Further to the invalidation of the Safe Harbor by the European Court of Justice on 6 October 2015, the legal uncertainty on personal data transfers to the U.S. may - hopefully - come to an end in the near future.
Following the signature by President Obama of the Judicial Redress Act on 24 February 2016, the Commission revealed the EU - U.S. Privacy Shield package on 29 February. Like the invalidated Safe Harbor, the EU-U.S. Privacy Shield is based on a system of annual self-certification by which U.S. organisations commit to a set of privacy principles issued by the U.S. Department of Commerce ("Privacy Principles"). To validate the EU-U.S. Privacy Shield, the Commission has prepared a draft "adequacy-decision" to which the Privacy Principles are annexed as well as letters from various representatives of U.S. institutions.
This framework is presented by the Commission as final, yet will be subject to the following further validation steps: (i) first the Article 29 Working Party (WP 29 - the EU advisory body) will assess the documents in order to give its opinion on 13 April 2016, (ii) then the Member States will give their opinion in comitology and lastly, (iii) the "adequacy-decision" will be submitted for adoption to the College of Commissioners.
What are the Shield's key points?
In its Q&A on the EU-U.S. Privacy Shield, the Commission stated that the new framework "will protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses". In order to meet this achievement, the Commission centred its focus on the following key points:
1. Strong obligations on companies and robust enforcement
- Effective supervision mechanisms to ensure that companies follow the rules they have legally committed to uphold, namely consisting of robust obligations on how personal data is processed and individual rights are guaranteed, by means of:
- Tightened conditions and stricter liability provisions for Privacy Shield companies that transfer EU data, for instance for sub-processing activities, to third parties outside the framework, whether in the U.S. or in other third countries;
- Regular and rigorous monitoring of how companies comply with their commitments and eradication of companies that falsely claim adherence to the scheme;
- Making Companies' commitments legally binding and enforceable under U.S. law by the Federal Trade Commission, whereby non-compliance can be punished with severe sanctions.
2. Clear limits and safeguards with respect to U.S. government access
- For the first time, written representations and assurances from the U.S. government that access by public authorities for law enforcement, national security and other public interest purposes will be subject to clear limitations, safeguards and oversight mechanisms;
- Redress mechanism for EU data subjects in the area of national security through an Ombudsperson:
- who will be independent from the national security authorities and
- whose tasks will be to follow-up complaints and enquiries by EU individuals into national security access and confirm compliance or remedied non-compliance;
- The abovementioned safeguards are applicable to all personal data transferred to the U.S. for commercial purposes, irrespective of the basis used to transfer those data (not only for to Privacy Shield transfers).
3. Effective protection of EU individuals’ privacy rights with several redress possibilities
- Companies commit to reply to complaints within 45 days;
- Companies handling HR data from the EU commit to comply with the decisions of the competent EU data protection supervisory authority (DPA) (other companies may voluntarily make such a commitment);
- Possibility for individuals to take their complaint to their ‘home’ DPA which will work with the Department of Commerce and the Federal Trade Commission to facilitate the investigation and resolution of the respective claim within a reasonable timeframe;
- As a last resort: recourse to the so-called Privacy Shield Panel, a dispute resolution mechanism that can take binding and enforceable decisions against U.S. Privacy Shield companies.
4. Annual joint review mechanism of the EU-U.S. Privacy Shield
- Monitoring and review of the EU-U.S. Privacy Shield by the Commission and the U.S. Department of Commerce, supported by the EU data protection authorities, the U.S. national security authorities and the Ombudsperson;
- Consequence of non-compliance with the EU-U.S. Privacy Shield: activation of the suspension process of the EU-U.S. Privacy Shield.
The Shield's first resistance tests
Maximilian Schrems, who introduced the claim on the basis of which the CJEU declared the Safe Harbor invalid, reacted quickly to the Commission's press release. He considers that the new framework does not resolve the fundamental issues of U.S. mass surveillance and the lack of U.S. personal data protection.
On the same day, the WP 29 issued a statement in which it announced that the documents will have to be analysed with great attention given the need for restoring trust in transatlantic data flows.
Further to this assessment, the WP 29 will equally consider whether the current transfer mechanisms - Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR) - can still be used for personal data transfers to the U.S.. In its statement dated 3 February 2016, the WP 29 considered that the SCC and BCR can still be used for existing transfer mechanisms of personal data to the U.S..