EU-US Privacy Shield now in place
The European Commission has adopted the adequacy decision to replace Safe Harbor. Privacy campaigners are not satisfied and it may still be challenged.
On 12 July 2016, the European Commission adopted a decision to make data transfers from the EU to US companies easier.
The previous “Safe Harbor” regime, based on Commission Decision 2000/520/EC of 26 July 2000, had been overturned by the Court of Justice of the European Union (CJEU) in the Schrems judgment of October 2015. The Schrems judgment held that the US did not offer an adequate level of protection of personal data in light of the Snowden revelations, particularly because US legislation permitted access to data on a generalised basis and did not provide for individuals to pursue legal remedies for breach.
Privacy Shield, v.2
The Privacy Shield arrangement is based on an agreement between the US and the EU. Like Safe Harbor, it relies on the self-certification by participating US companies. Additionally, it provides for:
- Strong obligations on companies handling data, including periodic reviews of compliance by the US Department of Commerce.
- Safeguards and transparency obligations regarding US government access. The US has provided assurances that there will be no indiscriminate surveillance of data and any bulk collection will be under specific preconditions.
- US Ombudsperson. For the first time EU data subjects will have the possibility of redress in respect of breaches for intelligence purposes through a new ombudsperson set up under the Department of State and independent of the intelligence services.
- Dispute resolution mechanism. In addition to intelligence-related complaints, individuals can raise a complaint about a company’s breach with the company itself, via a free alternative dispute resolution process, or with national data protection authorities, who will liaise with the US Federal Trade Commission. Finally, as a last resort, the data subject can invoke a binding arbitration process under the “Privacy Shield Panel”.
- Annual joint review. The Privacy Shield will be reviewed annually by the European Commission and the US Department of Commerce, including national intelligence experts from the US and EU data protection authorities. A public report will be issued to the European Parliament and the Council.
The Privacy Shield had been subject to criticism from both the Article 29 Working Party and the EU Data Protection Supervisor following its proposal in February 2016. The Commission’s adoption follows further agreements with the US including additional clarifications on bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies with respect to limits on retention and onward transfers.
The Privacy Shield has been welcomed by Microsoft, whose Vice President EU Government Affairs, John Frank stated:
“Safe Harbor fell short of what European data protection rules required, and I believe the Privacy Shield now meets each of those requirements. The Privacy Shield secures Europeans’ right to legal redress, strengthens the role of data protection authorities, introduces an independent oversight body, and it clarifies data collection practices by U.S. security agencies. In addition, it introduces new rules for data retention and onward transfer of data.
Importantly, key Privacy Shield provisions will also be extended to alternative data transfer mechanisms, such as EU Model Clauses.”
Mr Frank also welcomed the annual review mechanism, which “…makes the Privacy Shield a living framework. It can evolve over time, adapting to changes in data practices, technology and privacy laws.”
By contrast, Max Schrems, the complainant who started the action which brought down Safe Harbor, has reiterated that, despite a couple of improvements, Privacy Shield remains essentially the same thing as Safe Harbor. He does not believe that the additional protections would offer significant and effective improvements in practice.
It seems likely that the CJEU will be asked to decide on the adequacy of protection offered by the new Privacy Shield regime following action by privacy campaigners or a national data protection authority, although Mr Schrems has said that he is “kind of sick of being the person who brings up all of these issues all of the time.”
The Privacy Shield decision is now in place and data controllers can be expected to rely on it to transfer data to US companies as had been permitted by the Safe Harbor decision for the 15 years prior to the Schrems decision.
However, it cannot be said that the matter is entirely settled until the CJEU has had an opportunity to rule on the issue. The uncertainty is further increased by the most likely alternative, Model Clauses, also being subject to a legal challenge (by Mr Schrems, again, via the Irish Data Protection Commissioner) which is also likely to result in a CJEU decision.
In the meantime, data controllers can meet their obligations in respect of EU-US data transfers by either of these methods, but the lesson is to remain alert to changes in the law resulting from legal challenges in the CJEU. In that respect, we will update on significant developments as they occur.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.