The EU Commission announced earlier this year that political agreement with the US had been reached to create a new legal structure for transferring data from the EU to the US, known as the EU-US Privacy Shield (Privacy Shield). The Privacy Shield is intended to replace the Safe Harbour scheme which, until last year, enabled transfers between businesses in the EU and the US. Both the EU and the US have now released legal documents, including the EU draft “adequacy decision”, outlining how the Privacy Shield will work in practice. However, the Article 29 Working Party (an advisory body on data protection) has expressed some concerns with the decision and identified areas for improvement.
Under the eighth data protection principle of the Data Protection Act 1998 (DPA), which incorporates the 1995 EU Data Protection Directive into UK law, personal data must not be transferred outside of the European Economic Area (EEA) unless sufficient levels of protection are in place. The US was found not to provide adequate protection, so, to enable transfers, the US put in place the Safe Harbour scheme, which the EU Commission recognised as providing adequate protection. US undertakings and businesses which signed up to Safe Harbour were able to self-certify their adherence to a series of principles designed to replicate the safeguards of EU data protection law, thereby enabling the transfer of personal data between the EU and the US in compliance with principle eight of the DPA. However, in 2015, Maximilian Schrems, a privacy campaigner, entered into a legal dispute with Facebook on the back of Edward Snowden’s revelations about the mass surveillance and interception of data by intelligence agencies in the US. As a result of this case, the Court of Justice of the European Union (CJEU) ruled that the earlier EU Commission decision approving Safe Harbour as adequate was invalid. After negotiations, the EU and US have now released the details of the Privacy Shield.
The Privacy Shield is intended to ensure an adequate level of protection for data transferred from the EU to the US. The draft adequacy decision sets out how this is to be achieved and provides the framework for the Privacy Shield.
The Privacy Shield, like Safe Harbour, is based on a system of self-certification. Under its terms:
- Obligations on US Companies: US organisations will have to register on the Privacy Shield list and self-certify that they meet the relevant requirements under the Privacy Shield principles;
- Redress possibilities: individuals will be able to complain to businesses directly and the business must then reply within 45 days. They will also have the option to take their complaint directly to their home data protection authority which can then refer the complaint to the US Department of Commerce. Organisations will also have to provide a free independent dispute resolution mechanism to deal with individuals’ complaints. The US has, in addition, committed to put in place a new Ombudsman mechanism to handle EU citizens’ personal data enquiries and complaints;
- Annual joint review mechanisms: the functioning of the Privacy Shield will be monitored and an annual review will be conducted by the US Department of Commerce and the EU Commission and various other agencies involved in the implementation of the Privacy Shield;
- Limited government access: the US has given the EU Commission written assurance that any access to EU personal data by public authorities will be subject to clear limitations and safeguards;
- Wider transparency: the new framework will put greater reporting obligations on both sides to create a more open system;
- More contact with local data protection authorities: the new measures require better communication and co-operation between the US and EU authorities.
Reactions to the draft adequacy decision
The Article 29 Working Party, at a press conference on 13 April, called for further improvement to the Privacy Shield on the basis that it does not provide adequate protection in its current form. The criticism focused on the independence of the US Ombudsman and the continued concern that EU data will be subject to mass surveillance in the US. Other criticisms concerned the lack of certainty and specificity in some areas of the decision. Although the Article 29 Working Party’s views are not binding, the Privacy Shield framework is now likely to be subject to further review.
In light of the feedback on the adequacy decision, it may take more time until the details of the Privacy Shield are agreed. However, the EU Commission Vice-President for the Digital Single Market has reportedly said that he is continuing to work to have the Privacy Shield in place by summer. If you would like further information on alternative protections available for businesses exporting personal data to the US, please see our previous note here.