On 12 July 2016, the European Commission (the “Commission”) formally adopted the ‘Privacy Shield’ framework for transatlantic data transfers from the EU to the US. The Commission’s decision followed an approval by Member States on 8 July 2016.
Privacy Shield replaces the ‘Safe Harbour’ agreement which was invalidated by the Court of Justice of the European Union (the “CJEU”) in the Schrems decision last year. The relative speed with which the Privacy Shield has been finalised demonstrates the importance of continued transatlantic data flows to industry, and therefore government, on both sides of the Atlantic.
The Commission has stated that Privacy Shield addresses the previous concerns related to data transfers from the EU to the US identified by the CJEU in the Schrems decision, as well as those voiced in the Article 29 Working Party (“WP29”) opinion of 13 April 2016 and by Mr Giovanni Buttarelli, the European Data Protection Supervisor (the “EDPS”), in his opinion of 30 May this year. In the case of both the WP29 and the EDPS opinions, the concerns raised related to the previous draft of Privacy Shield, which was published on 29 February 2016.
At the recent Irish Centre for European Law Privacy and Data Protection Conference in Dublin, at which Matheson partner Anne-Marie Bohan spoke in relation to the Privacy Shield, Mr Bruno Gencarelli, Head of the Data Protection Unit of the Commission, expressed the firm opinion that the Privacy Shield would not have been proposed for approval if recent, further negotiations with the US had not resulted in additional changes which addressed the concerns identified in Schrems, as well as in the WP29 and the EDPS opinions. While accepting that the Privacy Shield is not immune from challenge, Mr Gencarelli was confident that it would withstand scrutiny.
In light of the heightened focus on data transfers in recent months, as well as recent commentary in the media, including a recent article in the Irish Times penned by Jan-Philipp Albrecht and Max Schrems, it would appear to be only a question of time before the Privacy Shield is subject to further legal scrutiny. In the interim, however, whether it will prove an attractive option for EU and US companies, particularly in light of recent efforts by many to implement model clauses following Schrems, remains to be seen.
Some of the Main Features
Stronger Obligations on US Companies
The framework requires US entities that wish to avail of Privacy Shield to register with the US Department of Commerce (the “Department”), on which they become “Participants”. The Department is required to monitor Participants to ensure that high data protection standards are in place, and Participants will need to re-register with the Department annually. They will also be required to apply the relevant data protection measures for as long as they retain the transferred data (even if they are no longer Participants under the framework) and will be able to retain data only for as long as it serves the purpose for which it was collected.
US Government Access
The Office of the Director of National Intelligence has given an assurance, for the purpose of Privacy Shield, that data flowing to the US from the EU will not be subject to indiscriminate mass surveillance. The assurance also lists specific pre-conditions for access to such data.
John Kerry, the US Secretary of State, has committed to establishing a redress mechanism through an Ombudsperson, independent of the US security services. The Ombudsperson will be responsible for addressing EU individuals’ concerns and inquiries regarding access to their data for US national security purposes.
The Commission will monitor the US’ adherence to the framework and will conduct joint annual reviews with the Department. The Commission can, if it believes the framework no longer provides an adequate level of protection, suspend the framework itself.
Privacy Shield provides for a number of redress mechanisms that include:
- a process whereby individuals concerned can lodge a complaint directly with their ‘home’ data protection authority in Europe. The authority will then refer the complaint to the Department, which will have 90 days to respond. If the Department cannot resolve the matter, the complaint will be passed to the Federal Trade Commission;
- an alternative dispute resolution process. Participants will have to indicate their chosen alternative dispute resolution body in their data protection policies and provide a link to the body’s website; and
- referral to the Privacy Shield Panel. The Commission describes this as the option of ‘last resort’. The Panel will be able to make binding decisions against a Participant. According to the Commission, features like free access, the ability to use video-link and free translation services will encourage individuals to enforce their rights through this facility.
Participants will be able to opt between alternative dispute resolution and voluntary submission to the oversight of the relevant EU data protection authorities.
Complaints in relation to US surveillance are to be addressed by the Ombudsperson.
When Privacy Shield Becomes Effective
Privacy Shield is effective immediately. US companies will be able to self-certify and register with the Department from 1 August 2016. The approved framework is intended to give businesses certainty that the flow of data between the EU and the US can be maintained.
The Commission’s Official Memo on Privacy Shield can be accessed here.