by Michael Bishop, Brendan Tomlinson & Cassian Ho
“This new framework for transatlantic data flows protects the fundamental rights of Europeans and ensures legal certainty for businesses. The new arrangement lives up to the requirements of the European Court of Justice.”
– Commissioner Jourová, European Commission, 2 February 2016
On 2 February 2016, a political agreement between the European Commission and the United States was officially approved by the College of Commissioners, known as the EU-US Privacy Shield (Privacy Shield). Once in place, the Privacy Shield will fill the vacuum created by the invalidation of the EU-US Safe Harbour (Safe Harbour) on 6 October 2015, and once again provide a further mechanism whereby personal data from the EU may be transferred to participating companies in the US.
The EU Data Protection Directive prohibits companies operating in the European Union from transferring personal data outside the EU unless the recipients of that data can provide an adequate level of protection of that data. Prior to 6 October 2015, the Safe Harbour framework allowed personal data to be transmitted between the EU and US entities registered with the scheme. On 6 October 2015, a ruling of the Court of Justice of the European Union invalidated the EU-US Safe Harbour, holding that the US did not provide adequate protection for the personal data of Europeans in a number of respects (the Decision). Other methods of transfer remained, such as the use of model contract clauses and binding corporate rules, but these are often seen as more onerous and less efficient. We detailed the Decision and its implications in our article of 19 October 2015.
The Privacy Shield, which is to be drafted and implemented in the coming months, will provide for stronger obligations on companies and public authorities in the US to protect the personal data of European consumers.
These developments are being watched closely given how critical the movement of personal data is to the internet and cloud sectors and the US tech-giants in particular, who rely on data being transferred easily. They also serve to highlight tensions between the policy approaches in recent times of the US, which tends to prioritise national security, and the EU, which emphasises the individual’s right to privacy.
Privacy Shield vs. Safe Harbour
“The EU and the US are the closest allies. On a topic as important as this, we have to find common solutions. I believe that this new arrangement as negotiated between our teams is what Europe needs.”
– Commissioner Vice-President Ansip, European Commission, 2 February 2016
- Stricter and more enforceable privacy obligations. Businesses looking to transfer EU personal data into the US will need to commit to “robust obligations on how personal data is processed and individual rights are guaranteed”, which must be made publicly available (and will therefore be enforceable).
- Limiting the power of US Public Authorities. Under the Privacy Shield, US public authorities and national security agencies will be subject to “clear limitations, safeguards and oversight mechanisms”, with prohibitions against indiscriminate and mass surveillance. While there will still be exceptions in certain circumstances, it is expected that these will be “used only to the extent necessary and proportionate”. Interestingly, the US has already provided binding written assurances to the European Commission to implement these commitments, with further assurances to be provided by the Office of the Director of National Intelligence in the White House.
- Empowering the individual’s avenues of redress. European individuals who have concerns about their personal data will have a stronger voice, with European data protection authorities now able to refer complaints to the US Department of Commerce or Federal Trade Commission to investigate and impose enforceable orders. Where the concern is about mismanagement of personal data by a public authority or national security agency, complaints may be made to a newly created Ombudsperson. The Privacy Shield will also create an avenue for free alternative dispute resolution, and an arbitration mechanism if this fails. To ensure the timeliness and efficiency of handling of complaints, US businesses are required to respond to complaints within a certain period.
The Privacy Shield will be subject to annual reviews by both the European Commission and the US Department of Commerce or Federal Trade Commission to assess its effectiveness and adequacy.
“EU capitulates totally on #SafeHarbor. Interesting, given that they held all the cards.”
– Edward Snowden, 2 February 2016
While a political agreement has been reached, the Privacy Shield is not yet complete and so far no text of the proposed framework has been published. It will be interesting to see how the political agreement translates into actual implementation in the US. The wording is fairly high level, but it would appear to require legislative and operational changes in the US.
A number of commentators have expressed scepticism regarding the effectiveness of the Privacy Shield, questioning how robust the new obligations and enforcement will be in practice and querying whether the US will actually enforce the Privacy Shield. MEP Jan Phillip Albrecht has labelled the Privacy Shield as “little more than a reheated serving of the pre-existing Safe Harbour decision” which he believes will once again be challenged and invalidated in the European Court of Justice.
The Austrian student who brought the case against Facebook which led to the Safe Harbour being invalidated, Max Schrems, was sceptical also, saying “a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance.”
In our previous article, we noted that data transfers from the EU into Australia were already somewhat restricted as Australia does not provide ‘adequate’ protection for personal data for the purposes of the EU Data Protection Directive, and data transfers into Australia require contractual protection or the informed consent of data subjects. Australia’s introduction of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) on 26 March 2015, which requires telecommunications companies to retain certain customer metadata for two years, will certainly do nothing to make the flow of personal data to Australian entities any easier.
Commissioner Jourová has also announced that the Privacy Shield will contain “tightened conditions for onward transfers to other partners by the companies participating in the scheme”, which may in turn impact Australian businesses which use US-based service providers.
A draft “adequacy decision” will be produced in the following weeks and considered by the European Commission Working Party and a committee of representatives of Member States of the EU. This will come into force once it is adopted by the College of Commissioners.
In the interim, the position has not changed from that described in our previous article, with data flows between the EU and US still possible through compliance with the European Data Protection Directive. It remains to be seen whether any actions will be taken against those continuing to rely on Safe Harbour arrangements before the Privacy Shield is finalised, and groups like the industry pressure group DigitalEurope are urging Europe’s national data protection authorities to hold off any enforcement action in the interim.
For a PDF version of this article, please click here.