Safe Harbor to be replaced with “Privacy Shield”
On 2 February 2016, and after an intense weekend of final negotiations, the European Commission announced a political agreement between the EU and US authorities on a new framework for transatlantic personal data flows named “Privacy Shield”, to replace the invalidated Safe Harbor scheme.
Although a high-level political agreement has been reached, the detail of the new framework is yet to be drawn up. The Commission will now prepare a draft “adequacy decision” in the coming weeks setting out the proposed Privacy Shield framework, on which it will seek the views of the Article 29 Working Party (A29WP), the EU’s independent data protection advisory body, and a committee of representatives from each EU member state.
What do we know about the EU-US Privacy Shield so far?
The Commission has confirmed that the proposed Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared Safe Harbor invalid. The Commission has also confirmed that the new arrangement shall include the following features:
• Stronger obligations will be imposed on US-based companies to protect personal data flowing from the EU, with stronger monitoring and enforcement powers given to the US Department of Commerce and Federal Trade Commission, including through increased cooperation with European data protection authorities (DPAs).
• Clear safeguards and limitations will be put in place for access to EU personal data by US public and intelligence authorities, preventing generalised access and mass surveillance.
• EU citizens will have the right to seek redress for breaches of the Privacy Shield in a number of ways, including the ability to complain to a new, independent US Ombudsman in relation to access to personal data by US intelligence authorities.
What should businesses do in the meantime?
Although the Commission was silent in yesterday’s announcement on what businesses should do in the period between now and the implementation of the Privacy Shield, the A29WP confirmed in a press conference yesterday that businesses will need to rely on one of the alternative safeguards to ensure that they are in compliance with their obligations under the Data Protection Directive 95/46/EC, for example, through the incorporation of the “Model Clauses” into relevant agreements, or adoption of binding corporate rules (BCRs) in their business. The A29WP said that it is not acceptable to rely on Safe Harbor and ‘wait it out’ until the Privacy Shield is in force, as Safe Harbor has been clearly invalidated.
Although it is positive that the EU and US have reached agreement on a framework to replace Safe Harbor, many challenges remain. With the detail yet to be fleshed out, and difficult negotiations ahead between the EU member states, it may be some time before businesses receive the certainty they have been hoping and patiently waiting for since October last year.
It is suspected that the data protection authorities of EU member states may be critical of the draft proposals, especially since the Commission has indicated that the Privacy Shield will be built upon letters signed at the highest political level in the US. There are doubts that this will be a strong enough legal foundation for the framework.
As for enforcement, it is unclear to what extent the DPAs will take action against businesses that have not put in place alternative safeguards following the invalidation of Safe Harbor. The A29WP previously announced that if no appropriate replacement was found by the end of January 2016, then DPAs may take all necessary enforcement action. It is important that clarity is provided on this standpoint, since there will be a delay of months between Tuesday’s announcement and the eventual implementation of the Privacy Shield.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.