[co-author: Edward Hadcock - Mills & Reeve LLP]
The EU-US Privacy Shield, designed to protect EU citizens’ personal data when it is transferred to US organisations, has now been in place for a couple of months. How is it shaping up?
How we arrived at the Privacy Shield…
Under current EU data protection laws, as well as under the forthcoming General Data Protection Regulation (GDPR), personal data can be sent to entities based outside the EU only if one of the specified protections is in place. One protection mechanism is that the relevant territory guarantees EU residents a level of legal protection that is “essentially equivalent” to that guaranteed by the EU.
The previous EU-US regime (the “Safe Harbor”) was stopped in its tracks by a European court ruling that it was invalid. The court focused on concerns about systematic mass surveillance of private citizens on the part of US government authorities, as revealed by Edward Snowden.
The Privacy Shield agreement was intended to replace and overhaul the Safe Harbor regime for data transfers from the EU to the US.
Data security under the Privacy Shield
The Privacy Shield includes substantial additional protections over the Safe Harbor. Participating companies must:
provide detailed information to individuals about their data processing activities, including information about the type of data, purpose of processing, right of access and the choices available to the individual
set out the available remedies should a complaint arise
offer an independent recourse mechanism to investigate and “expeditiously resolve” individual complaints
limit personal data to that which is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current
allow data subjects to opt out if their personal data is to be disclosed to a third party or used for a materially different purpose
only allow onward transfers where (1) the transfer is for a limited and specified purpose; (2) it is carried out on the basis of a contract (or comparable arrangement); and (3) that contract provides the same level of protection.
There has been some high-profile take-up of the new regime, with companies such as Microsoft, Google and Dropbox signing up. But there has been vocal opposition, particularly from individual activists, including Safe Harbor challenger Max Schrems and Edward Snowden.
The EU data protection and privacy regulators’ group, WP29, previously raised concerns about the independence of the available redress mechanisms and about the continuing potential for indiscriminate data collection and surveillance. When the Privacy Shield comes up for its first annual review in the summer of 2017, WP29 will take a long, hard look at the arrangement.
Overall take-up has been cautious. A survey in August suggested that only 34 percent of companies intend to use the framework, with others preferring to rely on other data-transfer mechanisms such as standard contractual clauses (see the IAPP report).
However, standard contractual clauses (SCCs) are also under challenge through the Irish courts.
Standard Contractual Clauses under threat
The SCC protection for data transfer is being challenged on a similar basis to the Safe Harbor, with a court hearing expected next year. A summary issued by the Irish regulator, the DPC, explains the background to the case and gives a trial date of 7 February 2017. The DPC has several concerns about the SCC mechanism, particularly around the absence of an adequate legal remedy for aggrieved EU citizens whose data has been transferred.
The case has attracted international attention with applications to take part from ten organisations. The Irish court will allow the US Government, BSA Business Software Alliance, Digital Europe and EPIC to contribute to the case. A referral to the European court will probably follow.
The Privacy Shield and other mechanisms for cross-border data transfer are unlikely to see further significant changes this year but are likely to change again in 2017. In the UK, the Brexit vote does not alter the need to comply with EU-based legislation now. It also seems likely that data protection laws in place at the time the UK formally leaves the EU (likely to include the GDPR) will be retained by the current government.