On 2 February, the European Commission announced that it had reached political agreement with the United States on a new framework for trans-Atlantic data transfers, following the invalidation of Safe Harbour by the Court of Justice of the European Union (the “CJEU”) in the Schrems case in October 2015.
The framework agreement, rebranded the “EU-US Privacy Shield”, was concluded between the EU and US through an “exchange of letters”, and has been approved by the College of Commissioners. The effectiveness of the Privacy Shield will, however, depend on the drafting and adoption of the associated EU Commission “adequacy decision”, which has been tasked to the (EC) Vice President in charge of the Digital Single Market, Andrus Ansip, and Commissioner for Justice, Vera Jourová, and the implementation by the US of its commitments under the arrangement. However, Ms Jourová is reported as having indicated that the agreement could become law within three months.
We understand that the Privacy Shield arrangement introduces the following changes to the trans-Atlantic data transfer regime, designed to address the concerns identified by the EU Commission in its 2013 review of Safe Harbour, and by the CJEU in Schrems:
- US companies that import personal data from the European Economic Area (“EEA”) must publicly commit to the fair processing of that data;
- US government access to imported personal data for national security purposes must be subject to transparent and stringent restrictions; and
a number of enforcement mechanisms will be introduced to guarantee the fundamental rights of European citizens.
- There will also be a joint annual review of the arrangements to monitor implementation by the US of its commitments.
Obligations on US Companies
Under the new arrangement, US companies looking to import personal data from Europe must publicly commit to “robust” obligations on how that personal data is processed in a manner that respects the individual rights of European data subjects. The US Department of Commerce will monitor and ensure the publication of these commitments. Once published, these commitments will be enforceable by the US Federal Trade Commission (the “FTC”) under Section 5(a) of the Federal Trade Commission Act, which establishes the FTC’s general consumer protection remit.
In gauging the likely effectiveness of these obligations, the FTC’s history of enforcement on data protection issues is worth considering. From 2002 to 2013, the FTC brought nearly 50 data security complaints against companies, yet settled all but two amidst continuing questioning of its statutory authority to prosecute issues of data security. Without a clear legal basis for the FTC’s enforcement powers in this space, the obligations placed on US companies under the Privacy Shield arrangement in relation to the fair processing of European personal data may well lack teeth.
Obligations on US Public Authorities
As noted in our previous articles, the CJEU in Schrems specifically noted that generalised access to the content of communications by intelligence agencies violates the fundamental right of European citizens to the respect of their private lives.
Therefore, the US has, for the first time, given the EU written assurances that the right of US public authorities to access imported personal data for the purposes of law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.
In particular, the European Commission has stated that any access to imported personal data for such purposes will only be allowed to the extent necessary and proportionate to the public interest. However, on Monday, Commissioner Jourová told the Committee on Civil Liberties, Justice and Home Affairs that generalised access by public authorities to the personal data of Europeans may occur “in very rare cases” under the new agreement.
Additionally, Privacy Shield establishes a new independent US Ombudsperson to oversee, investigate and enforce cases of suspected misconduct by US intelligent authorities.
Redress Mechanisms for the Misuse of Personal Data
The misuse of personal data under the new arrangement will be subject to several enforcement and redress schemes. Individuals are given the right to make complaints directly to the company / companies involved or through their relevant data protection authority (“DPA”). Where an individual lodges a complaint with a company over the misuse of their personal data, the company is obliged to reply within a prescribed deadline. Additionally, European DPAs can refer complaints to the Department of Commerce and FTC in the US for investigation and enforcement.
Broadly speaking, the technology industry has applauded the agreement which re-introduces an element of legal certainty to the over 3,000 companies that are reliant on such arrangements to legitimise their transfers of personal data from the EEA to the US. However, commentators have been quick to warn that the Privacy Shield arrangement will not be impermeable to challenge, and that stakeholders should stay alert to further changes in the legal landscape.