In the aftermath of the CJEU judgment in Maximillian Schrems vs Data Protection Commissioner (Case C-362/14), the European Commission and the United States reached a political agreement on a new framework for overseas data transfers on Tuesday, 2 February 2016. Initially, the European Commission, although it did not publish the content of the agreement, issued a press release maintaining that the EU-U.S. Privacy Shield, successor to the Safe Harbor framework, satisfied all the requirements set out by the CJEU in the Schrems case for providing an adequate level of protection for Europeans’ personal data. On Monday, 29 February 2016, the European Commission unveiled the much-awaited EU-U.S. Privacy Shield agreement, thus enabling the procedure for its adoption to commence.
What does the arrangement include?
– Obligations to companies and law enforcement: U.S. companies, under the control of the U.S. Department of Commerce and the Federal Trade Commission, will be subject to robust obligations concerning the processing of personal data as well as the enforcement of the rights of data subjects. Companies wishing to abide by the EU-U.S. Privacy Shield will be obliged to register in the Privacy Shield register and re-certify annually. Moreover, their privacy policies will have to be updated so as to appropriately inform data subjects of their access rights and the available recourse mechanisms. Especially for onward transfers to third-party service providers, companies will remain fully liable and will have to ensure that the third parties’ processing of the data is consistent with the privacy principles enshrined in the EU-U.S. Privacy Shield.
– Obligations to governments: The U.S. has committed, in writing, that the access of U.S. intelligence agencies to European personal data will be subject to clear limitations, safeguards and oversight mechanisms, and that access will be allowed only to the extent necessary and proportionate. Under a recent U.S. reform, mass surveillance by U.S. intelligence agencies is permitted in six cases, involving national security and the like. In addition, the European Commission and the U.S. Department of Commerce, together with U.S. intelligence experts and European Data Protection Authorities, will conduct an annual joint review to regularly monitor the compliance of companies and the U.S. government with the arrangement.
– Redress mechanisms against companies: Companies under the new regime should reply to individuals’ complaints within 45 days. Particularly for the processing of human resources data, U.S. companies will also have to comply with the decisions of European DPAs, while in all other cases such compliance will be voluntary. In addition, they will have to provide individuals with a free-of-charge alternative dispute resolution mechanism. Data subjects may also be given the possibility to refer complaints to their national DPAs, which together with the Federal Trade Commission will be responsible for resolving the complaints. As a last resort, data subjects will be able to address their complaints to a new arbitration mechanism, the Privacy Shield Panel, which will provide “individual-specific, non-monetary equitable relief” in the form of binding decisions.
– Redress mechanisms against the U.S. government: Complaints concerning the access of U.S. intelligence agencies to Europeans’ personal data will be addressed to an Ombudsperson within the State Department, who will be independent of the U.S. intelligence agencies. It is notable that on 24 February 2016 the Judicial Redress Act was signed. The Act permits EU data subjects to seek remedies in U.S. courts against U.S. agencies for violations concerning their personal data.
What are the next steps?
Following the disclosure of the adequacy decision and the supplementary documents, a committee composed of representatives of the 28 Member States will hold a hearing on the new framework in March. Furthermore, the Article 29 Working Party is expected to complete its assessment of the EU-U.S. Privacy Shield by the end of April 2016. Thereafter, the College of Commissioners will decide on the adoption of the decision.
What should companies do?
What is certain at the moment is that companies still relying on Safe Harbor to transfer data from the EU to the U.S. are operating unlawfully. Following the invalidation of Safe Harbor in October 2015, the Article 29 Working Party has also called into question the legitimacy of Binding Corporate Rules (hereinafter BCRs) and Standard Contractual Clauses (hereinafter SCCs), on the basis that they may not provide adequate protection against mass surveillance by U.S. intelligence authorities, as was found to be the case for the Safe Harbor framework.
The legal analysis that the Working Party 29 will conduct in the coming months vis-à-vis the EU-U.S. Privacy Shield will also include an analysis of the legitimacy of BCRs and SCCs. Until this analysis is completed, the Working Party 29 has provisionally determined that these tools can still be used for transatlantic data transfers.
Some quick and useful advice for companies is the following:
– Companies that were bound by Safe Harbor should continue to respect the privacy obligations it imposed, since the new framework will most likely be similar.
– Companies willing to be bound by the EU-U.S. Privacy Shield should start familiarising themselves with it and take all appropriate measures to adjust quickly to the new framework when it enters into force.
– Overseas data transfers should, in any case, be limited to what is absolutely necessary, for both security and privacy reasons.
– Rendering the data unidentifiable by means of encryption while transferring it to the U.S. is strongly advisable, since the European legal framework on privacy applies only to personally identifiable data.
Attorney at Law, LL.M.