Data transfers to the US: new framework agreed | Practical Law

On 2 February 2016, the European Commission announced that it had reached a political agreement on transatlantic data transfers with the US government, following the invalidation of the EU-US safe harbor framework by the European Court of Justice in October 2015.

Practical Law UK Articles 7-623-4626 (Approx. 5 pages)

by Dan Cooper, Covington & Burling LLP
Published on 25 Feb 2016. European Union, USA (National/Federal)
On 2 February 2016, the European Commission (the Commission) announced that it had reached a political agreement on transatlantic data transfers with the US government (the agreement). The agreement is referred to as the EU-US privacy shield and it is intended to serve as a legal basis for future transfers of personal data from the EEA to US organisations that are participating in the privacy shield framework.
Both US and EU negotiators were highly motivated to agree the terms of the privacy shield following the invalidation of the EU-US safe harbor framework by the European Court of Justice (ECJ) in October 2015, which caused many US and EU organisations to be in breach of EU rules relating to transatlantic transfers of personal data (Schrems v Data Protection Commissioner C-362/14; see News brief "Safe harbor in a storm: ECJ rules on data transfers to the US"). Additionally, the expiry of a self-imposed moratorium on enforcement, agreed by EU data protection authorities (DPAs) following Schrems, provided further incentive to reach agreement.

What is the privacy shield?

EU and US authorities have not yet released the actual text of the agreement, so its terms remain unclear. That said, the Commission’s press statement and the US Department of Commerce’s fact sheet clarify certain aspects of the privacy shield framework (http://europa.eu/rapid/press-release_IP-16-216_en.htm; www.commerce.gov/news/fact-sheets/2016/02/eu-us-privacy-shield).
For instance, in addition to subjecting participating US companies to various, as yet unspecified, safeguards, the privacy shield will also introduce an annual joint review of the framework by the Commission and US Department of Commerce, to which EU DPAs will be invited, to ensure its proper functioning. This will include a review of access by US intelligence agencies to data originating from the EU.
It will also include enhanced rights of redress for EU data subjects, including:
  • Subjecting US organisations to firmer deadlines when responding to complaints.
  • Allowing EU citizens and EU DPAs to refer complaints to the US Department of Commerce and the US Federal Trade Commission.
  • Establishing, as a last resort, a new binding alternative dispute resolution mechanism to resolve complaints, which will be voluntary and free to data subjects, capable of issuing binding injunctive orders, and subject to judicial review consistent with the US Federal Arbitration Act.
  • Creating a new ombudsman within the US State Department to handle complaints that relate to US intelligence agencies’ access to data. Complaints will be channeled through EU member state representatives. Disputes relating to human resources or employee data will remain subject to an alternative process that entails closer involvement of EU DPAs, similar to the old safe harbor framework.
It is reported that the US Director of National Intelligence will provide written assurances to the EU that US intelligence agencies do not engage in indiscriminate mass surveillance of data transferred under the agreement.

Regulator reaction

On 3 February 2016, the Article 29 Working Party (the working party), which represents EU DPAs, published its reaction to the agreement (http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160203_statement_consequences_schrems_judgement_en.pdf). Before the agreement can be launched, its content will be scrutinised by the DPAs represented in the working party. The working party said that it welcomed the agreement, and would now assess whether the protections envisaged in it, including rights of redress for EU citizens and a new ombudsman mechanism, would be sufficient to meet the criteria laid down by the ECJ in Schrems. In particular, the working party stressed that it would assess the privacy shield in light of four criteria and, in doing so, would bear in mind the potential access and use by US intelligence agencies of data transferred to the US using the privacy shield (see box "Assessment of the privacy shield").
Notably, the working party said that it would consider how the privacy shield might affect the validity of other transfer mechanisms, presumably including the model clauses and binding corporate rules (www.practicallaw.com/9-501-7717; see News brief "Processor BCRs: a new phase of data protection compliance"). The working party also said that, following its March 2016 plenary meeting, it would further consider the basic validity of both of these other transfer mechanisms in light of the criteria the ECJ applied to the old US-EU safe harbor.
In the meantime, the working party reiterated that transfers based solely on the old safe harbor are invalid, and that flows of data from the EU to the US must now be based on alternative legal mechanisms.

What next?

The Commission and the US authorities have not committed to the release of the agreement within a specific timeframe. However, it is anticipated that this will occur shortly, particularly since the working party has expressed a desire to see the agreement no later than the end of February 2016.
The EU College of Commissioners has mandated Vice-President Ansip and Commissioner Jourová to prepare a draft adequacy decision declaring that the privacy shield ensures an adequate level of protection. The adoption of an adequacy decision by the Commission depends on a comitology procedure that will involve:
  • A proposal from the Commission.
  • An opinion by member states’ DPAs and the European Data Protection Supervisor, in the framework of the working party.
  • An approval from the Article 31 Committee, which is composed of representatives of member states, under the comitology examination procedure.
  • The formal adoption of the adequacy decision by the College of Commissioners.
The exact timeframe for this is not confirmed, but Commissioner Jourová has expressed the wish that the privacy shield will be in effect within the next three months. At any time, the European Parliament and the Council of the EU may request the Commission to maintain, amend or withdraw the adequacy decision on the grounds that its act exceeds the implementing powers provided for in the Data Protection Directive (95/46/EC).

Action for companies

Given the paucity of information regarding the terms of the privacy shield, organisations should certainly monitor developments and anticipate the release of the agreement in the near future. Companies that were making the transition from the old safe harbor to alternative compliance mechanisms, such as model clauses, should continue with that strategy now that the official grace period on enforcement has expired. EU DPAs could, if they see fit, launch enforcement actions against companies that have not implemented alternative, compliant data transfer mechanisms.
Meanwhile, the privacy shield must be formally adopted on both sides of the Atlantic, a process that could take months.
Dan Cooper is a partner at Covington & Burling LLP.

Assessment of the privacy shield

The four criteria that the Article 29 Working Party will use to assess the new privacy shield agreement are:
  • Does the privacy shield establish clear, precise, and accessible rules for the transfer and processing of data, so that affected individuals can be informed and anticipate in advance how data relating to them will be handled?
  • Does the privacy shield establish protections to ensure that transferred data is processed only as necessary and proportionate to achieve the legitimate objectives of the processing, in ways that balance the rights of individuals and the needs of national security?
  • Does the privacy shield establish an impartial, effective and independent oversight mechanism?
  • Does the privacy shield provide for effective remedies for individuals whose data protection rights have been infringed?