Following the invalidation of Decision 2000/520/EC of 26 July 2000 (the “Safe Harbour Decision”) by the Court of Justice of the European Union (the “CJEU”) on 6 October 2015, US and EU officials have finally reached a political agreement for the implementation of a new framework covering the transfer of personal data between the US and the EU: the so-called EU-US privacy shield. The EU-US privacy shield aims to put an end to the legal uncertainty created after the invalidation of the safe harbour scheme by the Safe Harbour Decision.
The officials have mandated Vice-President Ansip and Commissioner Jourová to take the necessary steps to put in place the new framework, which will aim to: (i) protect the fundamental rights of Europeans when their personal data is transferred to the US; and (ii) provide legal certainty for businesses.
After the invalidation of the safe harbour scheme by the Safe Harbour Decision, companies that performed EU-US personal data transfers could no longer rely on the Safe Harbour agreement to comply with the EU and member states’ data protection legislation. As alternatives to the Safe Harbour scheme, many companies considered the possibility of adopting binding corporate rules or model contracts, both of which require implementing due diligence processes and ongoing assessment on a case-by-case basis.
The new framework will be marked by stronger cooperation between US and EU authorities and enhanced protection and enforcement of EU individuals’ personal data being processed in the US.
For instance, the US has committed to put in place clear safeguards, limitations, oversight and transparency on the surveillance of personal data by public authorities, and to be held accountable in case of breach. Law enforcement and national security agencies will have access to such data on a necessary and proportionate basis. Therefore, under the new arrangement, the US will not be able to carry out indiscriminate mass surveillance on the personal data of Europeans transferred to the US.
Other relevant changes in comparison to the Safe Harbour agreement include more procedural protection for individuals to ensure adequate enforcement of the new framework, preventing generalised access. Under the EU-US privacy shield, companies will need to respect deadlines to answer complaints. Such complaints may be referred by European data protection authorities to the US Department of Commerce and the Federal Trade Commission. Individuals will also have access to dispute resolution and arbitration mechanisms, and to an ombudsperson in case of enquiries or complaints related to surveillance by public authorities.
Finally, the European Commission and the US Department of Commerce will carry out annual reviews in order to assess whether the EU-US privacy shield is being complied with.
A draft of the new framework under the EU-US privacy shield is expected to be published within the coming weeks and will need approval by the College of Commissioners, after consultation with the Article 29 Working Party and representatives of the Member States, before coming into force.
EU national data protection authorities voiced tentative approval of the EU-US privacy shield and are expecting to receive a final draft by the end of February. In a published statement, the Article 29 Working Party has expressed concerns that the US legislation may not be compatible with the essential guarantees set out by the European jurisprudence on fundamental rights in respect of intelligence activities.
Once the final draft is issued, the legality of alternative mechanisms (such as binding corporate rules and model contracts) will be reviewed. In the meantime, such alternative mechanisms are still considered to be a suitable option for companies transferring personal data between the EU and US.
Despite the announcement, the future of the new framework and of international data flows is still uncertain. It is unclear whether the EU-US privacy shield will achieve its desired outcome, particularly the need to restrain mass surveillance of EU individuals by US public authorities, as the US has not implemented reforms in its surveillance legislation.
Furthermore, the Safe Harbour Decision opened the door for any national data protection authority to ask the CJEU to challenge the legality of future arrangements, which will increase the likelihood of judicial challenges to the new framework once it is adopted.
For more information, check the European Commission press release here.
By Jose Saras and Natalia Porto.
(Jose Saras is a partner at Preiskel & Co LLP and can be contacted here. Natalia Porto was an associate at Preiskel & Co LLP.)