Breaking news: New EU-US data transfer agreement announced

United Kingdom

This article was produced by Nabarro LLP, which joined CMS on 1 May 2017.

Summary and Implications

On Tuesday, 2 February 2016, the European Commission announced that it had reached an agreement with the US government on a new framework to govern transfers of personal data from the EU to the US, replacing the invalidated Safe Harbor agreement. The full details of the framework, known as the “EU-US Privacy Shield”, are not yet known and will be drafted in “the coming weeks”. Once drafted, the new agreement will be put to the Article 29 Working Party (a committee comprising representatives from each of the national data protection regulators), which will advise the European Commission on whether or not it should be adopted.

Protection of individual rights

The focus of the announcement was very much on mechanisms designed to protect the rights of individuals, with very little information on how the scheme would work in practice or on the nature of the obligations to be imposed on US companies wishing to subscribe. The announcement included assurances from the US government that access to personal data by US public authorities will be subject to clear conditions, limitations and oversight. This was a direct response to the issues raised in the Schrems decision regarding the ability of the US authorities to undertake mass, indiscriminate surveillance of EU citizens’ personal data. In addition, EU citizens will be able to make complaints about how their data has been handled, and a new Ombudsman will be created by the US government to hear complaints relating to access by national intelligence agencies.

Implications for US-based companies

US-based companies wishing to use the new EU-US Privacy Shield to transfer personal data from Europe to the US will be required to commit to and publish robust obligations on how they handle personal data and how individual rights are to be guaranteed. Breaches of these commitments will be subject to enforcement and sanction under US law. The announcement did not include any further detail on the specific commitments or how the EU-US Privacy Shield will work in practice.

The Schrems decision

The EU-US Privacy Shield is said to “reflect the requirements” set out by the European Court of Justice’s ruling in the Schrems case, which invalidated the Safe Harbor scheme for personal data transfers between the EEA and the US. As you may recall, the result of the Schrems case was that transfers of personal data from the EEA to the US made after 6 October 2015 that relied solely on Safe Harbor were illegal. Following Schrems, the EU Commission announced that no enforcement action would take place against companies continuing to rely on Safe Harbor until after 31 January 2016. By doing so, it gave itself a 3-month timeframe to put in place a new version of Safe Harbor.

Timing and grace period

Unfortunately, the announcement does not bring the immediate legal certainty for which we were hoping. Whilst the news is encouraging and it appears likely that the EU-US Privacy Shield will make its way into law, we have little information on the timing of its adoption. Vice President Ansip of the European Commission has stated that “[w]e will work now to put [the EU-US Privacy Shield] in place as soon as possible”. However, it is still subject to review by the national data protection regulators.

The grace period given by the European Commission for commencing enforcement action against those companies that continue to rely on Safe Harbor has lapsed. The announcement does not specifically address this. We anticipate that the European Commission will make a further announcement shortly to provide comfort to companies that the grace period will be extended until the new EU-US Privacy Shield has been adopted.