EU-U.S. Privacy Shield: Still a long way to go and much depends on national regulators
The EU Commission has at last reached political agreement on the “EU-U.S. Privacy Shield”. It is intended to replace the now defunct U.S. Safe Harbor regime and provide a justification for transfers of personal data to the U.S.
However, the Privacy Shield still has a long way to go. The Article 29 Working Party must now give an opinion on the scheme, which will have much wider ramifications. In essence, the Working Party will consider if personal data can be safely transferred to the U.S. under any transfer mechanism, be it the Privacy Shield, Model Contracts or binding corporate rules. Their opinion is expected in April and could have significant implications for transfers of personal data to the U.S. and elsewhere.
The EU-U.S. Privacy Shield announced
Racing to meet the deadline set by European regulators, the EU Commission announced agreement of the new EU-U.S. Privacy Shield on 2 February 2016. The Privacy Shield is intended to remedy the deficiencies in the U.S. Safe Harbor system identified in the Schrems decision (C-362/14). Whilst details of the new regime are still limited pending the publication of the agreement, the core principles are:
- Stronger obligations on U.S. companies handling Europeans' personal data and robust enforcement. This will include greater monitoring by the U.S. Department of Commerce and greater restrictions on onward transfers.
- Clear safeguards and transparency obligations on U.S. government access. The U.S. has provided written assurances that the access for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has also ruled out indiscriminate mass surveillance. A new Ombudsperson will be created to deal with complaints about national intelligence authorities.
- Better redress for EU citizens. Companies under the Privacy Shield will have deadlines to reply to citizens' complaints. Alternative dispute resolution will be free of charge.
These arrangements will be reviewed annually, including national security access.
Approval by European regulators will be vital
The EU-U.S. Privacy Shield now needs to traverse the comitology procedure before it comes into force as a binding Decision. In brief, this involves:
- the Article 29 Working Party (the representative body of European privacy regulators) and the European Data Protection Supervisor issuing an opinion on the scheme;
- approval from the Article 31 Committee, composed of representatives of Member States, under the comitology examination procedure; and
- the adoption of the decision by the College of Commissioners.
The first hurdle is likely to be the hardest. In a press conference on 3 February 2016, the Article 29 Working Party welcomed the agreement of the new framework but was very guarded on their views on the Privacy Shield.
There is no guarantee the Article 29 Working Party will approve this new scheme. Not only has there been limited contact between the Working Party and the Commission regarding the negotiations with the U.S., but the Commission also has no control over the Article 29 Working Party, whose independence is guaranteed by the EU Charter of Fundamental Rights.
Further to the Schrems case, the Working Party has gone through a review of the European case law on fundamental rights and identified four essential requirements that the new Privacy Shield as well as other transfer instruments need to meet in relation to law enforcement access, namely:
- they should be based on clear, precise and accessible rules;
- any access must be necessary and proportionate;
- there must be an independent oversight mechanism; and
- there must be effective remedies for individuals.
Much will depend on the detail of the new arrangements, which the EU Commission has promised to provide to the Article 29 Working Party at the end of February. The Article 29 Working Party has indicated it hopes to issue its opinion in April. If the opinion is supportive, the Commission should be able to adopt a Decision to bring the Privacy Shield into force shortly after that. If the Article 29 Working Party issues a negative opinion, it is difficult to see how the Privacy Shield could survive.
Challenges from other quarters
Even if the Commission does adopt a Decision on the Privacy Shield, it could still be challenged in the CJEU. Indeed, Max Schrems has already stated that “European Commission may be issuing a round-trip to Luxembourg” and Europe v Facebook has issued a press release levelling the following criticisms of the scheme:
- commitments made by the U.S. are only embodied in an “exchange of letters” which is weak and not sufficiently binding. One concern is that they might be revoked by the new U.S. administration. However, this depends on the nature of these commitments and, if the U.S. were to revoke such commitments, it is likely the EU Commission would just withdraw the scheme;
- that it still permits mass surveillance of EU citizens in some circumstances. Again, this may be addressed in the detail of the new commitments; and
- that the laws are not “essentially equivalent” to EU data protection laws (as required by the CJEU in Schrems). In the words of Europe v Facebook: “you cannot pick the worst member state, like the UK, and claim you are ‘equivalent’ to that”.
Accordingly, even if the Privacy Shield is passed, it may be some time before it can safely be relied upon.
These issues may affect market acceptance of the Privacy Shield. The old U.S. Safe Harbor scheme had over 4,000 members. It is very unlikely those members will automatically transfer across to the Privacy Shield.
In the absence of automatic transfer, or at least some form of grandfathering arrangements, many organisations will be reluctant to recertify in the short term having carried out the transition to alternative transfer mechanisms, such as Model Contracts. Similarly, most EU companies will be unlikely to rely on the Privacy Shield while issues are still to be determined.
Opinion due on other transfer mechanisms
The Article 29 Working Party’s opinion on the Privacy Shield, due in April, will also consider the validity of other transfer mechanisms, including Model Contracts and Binding Corporate Rules.
This is essentially a unitary question: do the concessions by the U.S. mean it is capable of offering adequate protection under any transfer mechanism? Whether that mechanism is the Privacy Shield, Model Contracts or binding corporate rules becomes almost a secondary issue.
This is a far more important issue. If Model Contracts do not work, this is no longer a question of moving from compliance model A to compliance model B; it will instead require EU businesses to completely re-engineer their systems and processes, for example by only using EU-based data centres, which could raise other types of issues such as protectionism.
The Article 29 Working Party has, at least, indicated that Model Contracts and binding corporate rules continue to be valid until these considerations are complete. Organisations grappling with the regulatory twists and turns following the Schrems decision are best advised to put these alternatives in place until a clearer picture emerges.