citizens’ personal information.
The “EU-US Privacy Shield” sounds like something out of Star Wars and at the moment has as much credibility. Remarkably enough, the day after the announcement, WP29 issued a statement calling for all documents associated with the proposed new arrangement to be communicated by the end of February – in other words, the body responsible for data protection within the EU had not yet seen the substance of the political sticking plaster. WP29 went on to state that, sometime after being properly briefed, it would be in a position to complete its assessment of personal data transfers to the US and of whether or not EU Standard Contractual Clauses and Binding Corporate Rules can still be used. The good news is that until they’ve made up their minds, the existing transfer mechanisms mentioned above are still valid.
So what happens next? And more to the point, what should any multinational from the US or elsewhere be doing?
According to EU Justice Commissioner Věra Jourová on the conclusion of talks with US Commerce Secretary Penny Pritzker:
The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.[3]
Nevertheless, it is up to WP29 to recommend approving the EU-US Privacy Shield agreement so that the EC can prepare a draft “adequacy decision”, not least to address the issues raised by the October judgement. This in turn would require the approval of the national DPAs in each of the 28 EU Member States. In parallel, the US team will make the necessary preparations to put in place the new framework agreement, monitoring mechanisms and a new Ombudsman to handle complaints relating to possible access by national intelligence authorities. If there are any doubts, and bearing in mind the severe misgivings arising from the Snowden revelations about US surveillance activities, it is not a given that there will be blanket approval across Europe. In that case, it will be months, not weeks, before any legislation comes into force.
Even though the EU-US Privacy Shield may well be similar in substance to Safe Harbour, what is clear is that, irrespective of what transpires over the coming weeks and months, existing Safe Harbour self-certifications no longer have any legitimacy today. And whatever arrangements are put in place, they probably will not be recognized in the future either. In other words, the chances are that companies wanting to comply with the EU-US Privacy Shield will have to go through a similar procedure all over again.
In the meantime, companies are advised to look to adhering to the EU’s Standard Contractual Clauses and Binding Corporate Rules[4], with the caveat that individual DPAs have the right to investigate and suspend data transfers on a case-by-case basis.
So nobody’s making this easy right now … and a further important consideration for US multinationals reviewing their data protection strategy is that the EU-US Privacy Shield only applies to data transfers to the US and does not apply to any other jurisdictions.
And, if that were not enough, all of the above has to be considered in the context of the EU’s upcoming General Data Protection Regulation (GDPR), a wholesale revision of data protection and privacy enforcement which will apply equally across all EU Member States. In terms of penalties alone, the impact of this new legislation on any government agency or business handling personal data about EU citizens, irrespective of whether they are European-based or multinational, should not be underestimated.
To understand the impact of all the new legislation that will come into force over the next two years and to develop a strategy going forward be sure to get sight of TechVision Research’s upcoming document: “Understanding European Privacy and Data Protection Regulations: Compliance Or Consequences.”
Please contact us if you’d like to discuss this topic with David Goodman.
[1] It is mildly ironic that European and American legislators couldn’t even agree on how to spell Safe Harbour/Harbor.
[2] Article 26 (4) of the Data Protection Directive 95/46/EC empowers the Commission to decide that certain Standard Contractual Clauses offer sufficient safeguards as required by Article 26 (2), that is, they provide adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights. The effect of such a decision is that, by incorporating the standard contractual clauses into a contract, personal data may be transferred from a data controller established in any of the 28 EU Member States and three EEA member countries (Iceland, Liechtenstein and Norway) to a data controller or processor established in a country not ensuring an adequate level of data protection.
[3] European Commission Press Release – Strasbourg, February 2, 2016: http://europa.eu/rapid/press-release_IP-16-216_en.htm
[4] Binding Corporate Rules are internal rules (such as a Code of Conduct) adopted by a multinational group of companies which define its global policy with regard to the international transfers of personal data within the same corporate group to entities located in countries which do not provide an adequate level of protection.