09 June 2016
The European Commission unveils the new EU-US Privacy Shield
Since our last briefing note on this topic, on 29 February 2016 the European Commission (the “Commission”) published the legal texts that will put in place the EU-US Privacy Shield, together with a Communication setting out the steps that have been taken to restore confidence in the exchange of data between the EU and the US.
The Commission has also issued a draft adequacy decision, stating that the safeguards provided when data are transferred under the Privacy Shield are equivalent to the data protection standards of the EU.
The US Judicial Redress Act, which gives EU citizens the right to enforce data protection rights in US courts, was signed by President Obama on 24 February 2016. The EU-US Umbrella Agreement, which was conditional upon the creation of the US Judicial Redress Act, has now been signed. The Umbrella Agreement implements a comprehensive data protection framework for criminal law enforcement cooperation. It is not yet in effect and further procedural steps are needed – the European Council will adopt a decision on the Umbrella Agreement once consent has been obtained from the European Parliament.
The US authorities have provided commitments that the Privacy Shield will be strictly enforced and that this will be achieved by implementation of the following measures:
- Strong obligations on companies and robust enforcement, including sanctions or exclusion for non-compliance;
- Clear safeguards and transparency obligations on US government access – this includes written assurance from the Office of the Director of National Intelligence that there will be no generalised access to personal data by public authorities for national security purposes and a commitment by US Secretary of State John Kerry to establish an Ombudsman within the US Department of State;
- Effective protection of EU citizens’ rights with several redress possibilities: complaints have to be resolved by companies within 45 days; free-of-charge alternative dispute resolution is available to EU citizens through their national Data Protection Authorities, working in co-operation with the Federal Trade Commission to ensure the investigation and resolution of complaints; and, as a last resort, arbitration by the Privacy Shield Panel, which will be able to take binding decisions against US self-certified companies; and
- An annual joint review by the Commission and the US Department of Commerce to monitor the functioning of the Privacy Shield.
Each year, US companies will need to register in order to appear on the Privacy Shield List and will self-certify that they comply with the Privacy Shield’s requirements. The US Department of Commerce will have to monitor and actively verify that a company’s privacy policies are readily available and comply with the Privacy Shield’s principles. The Department of Commerce has agreed to ensure that the list of Privacy Shield member companies is kept updated. It will also ensure that companies that are no longer members of the Privacy Shield continue to apply its principles to data received while they were members.
The Article 29 Working Party (the “Working Party”), comprising representatives of the supervisory authority of each EU country and the EU institutions, including the European Commission, has now also provided its opinion on the Privacy Shield. In its statement of 13 April 2016, it welcomed the significant improvements made by the Privacy Shield, particularly the insertion of key definitions and the mechanisms set up to ensure oversight and compliance. The Working Party expressed concern, however, in relation to the following issues:
- Inconsistency and lack of clarity caused by the Privacy Shield being constituted by multiple documents;
- A review of the Privacy Shield would need to be carried out after the entry into force of the General Data Protection Regulation in 2018, as it would need to comply with that new Regulation;
- The draft adequacy decision does not reflect key principles such as the application of the purpose limitation principle, the data retention principle and protection against automated processing;
- Onward transfers from a Privacy Shield entity to a third country recipient must provide equal protection to that provided under the Privacy Shield, including in relation to national security, in order to prevent the circumvention of data protection principles;
- The new redress mechanism is complex and may be too difficult for EU citizens to use, especially in a foreign language; and
- Insufficient details of safeguards against massive and indiscriminate collection of personal data, notwithstanding the creation of an Ombudsman, which it considers to be insufficiently independent and without adequate powers.
The Working Party has asked the Commission to resolve these issues before adopting the Privacy Shield.
On 30 May 2016, the European Data Protection Supervisor (the “Supervisor”) published a draft adequacy decision on the Privacy Shield. It concluded that the Privacy Shield, as drafted, is a step in the right direction but does not offer sufficient protection of privacy and data protection rights and therefore fails the adequacy test (i.e. that personal data can only be transferred to jurisdictions outside of the European Economic Area (“EEA”) if they provide adequate protection essentially equivalent to that guaranteed under European law). The Supervisor is particularly concerned about the lack of necessity and proportionality involved in the routine access that US authorities have to data transferred from EU Member States. It considers that self-regulation by private organisations together with commitments from public officials is only a short term solution and that federal legislation is needed to create adequate protection.
If these issues weren’t enough to contend with, the Irish Data Protection Commissioner has indicated that it will be applying to refer the question of the validity of Model Contracts (one of the currently used alternative mechanisms to legitimise EU-US data transfers post-Schrems) to the Court of Justice of the European Union (“CJEU”). Whilst it will likely take several years before the Court rules on the issue, it will add pressure to the negotiations, knowing that similar issues will be argued before the CJEU, which has already invalidated Safe Harbor.
Finally, the Article 31 Committee (made up of representatives of EU Member States) is due to meet in early June and on 20 June 2016. It could either vote on whether the Commission should adopt the Privacy Shield as presented by the Commission or recommend that further negotiations be entered into in order to address the concerns outlined above. The Article 31 Committee must approve the Privacy Shield before the Commission can adopt it, so its decision is eagerly anticipated.
As the ongoing furore relating to the Privacy Shield demonstrates, the EU and the US remain some distance apart in relation to how personal data belonging to EU citizens which is transferred to the US should be protected and what rights of redress should be accorded to those EU citizens. Even where agreement is apparently reached, there may be significant scope for EU stakeholders such as the Working Party and the Supervisor to challenge that agreement.
Potentially of greater concern to data controllers in the Channel Islands is the Irish Data Protection Commissioner’s challenge to the validity of Model Contract terms. Such Model Contracts are probably the most widely used basis for the transfer of personal data outside of the EU, and any suggestion that their use may not be sufficient is likely to have a significant impact.