New EU-US Privacy Shield to replace Safe Harbour

What is Safe Harbour?

EU data protection law forbids the movement of its citizens’ data outside of the EU, unless it is transferred to a location which is deemed to have “adequate” privacy protections in line with those of the EU (or an exemption can be found such as where the data subject consents to the export of their data).

The Safe Harbour agreement agreed between the EU and the US government essentially promised to protect EU citizens’ data if it was transferred to the US.

Under the Safe Harbour arrangement, companies self-certified that they would protect EU citizens’ data when transferred and stored within US data centres.

However, late last year, the European Court of Justice ruled that the old Safe Harbour arrangement was invalid as, in practice, it did not ensure a sufficient level of data protection as required by EU law.

Self-certification did not provide sufficient comfort that companies which self-certify actually put in place adequate data protection safeguards. US businesses could sign up to the scheme without any third party overseeing whether or not they actually complied with the required standards.

To view our previous newsflash about Safe Harbour, please click here.

What’s the current position now that Safe Harbour is invalid?

Since the ECJ’s decision on Safe Harbour, businesses have had to rely on alternative bases to Safe Harbour in order to ensure they are lawfully transferring personal data from the EU to the US.

EU and US officials have been working to agree a new framework to replace Safe Harbour These negotiations have led to the new proposed framework called the “EU-US Privacy Shield”.

What’s been agreed under the new EU-US Privacy Shield arrangement?

The new arrangement, agreed between the EU and the US authorities, is intended to provide stronger obligations on companies in the US to protect the personal data of EU citizens. The new arrangement will also provide more stringent monitoring and enforcement by the US Department of Commerce and Federal Trade Commission, as well as increased cooperation with European data protection authorities.

The new arrangement includes commitments from the US public authority/government as to the circumstances in which they can access personal data transferred under the new arrangement.

Such access will be subject to conditions, limitations and oversight, with the aim of preventing generalised access to the personal data of EU citizens. Furthermore, EU citizens will be able to raise enquiries or complaints concerning their personal data which has, or is, being processed in the US through a dedicated new Ombudsman.

The European Commission has confirmed that the new EU-US Privacy Shield arrangement will include the following elements:

Strong obligations on companies handling EU citizens’ personal data and robust enforcement:

• US companies wishing to import personal data from the EU will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed;
• the US Department of Commerce will monitor that companies publish their commitments, making them enforceable under US law by the Federal Trade Commission; and
• any company handling human resources data from the EU will have to comply with decisions made by European data protection authorities.

Clear safeguards and transparency obligations on US government access:

• the US has given the EU written assurances that the access of public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Any such access must be made only to the extent necessary and should be proportionate;
• the US has ruled out indiscriminate mass surveillance of the personal data transferred to the US under the new arrangement; and
• there will be regular monitoring of the new arrangement and an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European data protection authorities to such reviews.

Effective protection of EU citizens’ rights with several redress possibilities:

• any EU citizen who considers that their data has been misused under the new arrangement will have new redress possibilities;
• companies will have deadlines to reply to complaints and European data protection authorities can refer complaints to the Department of Commerce and the Federal Trade Commission. Any alternative dispute resolution will be made available to EU citizens free of charge; and
• a new, dedicated Ombudsman will be created to deal with complaints from EU citizens regarding possible access to their personal data by national intelligence authorities.

What happens next?

The EU Commission will prepare a draft “adequacy decision” in the coming weeks, which could be adopted after obtaining the advice of representatives of EU Member States. The EU Working Party set up in relation to the Privacy Shield expects to be able to provide legal certainty for businesses in April 2016.

In the meantime, the US authorities will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsman.

Is there anything I need to do following this announcement?

No, not at this stage, although you do need to make sure that you have legal means to export data outside the EU. As the Safe Harbour scheme ended in October 2015, if you were relying on it, you should have found alternate means to export data to the US by now.

On February 11, the Information Commissioner’s Office (the “ICO”) issued a further update on the Privacy Shield negotiations and has reiterated that, for the time being, organisations can “…continue to use other tools such as Model Contract Clauses and Binding Corporate Rules for transfers to the USA”.

In addition, the ICO has issued updated interim guidance for businesses regarding EU-US data transfers which can be accessed by clicking here.

We will keep you informed of any material developments regard the Privacy Shield and, once the new arrangement is formally agreed and an implementation date set, we will contact you further to explain how the new arrangement may impact on your business.

Please get in touch if you require assistance reviewing your existing arrangements.

How can Ward Hadaway help?

If you have any queries regarding the new Privacy Shield, Safe Harbour or data protection matters generally, please get in touch with a member of the Data Protection team.