Since the invalidation of the Safe Harbour regime in October 2015, organisations have been relying predominantly on European Union (EU) model clauses to govern their EU-US personal data transfers (or binding corporate rules for intra-group transfers).
The Privacy Shield has been drafted to replace Safe Harbour with a view to providing a legally compliant way to transfer personal data to the US. It was adopted on 12 July 2016, after the European Commission issued its “implementing decision”.
Privacy Shield could face future legal challenges
If the European Commission has not taken into account the criticisms levelled against the Privacy Shield, that omission is likely to be used as evidence against it in a future legal challenge.
This is all made more complicated by the recent referral by the Irish Data Protection Commissioner to the Court of Justice of the European Union (CJEU) on the validity of model clauses.
On 8 July 2016, the European Commission published a statement confirming that the Article 31 Committee – which is made up of representatives of all member states – had given their “strong support” to the Privacy Shield, which will govern EU-US data transfers.
The statement makes clear that the Privacy Shield is “fundamentally different from the old Safe Harbour: it imposes clear and strong obligations on companies handling the data, and makes sure that these rules are followed and enforced in practice”.
Criticisms of Privacy Shield
The adoption of the Privacy Shield comes after a number of setbacks, the most recent being the European Data Protection Supervisor echoing the criticisms levelled at the Privacy Shield by the Article 29 Working Party.
The European Parliament passed a non-binding resolution which welcomed the Privacy Shield, but urged the European Commission to continue negotiating with the US government to fully implement the Article 29 Working Party’s recommendations.
Further, the Article 31 Committee initially failed to reach an agreement as to whether the proposed Privacy Shield provided adequate protection for EU-US personal data transfers in a meeting with the European Commission.
The Article 29 Working Party’s opinion on the proposed Privacy Shield was given in April 2016, and was particularly critical.
It raised concerns with a number of provisions, ultimately recommending they are reviewed, revised and in some cases strengthened, to afford better protection for EU citizens whose personal data is being transferred outside of the EU to the US.
Of particular concern were the absence of obligations on organisations to delete data no longer required; bulk collection of personal data by US authorities; and the lack of clarity around the new ombudsperson role – in particular regarding their independence and autonomy, as well as the nature of their role and functions.
The Working Party recommended that the European Commission should amend the draft Privacy Shield to ensure that the level of protection given to EU individuals under it is equivalent to EU law, and the Privacy Shield should be reviewed after the General Data Protection Regulation (GDPR) comes into force from 25 May 2018.
In response to these criticisms, the statement made clear “the US has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens' data. And last but not least the Privacy Shield protects fundamental rights and provides for several accessible and affordable redress mechanisms”.
Accordingly, the statement concludes that “consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice”.
Despite the assurances given in the statement, the final Privacy Shield may be found wanting.
In a statement made on 12 July 2016, Maximilian Schrems – the original challenger of the validity of the Safe Harbour – states his view that “it is little more than an [sic] little upgrade to Safe Harbor, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU”.
Schrems has taken aim at model clauses with the recent referral by the Irish Data Protection Commissioner to the CJEU on the validity of Facebook using them to transfer data from Ireland to the US, and it seems likely that he will look to challenge the validity of the Privacy Shield, too.
In terms of next steps, the US Department of Commerce will start operating the Privacy Shield. Companies will then have the opportunity to review the Privacy Shield framework and update their compliance programmes accordingly. Companies will be able to self-certify with the US Department of Commerce from 1 August 2016.
Organisations should consider moving data centres to EU
Organisations should keep under review the options for EU-US personal data transfers. The CJEU will not decide upon the validity of model clauses for some time.
It would certainly be prudent to consider alternative options to US data transfers, such as moving data centres to the EU, to minimise any adverse fallout of both the almost inevitable legal challenge to the Privacy Shield, and the outcome of the CJEU decision on model clauses.
Privacy Shield will be renewed in 12 months
Additionally, it is important to note that the Privacy Shield is up for review in 12 months’ time, and its continuation will depend on the outcome of a careful review by the European Parliament of its effectiveness.
Accordingly, the Privacy Shield is unlikely to provide the answer to all of an organisation’s transatlantic transfer woes on its own, but rather should be considered in the mix together with other compliance measures.
Emma Burnett and Ian Stevens are partners at CMS