A new personal data transfer agreement was announced yesterday between EU and US authorities: the EU-US Privacy Shield will replace the invalidated Safe Harbor programme.
Since the landmark decision of the European Court of Justice (ECJ) in Maximillian Schrems v. Data Protection Commissioner (case C-362/14) on 6 October 2015 that invalidated Safe Harbor, personal data transfers from the European Union to the United States have been in a state of uncertainty. This LawFlash provides an overview of the recently announced EU-US Privacy Shield, which aims to address the criticisms raised by the ECJ in Schrems.
As described in our October 2015 LawFlash “ECJ Rules EU-US Safe Harbor Programme Is Invalid”, Maximillian Schrems complained in Irish legal proceedings that the Irish Data Protection Commissioner had refused to investigate his complaint about the Safe Harbor programme. He argued that, in light of Edward Snowden’s revelations that the US security services were collecting and using the personal data of EU citizens on a large scale, the programme failed to adequately protect personal data after its transfer to the United States. The ECJ ruled in Schrems that the European Commission decision approving the Safe Harbor programme was invalid. Further, the ECJ ruled that EU data protection authorities can investigate complaints about the transfer of personal data outside Europe and, where necessary, suspend such data transfers until those investigations are satisfactorily completed.
The European Commission has emphasised that there are significant differences between the invalidated Safe Harbor programme and the EU-US Privacy Shield. In announcing the new EU-US Privacy Shield, Commissioner Vera Jourova said the following:
“The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the [United States] has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”
Andrus Ansip (EU Commission Vice President for the Digital Single Market) said, “I believe this arrangement is what Europe needs. Both our citizens and businesses will benefit from this.”
The new agreement includes the following elements:
Before any data transfers can take place under the new EU-US Privacy Shield, the European Commission has to adopt a formal adequacy decision. This cannot happen until the European Commission has taken advice from the Article 29 Working Party (the influential European data privacy body). Some of the members of the Article 29 Working Party are thought to be critical of any data transfers from Europe to the United States, so it may take some time before the EU-US Privacy Shield is in force.
In the meantime, it will still be necessary to legitimise data flows through alternative means such as model clauses, which currently remain in effect despite some recent challenges at the Data Protection Authority level.
Transatlantic commerce demands that data is able to flow freely and efficiently between Europe and the United States. Accordingly, the new EU-US Privacy Shield is to be welcomed in recognising this economic reality and in ensuring that appropriate safeguards are implemented to protect the fundamental rights of EU citizens.
While this is an important step forward, EU and US companies should be cautious about putting all of their faith in this new framework. Challenges still lie ahead, and it may still be prudent to have back-up options in the event that the EU-US Privacy Shield is challenged as being invalid. Commenting critically on the new framework, Jan Philipp Albrecht (a member of the European Parliament) has already called the EU-US Privacy Shield a “sellout of the fundamental EU rights to data protection” and has suggested that it might be invalidated by the ECJ in the future. Given that the Schrems ruling reiterated the national data protection authorities’ ability to investigate data transfers, there is still a risk of a challenge by an EU citizen or data protection authority.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Doneld G. Shelkey
W. Reece Hirsch
Mark L. Krotoski
Dr. Axel Spies