The European Commission (the Commission) and the US have reached a political agreement on a replacement for the Safe Harbor framework. The Commission has stated that the new framework, which will be known as the “EU-US Privacy Shield”, reflects the data protection requirements set out by the Court of Justice of the European Union (CJEU) in the case of Maximilian Schrems v Data Protection Commissioner C‑362/14.
Prior to the CJEU decision in Schrems, companies often relied on the Safe Harbor framework in order to transfer personal data belonging to European citizens to the US. In 2000, the Commission adopted a decision which stated that the Safe Harbor framework provided adequate protection for European citizens’ personal data (Decision 2000/520).
However, in Schrems, the CJEU declared Decision 2000/520 invalid, holding that the Safe Harbor framework did not ensure “a level of protection of fundamental rights essentially equivalent to that guaranteed within the European Union”. As a result, companies can no longer rely on the Safe Harbor framework as a legal basis for transferring personal data to the US.
EU-US Privacy Shield
On 2 February 2016, the Commission and the US agreed on a new framework for transatlantic data sharing. In its press release, the Commission stated that the new EU-US Privacy Shield will include three key elements. These can be summarised as follows:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement. US companies will need to commit to “robust obligations” in relation to the processing of personal data belonging to European citizens. The US Department of Commerce will monitor whether US companies publish their commitments, which makes them enforceable under US law by the US Federal Trade Commission.
- Clear safeguards and transparency obligations on US government access. The US has given written assurances that access to personal data by public authorities will be subject to clear limitations, safeguards and oversight mechanisms. For the first time, the US has ruled out indiscriminate mass surveillance of the personal data transferred to the US under the new EU-US Privacy Shield.
- Effective protection of EU citizens' rights with several redress possibilities. Any European citizen who considers that their data has been misused under the EU-US Privacy Shield will have several possibilities of redress and US companies will have deadlines to reply to complaints. European data protection authorities will be able to refer complaints to the US Department of Commerce and the US Federal Trade Commission. In addition, Alternative Dispute Resolution will be available to European citizens free of charge and a new Ombudsperson will be created to hear complaints on alleged access to personal data by US intelligence authorities.
While the political agreement between the Commission and the US is an encouraging step forward, we are still some way from knowing what the future holds.
Notably, the political agreement between the Commission and the US is not legally binding. The Article 29 Working Party is due to analyse the EU-US Privacy Shield in the coming weeks and will make recommendations to the Commission before an adequacy decision is adopted. Until then, it remains unclear what practical impact the EU-US Privacy Shield will have.
In the meantime, the Article 29 Working Party has stated that companies can continue to rely upon Binding Corporate Rules and Standard Contractual Clauses in order to transfer personal data to the US. However, this position will likely be revisited following the adoption of the EU-US Privacy Shield.
With that in mind, companies should review their current EU-US data transfer mechanisms to ensure that the legal basis for each transfer of personal data to the US is properly understood and documented. In addition to imposing contractual obligations on US organisations regarding their use of personal data, companies should also consider whether any additional technical measures could be implemented to improve the security of the data transferred. In these uncertain times, applying the widest practicable range of safeguards to EU citizens’ personal data reduces the likelihood of falling foul of data protection authorities, whichever transfer mechanism ultimately survives scrutiny.