Privacy Shield: The new framework for EU transatlantic data flows and next steps


This article was produced by Olswang LLP, which joined with CMS on 1 May 2017.

The European Commission and United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield. According to the Commission, “this new framework will protect the fundamental rights of Europeans where their data is transferred to the US and ensure legal certainty for businesses”. However, a lot of open questions remain. We look at the practical implications for organisations transferring data to the US and the timetable for next steps.

The new framework

On 6 October 2015, the CJEU declared that the Commission’s decision on the Safe Harbor agreement was invalid in its “Schrems” judgment (CJEU Case C-362/14) – see our coverage of the Schrems decision and its practical implications here.

After months of tough negotiations, the EU and US finally agreed on the following elements:

  • Stronger obligations on companies in the U.S. to protect the personal data of Europeans;
  • Stronger monitoring and enforcement by the U.S. Department of Commerce and the FTC;
  • Access by public authorities to personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight, preventing generalised access;
  • An annual joint review in order to closely monitor the implementation of the Privacy Shield;
  • An effective protection of the rights of EU citizens with several redress possibilities: Companies have deadlines to reply to complaints; European DPAs can refer complaints to the Department of Commerce and the FTC; Alternative Dispute Resolution will be free of charge; a new Ombudsperson will be created for complaints on possible access by national intelligence authorities.

A clear assessment of the new deal cannot yet be made. The Commission and the US will need a few more weeks to get the agreed elements into concrete legal wording. Nothing is written on paper yet; so far there has only been “an exchange of letters”. Tuesday’s announcement sounds like some vague (rushed out) goals rather than a clear Safe Harbor 2.0 deal.

There are many open questions

Is it a framework for registration like Safe Harbor? Will this lead to an adequacy decision for the US? Is the Privacy Shield on top of a Safe Harbor registration, i.e. will Safe Harbor rise from the grave? What about transfers to non-EU/EEA countries other than the US?

What about the other data transfer vehicles?

In last week’s (3 February) press conference, the Article 29 Working Party (WP29) explained what the “Schrems” decision means for the other data transfer tools. First, the WP29 noted that companies still relying on the old Safe Harbor agreement are in an “illegal situation”. Such companies may face enforcement, depending on the DPAs concerned. Second, BCRs and Model Clauses remain valid and can still be used for now, until the WP29 has examined the Privacy Shield arrangement. The WP29 stated that it must receive the relevant documents and know precisely the content and the legally binding nature of the new arrangement in order to assess the other transfer tools. This assessment will focus on four essential guarantees that should be respected whenever personal data are transferred from the EU to the US (or other third countries, as well as by EU member states):

  • Processing should be based on clear, precise and accessible rules;
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated;
  • An independent oversight mechanism should exist that is both effective and impartial;
  • Effective remedies need to be available to the individual.

The WP29 calls on the Commission to communicate all documents relevant to the new arrangement by the end of February. It then intends to hold a meeting to assess the documents in March and to have a final analysis ready by mid- or end of April.

Comment

  • The new deadline is the end of April.
  • Companies that are still relying on Safe Harbor are facing enforcement.
  • Companies that are using alternative mechanisms, such as BCRs and Model Clauses, are on the safe side, at least until the end of April (final WP29 statement).
  • Don't give up on Safe Harbor 1.0: it might be a good springboard into Privacy Shield.
  • The Commission still has to work hard to bring Privacy Shield to a level of protection, and into a format, that meets the requirements set by the ECJ.
  • If Privacy Shield is successful, Model Clauses will be adjusted in the near future; BCRs might have to be adjusted, too.

See the full press release by the European Commission here.

See the statement of the WP29 here.