
Business lacks certainty despite official adoption of EU-US Privacy Shield

The European Commission has adopted the EU-US Privacy Shield framework, but businesses still lack clarity and assurance on transatlantic personal data transfers

The European Commission (EC) has officially adopted the EU-US Privacy Shield framework to protect transatlantic personal data transfers to the US, but that may not be the end of the controversy.

Andrus Ansip, EC vice-president for the Digital Single Market, said the framework will protect the personal data of European Union (EU) citizens and provide clarity for businesses.

“We have worked hard with all our partners in Europe and in the US to get this deal right and to have it done as soon as possible. Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions,” he said.

Věra Jourová, commissioner for justice, consumers and gender equality, said the framework is a robust system to protect the personal data of Europeans and ensure legal certainty for businesses.

“It brings stronger data protection standards that are better enforced, safeguards on government access and easier redress for individuals in case of complaints,” she said.

Jourová said the framework will also restore the trust of consumers when their data is transferred across the Atlantic.

“We have worked together with the European data protection authorities, the European Parliament, the member states and our US counterparts to put in place an arrangement with the highest standards to protect Europeans’ personal data,” she said.

Privacy Shield implementation

The EC announced agreement of an EU-US Privacy Shield to replace the Safe Harbour agreement in February 2016.

The announcement was greeted with cautious optimism by businesses, but the Article 29 Working Party (WP29) – a body drawn from representatives from European privacy regulators – raised issues with the original proposals, as did the European Data Protection Supervisor (EDPS) and the European Parliament. 

The main concerns included access to the data by national security agencies, the consistency of protection in terms of data protection rights and the independence of the proposed ombudsperson.

Despite these reservations, the EC is satisfied the EU-US Privacy Shield framework addresses the issues raised by the EC and the European Court of Justice (CJEU) and has decided to go ahead with the implementation of the data transfer framework.

This means US organisations wishing to import personal data from the EU can apply for certification under the Privacy Shield framework from 1 August 2016, while EU organisations will have no barriers to data transfers to US organisations that have been certified.


However, according to Vinod Bange, head of the UK data protection and privacy practice at law firm Taylor Wessing, while the EC’s adoption of the framework is a great step forward after the shock demise of Safe Harbour, it is not necessarily the end of the story on EU-US data transfers. 

“Max Schrems, who brought the original challenge to Safe Harbour, has begun court action to get a similar process of review underway with regard to the use of model clauses and binding corporate rules [BCRs],” he said.

According to Bange, it is also possible that the Privacy Shield itself will be subject to legal challenge either in the near future or further down the line if it is seen as insufficiently robust.  

“However, commissioner Jourová and the US secretary of commerce said the Privacy Shield had been designed to take into account the CJEU ruling in the Safe Harbour case, which gave them confidence that it would not be open to further legal challenges,” he said.

Elodie Dowling, vice-president and European general counsel at BMC Software, said it also remains unclear what type of “assurances” the US has provided to the EU to ensure mass surveillance does not apply or, if it does, that it happens in a transparent and framed manner for EU citizens. She expects this issue to be considered carefully by data privacy activists.

Much will also depend on the attitude of the regulators, said Bange. 

The EC does not need the agreement of the EU data protection regulators to adopt the Privacy Shield, but without their backing, he said, the Privacy Shield is unlikely to give any real comfort to businesses. This is because regulators have the ability to investigate data exports irrespective of any adequacy decision by the EC.

WP29’s verdict yet to come

The Article 29 Working Party said it did not know what would happen if the EC were to go ahead with the Privacy Shield as originally drafted, and it remains to be seen what its views on the finalised version will be. 

The WP29, which is expected to meet on 25 July 2016 to give its view on the Privacy Shield framework, is yet to give its opinion on the validity of model clauses and BCRs following the Safe Harbour judgment.

“For now, the EU-US Privacy Shield joins model clauses and BCRs as a solution to enable the lawful transfer of personal data from the EU to the US, which businesses affected by the Safe Harbor ruling should welcome,” said Bange.

However, Phil Lee, partner in the privacy, security and information team at law firm Fieldfisher, said the EC’s adequacy declaration regarding Privacy Shield is only a step along this path to success.

“Market acceptance is something entirely different, and wholly more challenging,” he said.

Lee points out that after the Safe Harbour agreement was declared invalid, many businesses went through lengthy and expensive programs to re-engineer their data export strategies, switching over from Safe Harbour to model clauses, and requiring their supply chain to do the same. 

“Having expended all this time, effort and money, the big question is whether they and their boards are prepared to repeat the process and switch again to Privacy Shield, keeping in mind the prospect that it will almost certainly be challenged by civil liberties groups and possibly some data protection authorities.

“It seems we’re entering a world where no one data export model is good enough: Privacy Shield has an uncertain future, model clauses are being referred to the CJEU for review, and BCRs take too long for all but the most compliance-minded businesses,” said Lee. 

“Because of this, what we’re seeing instead is businesses looking towards a layering of these solutions, rather than betting the ranch on any one solution alone.”
