Privacy activists across Europe raised their data protection banner following the announcement by EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová on Tuesday 2 February 2016 that a political agreement had been reached between the EU and the US on a new framework for handling transatlantic data flows. This does not bode well, especially because the exact content of the new agreement, which will replace the “Safe Harbour” mechanism, is still unknown. We will expand on the indications provided by the Commissioner on some of the negotiated protection mechanisms. More importantly, we will highlight the risks that over 4,000 companies, mainly US tech companies, still face and the measures they should put in place to ensure compliance with EU data protection rules.
Safe Harbour and the storm
In October 2015, the Court of Justice of the European Union (CJEU) in case C-362/14 Maximillian Schrems v Data Protection Commissioner (reported on here) declared the Safe Harbour scheme invalid. Thousands of companies that relied on this cost-effective and compliant way to transfer European personal data to companies, subsidiaries or suppliers in the US were faced with uncertainty and were exposed to potential enforcement actions by national data protection authorities in the EU. The case followed a reference from the Irish High Court to the CJEU, in which the High Court asked whether national data protection authorities were bound by adequacy decisions of the European Commission or whether, on the contrary, they may or must conduct their own investigations into the adequate protection of individuals’ privacy rights. Plaintiff Maximillian Schrems complained that, by transferring his personal data to the US, a large American social media company was unable to adequately ensure that US authorities would not have access to his data through mass and indiscriminate surveillance activities. The CJEU ruled that national data protection authorities must be able to investigate and suspend a transfer if they find that the protection offered to European individuals is inadequate. At the same time, the CJEU invalidated the simplified mechanism offered by the Safe Harbour.
Following this ruling, US companies that had relied on the Safe Harbour were uncertain whether to put additional protective measures in place or to wait for a Safe Harbour 2.0 version.
Just an announcement
The Commission responded, back in October, that it would take the CJEU ruling on board and work with the Article 29 Working Party – the representatives of the national data protection authorities of the 28 Member States – to further negotiate a new and improved agreement with the US.
The Commissioner’s announcement on 2 February 2016 was received with mixed views and divided opinions. Companies want certainty and welcome the progress made by both sides. Data protection organisations and some members of the European Parliament (MEPs) were more negative, doubting the ability of the US to provide protection for personal data equivalent to that in the EU. The most striking reaction came from the “Article 29 Working Party”, which adopted a wait-and-see approach, urging the Commissioner to provide it with the agreement in order to assess whether it answers the privacy concerns.
In her statement on the new EU-US Privacy Shield, the Commissioner announced that the US committed to providing additional assurances and protections to guarantee that the CJEU’s concerns are met, including:
- ongoing monitoring by the US Department of Commerce of US companies importing personal data from Europe and more stringent obligations on the processing of data, the protection of individual rights and the further transfer of data;
- clear limitations, safeguards and oversight mechanisms on law enforcement and national security authorities ruling out indiscriminate mass surveillance;
- real protection and appeal mechanisms, offering EU citizens several accessible and affordable dispute resolution and arbitration mechanisms, as well as the establishment of an independent ombudsman.
Is the end in sight?
US companies have been grappling with transatlantic data flow issues since the CJEU case of last October. This announcement does not yet bring the much-awaited certainty, and the reaction of some privacy activists, even before the release of the agreement, indicates that new legal challenges cannot be ruled out. National data protection authorities will have the power to investigate and potentially suspend data transfers if they deem the protections to be inadequate.
What should business do?
The Safe Harbour is invalid, and companies that were hoping that this new agreement would provide an answer would do well to review their position. It will take a couple more months before the agreement is made public and binding. In the meantime, companies that have not taken alternative actions are still at risk of facing enforcement actions by national data protection authorities. The alternatives for companies remain the adoption of EU model clauses and the establishment of binding corporate rules. These, however, are more time-consuming, challenging to put in place and under closer individual scrutiny by national data protection authorities. The “Article 29 Working Party” members have confirmed that those data transfer mechanisms can still be used – at least until the group can assess the validity and adequacy of the new agreement.
- Investigate the measures your company and the data-receiving counterpart in the US have put in place, and whether those were based on the Safe Harbour mechanism.
- Review the agreements you have with your data processor and ensure that you include the right contractual obligations.
- National data protection authorities will shortly come out with minimum standards and guidelines. Make sure you are monitoring this on a country-by-country basis.
- Evaluate the possibility of adopting alternative transfer mechanisms or alternative data processing options.