EU-US Privacy Shield – an adequate replacement for the Safe Harbour Framework?
Friday 12th August 2016
European Commission adoption of the Privacy Shield
On 12 July 2016, the European Commission adopted the EU-US Privacy Shield agreement (the ‘Privacy Shield’). Negotiated between the European Union and the United States of America, the Privacy Shield regulates the transfer of personal data from inside the EU to the US and will replace the Safe Harbour Framework (another EU-approved method of transfer, invalidated on 6 October 2015 by the Court of Justice of the European Union (‘CJEU’) in Case C-362/14 Maximillian Schrems v Data Protection Commissioner).
Going forward, any US organisation that receives personal data from the EU must adopt one of three approved mechanisms for cross-border transfers of personal data, namely:
(1) the Privacy Shield;
(2) EU standard contractual clauses; or
(3) binding corporate rules (for inter-company/affiliate transfers).
The Privacy Shield is seen as being significantly more convenient than the other available methods of EU data transfer to the US. Standard contractual clauses are cumbersome because they require signature by all relevant legal entities, and any divergence from the clauses often requires approval of the relevant EU data protection authority. Their validity as a method of transferring EU data to the US is also currently under review by the CJEU. Binding corporate rules can also be a lengthy and costly process to implement, requiring the approval of EU data protection authorities.
The Privacy Shield is based on seven key principles for assuring adequate protection when transferring and processing personal data originating in the EU. As under its predecessor, the Safe Harbour Framework, organisations can self-certify their compliance with these principles. Once they have done so, they can seek inclusion on the US Department of Commerce’s list of certified organisations. This registration authorises them to transfer personal data of EU residents to the US.
The Privacy Shield has already been subject to scrutiny and is likely to be tested in the EU courts. Data protection specialists have warned that the revised deal is flawed and toothless, unable to prevent mass surveillance of personal data by US authorities, and Giovanni Buttarelli, the European Data Protection Supervisor, has warned that the Privacy Shield is not ‘robust enough to withstand legal scrutiny.’ In addition, Max Schrems (who successfully challenged the validity of the Safe Harbour Framework) has vowed to challenge the legality of the Privacy Shield.
On a more positive note, the Privacy Shield is expected to fare better than the Safe Harbour Framework as its provisions were specifically drafted to address the latter’s inadequacies identified by the CJEU. In addition, unlike Safe Harbour, the European Commission and US Department of Commerce will conduct an annual review to monitor the functioning of the Privacy Shield. Should material concerns arise, they can be addressed through ongoing revisions to the text.
The Privacy Shield holds great promise and will potentially make it much easier for businesses to transfer data between the EU and US. Whether it will prove to be a panacea, only time will tell, but there are undoubtedly plenty of organisations with their fingers crossed.