On 12 July 2016, the European Commission formally adopted a new scheme for trans-Atlantic data flows – the European Union – United States Privacy Shield. The scheme includes some important improvements compared to the rules that governed the transfer of personal data from the EU to the US in the previous fifteen years.
Before diving into the key novelties of the Privacy Shield, let us recapitulate the developments that led to the emergence of the new data transfer framework.
On 6 October 2015, the Court of Justice of European Union (CJEU) declared invalid the Safe Harbor scheme in the groundbreaking Schrems judgment. (We blogged on the case in October 2015.) The Safe Harbor was the framework for data transfers between the EU and the US after 2000. However, the problem with the framework – that ultimately led to its invalidation – was the possibility (which turned out to reality according to the Snowden’s revelations) of a large-scale indiscriminate access by US national security agencies to data transferred from the EU. Given the importance of economic cooperation between the EU and the USA and dependence of such cooperation on data transfers, negotiations about the new scheme started immediately after the demise of the Safe Harbor.
On 2 February 2016, the EU and the USA reached a political agreement which was yet to be transformed into a legally binding text. (Our blog post in February 2016addressed the issue). The European Commission presented to the public a draft decision on the Privacy Shield on 29 February. Article 29 Working Party, a body composed of representatives from the data protection authorities of each EU member state, the European Data Protection Supervisor, and the European Commission, issued its opinion on the proposed scheme on 13 April. The Working Party welcomed the significant improvements of the Privacy Shield compared to Safe Harbor. At the same time, the Working Party set out its strong concerns vis-à-vis the ability of the US authorities to access the data transferred under the Privacy Shield. The opinion concluded by urging the European Commission to resolve these concerns and further improve the Privacy Shield.
Following the issuance of Article 29 opinion, the EU and the US continued the negotiations leading to, first, a resolution of European Parliament on 26 May, and, second, the final adoption of the Privacy Shield in the form of an adequacy decision two days ago. So, what does the new scheme mean for the trans-Atlantic data transfers?
On the day the Commission adopted the adequacy decision, Věra Jourová, the Commissioner for Justice, Consumers and Gender Equality, described the Privacy Shield as a “robust new system to protect the personal data of Europeans and ensure legal certainty for businesses”. According to Jourová, the Shield “brings stronger data protection standards that are better enforced, safeguards on government access, and easier redress for individuals in case of complaints. The new framework will restore the trust of consumers when their data is transferred across the Atlantic.”
These ambitious goals should be achieved by implementation of the policies that the Commission in its press release grouped in the four broad categories:
(1) Clear and strong obligations imposed on US companies that handle data;
(2) Clear safeguards and transparency obligations on US government access;
(3) Effective protection of EU citizens’ rights through new redress possibilities; and
(4) Annual joint review to ensure the continuing effectiveness of the scheme.
As of 1 August 2016, US companies will be able to start self-certification with the US Department of Commerce. Under the new arrangement, the US Department of Commerce will conduct regular reviews of participating companies. If a company does not comply in practice, it may face removal from the list. For the onward transfers of data from a Privacy Shield-certified company to a third party, the company has to provide the equivalent level of protection as under the scheme. (Under the defunct Safe Harbor, companies also committed themselves by self-certification to the principles Safe Harbor prescribed, but there was no annual review of the scheme).
Any EU citizen who considers that his data has been misused under the Privacy Shield scheme will have several dispute resolution mechanisms at hand. In the best-case scenario, the company itself will resolve the complaint (within 45 days). There will also be a possibility of alternative dispute resolution. EU citizens can also go to their national data protection authorities (DPAs), who will work with the US Federal Trade Commission to ensure that complaints are investigated and resolved. As a last resort there will be an arbitration mechanism. Complaints pertaining to data transferred on “national security grounds” (as the Privacy Shield documents put it) will be handled by an ombudsperson in the US, who should work impartially and independently of all federal security agencies.
On annual basis, the European Commission and the US Department of Commerce will jointly review the functioning of the Privacy Shield, including the US commitments and assurances as regards access to data by US authorities for law enforcement and national security purposes.
The most controversial part of the scheme is the one concerning the access to the EU citizens’ data by the US intelligence agencies. The US has given assurance to the EU that the access is subject to clear limitations, safeguards, and oversight mechanisms. In that regard, the Office of the Director of National Intelligence clarified that bulk collection of data could only be used under “specific preconditions and needs to be as targeted and focused as possible, complying with principles of necessity and proportionality”. But, are these guarantees enough to say that the US is adequately protecting personal data of the Europeans? Opinions are highly divided.
There are some big companies, including Microsoft, Apple, Google, Samsung, Sony, which are eager to sign up to the Privacy Shield right away. John Frank, vice president on EU government affairs in Microsoft, wrote in a blog post that the decision “sets a new high standard for the protection of Europeans’ personal data”.
Opponents of the Privacy Shield seem to be louder. Privacy International, a London-based watchdog, has expressed concerns that “European data in the US will continue to be susceptible to surveillance, and Europeans will continue to have no access to justice”. Max Schrems, who filed a complaint against Facebook resulting in the invalidation of the Safe Harbor scheme, said that “Privacy Shield is the product of pressure by the US and the IT industry – not of rational or reasonable considerations. It is little more than a little upgrade to Safe Harbor, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU”.
For the time being, along with Model Clauses, Binding Corporate Rules (BCRs), and data subject’s consent, the Privacy Shield is the fourth basis for the transfer of data to the US. However, Max Schrems has begun court action against Model Clauses and BCRs to get a similar process of review as in the case of the Safe Harbor. It is also well possible that the Privacy Shield itself will be subject to legal challenge either by Max Schrems, NGOs, or any of the EU member states’ DPAs. In either case, the CJEU will probably have the final say on the Privacy Shield.