EU-US Privacy Shield
To the surprise of some commentators, the discussions between the EU Commission and US government officials have now produced a form of agreement on a replacement data flow system for the Safe Harbor agreements.
As previously reported, the CJEU ruled in October 2015 that the Safe Harbor Agreements used to effect transfers of EU citizens’ data to the US were no longer lawful. The new agreement, reached on 2 February 2016 after extensive negotiation, proposes a new “EU-US Privacy Shield”.
This provides for:
- a US ombudsman to handle complaints from EU citizens about Americans viewing their data without permission;
- written commitments from the US Office of the Director of National Intelligence that EU citizens’ personal data will not be subject to mass surveillance;
- a joint annual review to ensure that the new system is working properly;
- EU data protection authorities to work with the Federal Trade Commission to address any flagged problems; and
- companies being barred from making use of this process if they do not comply with privacy safeguards.
Essential guarantees
As this is only a political agreement, it cannot be considered a complete solution. The Working Party of national data protection delegates from the EU member states (WP29), which has been reviewing the effect of the CJEU’s decision, has welcomed this agreement but is waiting for a formal copy with supporting documents before reaching a view as to whether it believes it removes the principal problems identified by the CJEU. In the meantime, WP29 has issued what it terms “essential guarantees”, required of US intelligence agencies, which are necessary to protect EU citizens’ privacy rights.
The “essential guarantees”
- Data processing should be based on clear and accessible rules which allow all parties involved to understand what might happen to data transferred to the US.
- Necessity and proportionality need to be demonstrated where data is collected (showing a balance between the reasons for which the data is collected and the rights of the individual whose data is being viewed).
- There should be an independent oversight mechanism such as a judge or other independent person able to carry out the necessary checks and balances (to ensure adequate protection of individuals’ rights).
- Individuals must have effective means of preventing abuse of personal information, or of obtaining remedies where it occurs.
Looking ahead
Once the detailed proposals comprising the Privacy Shield are received, the following steps will need to be taken before it can be said to be legally binding and effective:
- WP29 will report to the EU Commission with its view on whether the new agreement is sufficient to deal with the concerns expressed by the CJEU.
- If its view is positive then the EU Commission must consider whether to adopt it as providing adequate protection for EU citizens’ data.
- The national data protection authorities of each member state must then approve the arrangement.
This process is likely to take a number of months. We will keep you updated on any progress. In the meantime, the EU Standard Contractual Clauses and Binding Corporate Rules continue to offer a potential route for data transfers to the US.
Disclaimer
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article.