EU-US Privacy Shield – is the harbor safe again, or are we entering further uncharted waters?
The EU-US data transfer framework known as “Safe Harbor” was declared invalid by the European Court of Justice (“the ECJ”) last October in the Schrems decision. Since then, US and EU authorities have been locked in negotiations to see if a deal could be reached to address the concerns raised by the ECJ when it struck down Safe Harbor. Top of the list were the alleged mass surveillance by US security agencies and a lack of redress for European citizens when their rights were infringed by those authorities.
Agreement has been reached
Political agreement between the EU Commission and the US was announced on 2 February 2016 – the “EU-US Privacy Shield”. Details of this high-level framework agreement are sketchy, but we set out below our current understanding of the proposals.
Meanwhile, the body of EU Regulators known as the Article 29 Working Party has been busy as well. It has been holding hearings with those in the know, such as academics, business representatives and senior government officials, to understand the impact of the Schrems decision.
The Working Party received the announcement of the political agreement in a lukewarm way and sounded very cautionary notes – reserving judgement until they had seen the fine detail of the paperwork. They said that until more detailed content is released they cannot be satisfied of the “legal bindingness” of the arrangement and whether it will truly alleviate the concerns raised by Schrems. They had identified guarantees which must be met before they will bless the new arrangement. These guarantees unsurprisingly address transparency, necessity, proportionality, the need for independent oversight and effective remedies. The Working Party has called on the EU Commission to provide draft documents on the new framework by the end of February.
What we know so far about the Privacy Shield proposals
Uncertainty will remain until the end of February or early March, but the headline proposals set out by the European Commission are:
- Obligations and enforcement mechanisms on US companies who handle personal data of EU citizens. Companies will be required to publish “commitments” to show how they will process data and guarantee individual rights. These commitments are to be monitored by the Department of Commerce and be subject to US Federal Trade Commission enforcement.
Of particular note for HR practitioners is the additional point that US companies who handle HR data “must comply with decisions made by European Data Protection Authorities”. No further details have been provided, but this may be difficult in practice. For example, to what extent will an HR department based in the US commit to a ruling made by the French Data Protection Authority, and then a different ruling by the UK Information Commissioner?
- Safeguards and requirements of transparency on the US government in relation to their access to data. The EU have stated that binding assurances have been given that the access of US public authorities to Europeans’ data will be subject to clear limitations, safeguards and oversight. An annual review conducted by the European Commission and the US Department of Commerce with the assistance of national intelligence experts will monitor that these assurances are being complied with.
The strength of the “shield” that these written assurances will provide remains to be seen, as the US Department of Commerce’s press release on the Privacy Shield suggests less movement by US legislation than perhaps the Europeans are expecting. According to the Department of Commerce, “the US Intelligence Community has described in writing for the European Commission the multiple layers of constitutional, statutory, and policy safeguards that apply to its operation”. Even those of us unfamiliar with the details of how US legislation is made might recognise that describing the safeguards does not mean the same thing as introducing additional safeguards via legislation.
- Protection of EU citizens’ rights and opportunities for them to seek redress. New redress opportunities are to be introduced for European data subjects:
  - US companies will have deadlines in which to respond to complaints.
  - Data Protection Authorities in Europe will be able to refer complaints to the Department of Commerce and will work with the Federal Trade Commission to ensure complaints are investigated and resolved.
  - Alternative Dispute Resolution services will be provided free of charge.
  - In relation to potential breaches by national intelligence authorities, a dedicated Ombudsman will deal with these complaints.
The Department of Commerce has announced that it will dedicate a special team with significant new resources to supervise compliance with the Privacy Shield, which will also provide a specific channel for EU individuals to raise questions regarding intelligence activities. The devil will no doubt be in the detail of those “written assurances”, but the recent political agreement is definitely a helpful step in the right direction for businesses working on both sides of the Atlantic.
What should employers do now?
The situation is the same as it was before and the uncertainty is likely to prevail for some time. A key point is that the Article 29 Working Party has not extended its moratorium on enforcement action in relation to companies still relying on Safe Harbor (which was in place until 31 January 2016). Relevant Data Protection Authorities will therefore deal with cases and complaints “on a case by case basis”.
It is surprising and disappointing that the regulators chose not to extend the moratorium, but there is still no need for panic. Certainly the UK Information Commissioner’s approach is a pragmatic one, taking the view that the risk is the same today as it was the day before the Schrems decision.
It is worth keeping an eye on the Regulators wherever you do business. A few, notably some of the German regulators and the Spanish, take a much harder line than the UK.
Pending further details being published, Safe Harbor is not available and transfer of personal data outside the EEA should only take place in the ways which are legally accepted (more often than not through the use of standard model clauses or binding corporate rules). It is also worth noting that the Working Party has been analysing other “transfer tools” since the Schrems decision. It says that it will complete its assessment once the Commission has communicated the documents which detail the framework agreement. It will then consider alternative transfer mechanisms such as standard model clauses and binding corporate rules, and whether they “can still be used for personal data transfers to the US”. For the time being, these mechanisms do remain acceptable.
The potential implementation of the Privacy Shield will only be relevant to EU-US transfers, as was the case with Safe Harbor. If you send data outside the EEA to countries that are not on the white list, you also need to review your transfer mechanisms.