Data Protection Report - Norton Rose Fulbright

On February 2, 2016, the European Commission and the United States reached an agreement on a new framework to permit transatlantic transfers of personal data. The new framework — named “EU-US Privacy Shield” — is slated to replace the US-EU Safe Harbor framework that was invalidated by the Court of Justice of the European Union.

Andrus Ansip, the Commission’s Vice President for the Digital Single Market, and Vera Jourova, the Commissioner for Justice, have now been mandated to take the steps to implement the framework, which will take the form of a Commission Decision. The United States, meanwhile, will implement the agreed privacy safeguards. Jourova anticipates that these steps will take approximately three months, after which the new EU-US Privacy Shield will enter into force.

While the agreement is a hopeful sign that Europe and the United States are determined to find a solution for transatlantic data transfers, the proposed EU-US Privacy Shield may still face hurdles in being implemented and in surviving legal challenges.

Key aspects of the EU-US Privacy Shield

Initial reports indicate that the new arrangement will have the following key requirements:

  • Clear safeguards and transparency obligations on US government access
    • the US (Office of the Director of National Intelligence) has given the EU written assurances that access to the data for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, and that such access will only be used to the extent necessary and proportionate
    • there will be no indiscriminate mass surveillance on personal data covered by the framework
    • there will be annual joint review of the framework, including national security access
    • the European Commission and the US Department of Commerce will conduct the annual review, and US intelligence experts and European data protection authorities will also be invited to participate in the review process
  • Stronger obligations on US importers to protect personal data of European citizens
    • importers will have to commit to robust obligations on how they process personal data and guarantee individuals’ rights
    • the US Department of Commerce will monitor that the importers’ privacy commitments are public
    • the US Federal Trade Commission will enforce the importers’ privacy commitments
    • importers handling human resources data will also need to comply with decisions of European data protection authorities
  • Effective protection of EU citizens’ rights with several redress options
    • EU citizens will have several options for seeking redress for violation of the framework:
      • filing a complaint directly with the importer
      • resolving the dispute via an alternative dispute resolution put in place by the importer which must be free of charge to the individual
      • filing a complaint with the relevant European Data Protection Authority, which can in turn forward complaints to the US Department of Commerce or the Federal Trade Commission
      • with respect to national security access, the US will establish a functionally independent US Ombudsperson to address complaints of possible access by national intelligence authorities

Our Take

The new agreement is a positive sign for all organizations that export personal data outside of the European Economic Area to the United States and other jurisdictions. It is a sign that the European Union understands the importance of data flows to the European economy, and is willing to act pragmatically.

However, even though the initial agreement was announced today, it is not the time to celebrate; it is a first step in a longer process that will test the new framework’s ability to withstand challenges. There is no doubt that it will have to face many skeptics in Europe.

One commentator succinctly observed:

US tech companies should hold the champagne. They need to realise that the ultimate fate of the shield lies not with the commission in Brussels or US commerce department officials, but with national privacy regulators and European judges. Unlike diplomats who may be willing to massage rules and strike a deal, these judges and regulators are likely to be suspicious of a quick fix.[1]

Initially, LIBE Committee representatives asked pointed questions about the substance of the commitments, including whether the written assurances sufficiently bind the US in law, whether the Ombudsperson will have the necessary powers to provide the promised redress, and whether the redress will be available only to EU citizens when EU data protection laws apply regardless of the citizenship of the individual.

For the framework to succeed, the Commission also must convince the Article 29 Working Party (made up of representatives of the 28 EU Member State Data Protection Authorities) that it addresses their concerns and the ECJ decision in Schrems. The Article 29 Working Party will begin to consider these questions on February 3, 2016. It is understood that Member State Data Protection Authorities were consulted during negotiations, but their formal approval will be needed to calm fears that the new framework will be immediately challenged by the Data Protection Authorities, who have been deemed the ultimate decision makers by the CJEU in Schrems. They will be on the front line receiving complaints from Mr. Schrems and other privacy activists, and will then have to decide whether to suspend flows or face possible judicial review actions and, ultimately, further referrals to the CJEU as to the validity of such transfers or of the arrangement.

EU Data Protection Authorities had agreed to refrain from taking enforcement action against companies that had relied on the US-EU Safe Harbor and had not put in place an alternative export solution. This enforcement moratorium expired on January 31, 2016. The Data Protection Authorities must also decide whether they will extend this moratorium until the EU-US Privacy Shield comes into force.

We will continue to provide updates as the framework winds its way through the approval process.

[1] Abraham Newman, “Transatlantic privacy shield could yet be pierced by regulators”, Financial Times, 2 February 2016.