The European Commission has this evening announced political agreement with the United States on a new data transfer regime to replace Safe Harbor, which the CJEU declared invalid in October last year.
The announcement follows four months of intensive negotiations between the EU and the United States and comes two days after the expiry of the Commission's self imposed deadline for reaching agreement on a new regime.
What will change with Privacy Shield?
The Commission has not yet published the text of the agreement reached with the United States (far less the instruments that will give legal effect to the new mechanisms), but in a press conference Commissioner Jourova and Vice-President Ansip set out the high level principles that the Commission believes will address the CJEU's concerns with Safe Harbor:
- an assurance from the United States that it does not undertake indiscriminate mass surveillance on data transferred to the United States.
- safeguards and limitations on, and oversight of, access to data for the purpose of law enforcement and national security.
- a joint annual review to monitor the functioning of the new arrangements.
- a redress mechanism under which EU data subjects can complain about misuse of their personal data, including an ombudsman to deal with concerns over misuse of personal data by intelligence agencies.
- a requirement for US companies wishing to import data from the US under Privacy Shield to commit to "robust obligations" on how personal data is processed and individual rights are guaranteed. These obligations will be more stringent than the current principles that must be adhered to under Safe Harbor
What happens next?
Despite the Commission's announcement, we are still some way from any new arrangements coming into effect.
In order for Privacy Shield to be recognised as a lawful basis for transferring personal data outside the EEA, the Commission will need to issue a finding of adequacy in respect of the arrangements that constitute Privacy Shield. The Commission will not be able to do this until the instruments giving effect to the new mechanisms and arrangements are available and can be appropriately scrutinised.
The Commission will also seek the views of the Article 29 Working Party (a grouping of representatives of the various national data protection authorities) and EU member states.
Given that the Schrems decision confirmed the powers of national data protection authorities to investigate and challenge the Commission's findings of adequacy, it will be interesting to see the Article 29 Working Party's initial reaction to Privacy Shield.
In addition, the United States will need implement the necessary instruments to establish the new mechanisms and frameworks that will underpin Privacy Shield.
Commissioner Jourova expects these steps will take around three months to complete.
What does this mean for EU data controllers?
Once those initial hurdles are overcome, there are still barriers ahead. Even if the Article 29 Working Party is satisfied with the new arrangements, it seems inevitable that the Commission's finding of adequacy will be challenged in the courts in the same way as Safe Harbor. That means that Privacy Shield may not provide data controllers with any long term certainty in relation to the lawfulness of their international data transfers.
Given these concerns, data controllers may wish to look at other mechanisms for transferring personal data outside the EEA, such as model clause agreements, though these are also potentially subject to legal challenge.
The ICO's position up until now has essentially been one of "wait and see". Now that the Commission has announced its proposals the ICO and other national data protection authorities will need to issue guidance to data controllers on whether they consider Privacy Shield an appropriate mechanism and, if not, what steps data controllers should be taking (noting that model clause agreements and binding corporate rules provide no greater protection against government surveillance).
In particular, having stated that no enforcement action would be taken before the end of January, it will be interesting to see what guidance the Article 29 Working Party issues to organisations currently relying upon Safe Harbor pending the Privacy Shield being formally adopted. Will there be a further stay on enforcement action? Will interim measures need to be taken? Data controllers need early guidance on these sorts of issues.
Update (3/2/16): Article 29 Working Party responds to Privacy Shield announcement
The Article 29 Working Party has today (3 February) said that it cannot comment on whether Privacy Shield resolves the issues with Safe Harbor until it sees the detail:
The legal format of the arrangement is still unclear for us... It's difficult to come to a conclusion when you are facing a political will but no real documents.
The Article 29 Working Party does not expect to be able to deliver its verdict on Privacy Shield until April at the earliest. The Article 29 Working Party also emphasised again its concerns on the legality of other data transfer mechanisms such as binding corporate rules and model clause agreements, but is suspending those concerns until it has had an opportunity to review Privacy Shield.
In other words, organisations relying on model clause agreements or binding corporate rules for US data transfers should be free from enforcement action for the time being. However, it will be up to individual data protection authorities to decide whether or not to now start taking action against organisations that are continuing to rely upon mechanisms using Safe Harbor.
As noted above, the ICO's stance to date is that organisations should not rush to put in place alternative measures. It remains to be seen whether this stance will continue pending the Article 29 Working Party's review of Privacy Shield. In the meantime, organisations should ensure that they properly understand their data transfer activities so that they can promptly take any action necessary to legitimise any transfers that continue to be based on Safe Harbor.
We'll publish further updates on Privacy Shield as and when more information becomes available.