On 12 July 2016, the European Commission adopted the ‘Privacy Shield’, a new framework for transatlantic data transfers. The EU-US Privacy Shield is the successor of Safe Harbour, which had been declared invalid by the Court of Justice of the European Union in October 2015 in the well-documented Schrems decision. This new framework aims to protect the fundamental rights of anyone in the EU whose personal data is transferred to the United States, and brings clarity for businesses relying on transatlantic data transfers.
The Key Principles
The Privacy Shield applies to both data controllers and data processors. It is based on seven core privacy principles: notice; choice; security; data integrity and purpose limitation; access; accountability for onward transfer; and recourse, enforcement and liability. Further, it is fundamentally different from Safe Harbour, as it imposes ‘clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice’. These include the following measures:
- Redress mechanisms. Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from a number of dispute resolution mechanisms. Complaints should be resolved by the company itself, or alternative dispute resolution (ADR) solutions will be offered. Individuals can also go to their national Data Protection Authorities. An arbitration mechanism also exists as a last resort. The European Commission also plans to publish a guide for European citizens explaining the remedies available to them and how they can be sought.
- Stronger obligations on companies handling data. Under the new arrangement, the US Department of Commerce will conduct regular updates and reviews of participating companies to ensure compliance. Companies that do not comply may potentially face sanctions.
- Safeguards and transparency obligations on US government access. The adoption of Privacy Shield was partly due to the perceived inadequacy of Safe Harbour, as a result of the snooping practices exposed by Edward Snowden. Following this, the US has given various assurances that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms.
- Annual joint review mechanism. An annual joint review, conducted by the European Commission and the US Department of Commerce, together with national intelligence agencies, will oversee the functioning of the Shield.
The Privacy Shield is effective immediately. With regard to the validity of previously accepted mechanisms for transfers of data to the US, the position is less clear. For now, the Privacy Shield is the only framework that EU data controllers and former Safe Harbour participant companies may legitimately rely on. While the European Commission has stated that the Privacy Shield reflects the requirements set out by the ECJ in Schrems, further legal challenges may arise. Some argue that the Privacy Shield has not adopted all the recommendations of the Article 29 Working Party and that it will come under challenge before the ECJ.
The adoption of the Privacy Shield will resolve some of the recent uncertainty regarding transatlantic personal data flows, and this will undoubtedly be a welcome development for many EU and US companies. Companies will need to consider the new scheme and conduct a cost versus benefit analysis to determine whether self-certification is necessary.
For any questions concerning the above, please contact a member of Devonshires’ Employment Team.