On 02 February 2016 the European Commission and the US announced a political agreement on a new framework for transatlantic data flows. Dubbed the EU-US Privacy Shield, the new agreement will allow companies to transfer and process the data of EU citizens in the US given certain privacy guarantees.
The agreement comes after the European Court of Justice (ECJ) ruled in October 2015 that the previous Safe Harbour agreement was invalid, as it did not provide adequate protection for European citizens. Austrian law student Max Schrems had argued that the Irish data protection regulator had failed to protect him from mass surveillance by the US National Security Agency.
Facebook, along with around 4,500 other companies, was making use of the 15-year-old Safe Harbour agreement. This allowed US companies to transfer data on European citizens across the Atlantic if they agreed to meet certain conditions, which included notifying customers when their data was collected and used.
Speaking at the beginning of February, Vera Jourová, European commissioner for justice, said: “For the first time ever, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.”
“In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review to closely monitor the implementation of these commitments.”
Far from a done deal
But what does the agreement mean in practice for firms transferring data from the European Economic Area (EEA) to the US? According to Andrew Evans, partner at Gateley plc, firms transferring personal data from the EEA to the US should be able to rely on an umbrella protection, rather than on individual agreements negotiated with individual US companies.
“Firms can also raise any non-compliance by US companies with their local data protection regulator, and individual data subjects can do the same. The Department of Commerce and Federal Trade Commission will police the arrangements and there will also be a new ombudsman.”
“There will be alternative dispute resolution processes, the burden of which is likely to fall on businesses. So clearly, there are more avenues for complaint, but also increasing layers of bureaucracy affecting complaints about transatlantic data transfer.”
Annual reviews of the Privacy Shield will take place and, with future legal challenges likely, it remains to be seen whether the agreement will prove a long-term solution.
Future legal challenges possible
As well as ruling Safe Harbour to be void in the Schrems case, the ECJ made it clear that data protection authorities in the EEA could assess for themselves whether data transfers to territories outside the EEA provided an adequate level of protection. If any of these local data protection authorities rules that protection is inadequate, or has such a decision appealed, the ‘adequate level of protection’ issue could find itself in front of the ECJ again.
“Therefore, just as with the Schrems case on the old Safe Harbour regime, and regardless of the new political agreement on the EU-US Privacy Shield, the risk remains the same,” explained Evans.
“The comfort given by the US on access to personal data by its security agencies appears to come in the form of letters to the EU, which are unlikely to have the force of law. Depending upon the content of the Privacy Shield, it still may not provide adequate protection as there may not be an actual or sufficient change in US practices.”
At the end of February, the European Commission issued the legal texts that would put the EU-US Privacy Shield into practice. A committee comprising representatives of the various member states will be consulted. The body of EU data protection authorities (the Article 29 Working Party, WP29) is now also in the process of reviewing the detail of the Privacy Shield. In a statement prior to the publication of the legal texts, WP29 said that it expected the Privacy Shield to contain certain key elements, so the text could have a bumpy ride prior to implementation.
The data clock is ticking
“The prudent course of action is to continue to proceed as if the Privacy Shield were not in place and enter into individual data processing agreements with US companies where possible. These continue to be the most reliable protection for data transfer to third parties, but even these may come under legal challenge in the future on a case by case basis,” said Evans.
“The clock is ticking from a data protection compliance perspective. Once the Privacy Shield has been implemented and a reasonable period of time has passed, EEA data protection regulators will expect EEA firms to have their affairs in order for personal data transfer to the US.”