In November last year, at JWG’s monthly CDMG meeting, we discussed the incoming General Data Protection Regulation which – at that stage – remained a draft and the implications of the removal of the US safe harbour rule. The safe harbour rule was an agreement between the US and EU allowing businesses to transfer personal data on EU citizens to the US. In Q3 of 2015, the European Court of Justice invalidated the agreement with immediate effect in the Schrems case, which challenged the rule on the basis that the agreement allowed for the violation of certain fundamental rights under EU law, primarily Article 8 of the European Charter for Human Rights, which provides protection on the use of personal data.
Taking away this agreement affected an estimated 4,000+ companies, including firms in the financial services industry who transferred personal data of EU clients and employees to the US. The invalidation of the safe harbour rule left firms little time to adapt and therefore forced them to rely on other instruments, such as contractual clauses and binding corporate rules, which allowed for the transfer of data within the same corporate group to entities in other countries such as the US.
Yesterday, an agreement between the US and the UK was reached to replace the safe harbour with the EU – US privacy shield, which will hopefully ease data privacy tensions and facilitate the transfer of data across the Atlantic.
EU – US privacy shield
According to a statement by Commissioner Jourová, the new agreement will “protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies” and the US has provided certainty that the “access of public authorities for national security purposes will be subject to limitations, safeguards and oversight mechanisms”.
The new arrangements will include the following:
- Robust requirements and better enforcement on companies handling Europeans’ personal data: US companies importing personal data from the EU will be subject to obligations on the processing of personal data and will need to guarantee individual rights. The US department of Commerce will monitor and ensure that US companies undertake and publish their commitments to EU citizens.
- Clear safeguards and transparency obligations on US government access: the US has published written assurances that the access of public authorities will be subject to limitations, safeguards and oversight mechanisms.
- Effective protection of EU citizens’ rights with several redress possibilities: if someone considers that their data has been misused under the new arrangement, several possibilities of redress shall be provided to them. Companies will be obliged to reply to complaints, European Data Protection Agencies (DPAs) can refer complaints to the US Department of Commerce and the Federal Trade Commission, and alternative dispute resolution (ADR) mechanisms will be free of charge.
All that it seems
On the face of it, the agreement seems like a satisfactory replacement for the safe harbour. However, until more clarification is provided, there are still a number of unanswered questions. What exactly are the limitations on access by national authorities to the personal data of EU citizens? How precisely will companies be monitored? Will that monitoring be effective? To what extent will the use of free ADR be useful? ADR is a private mechanism which sets no legal precedent and whose processes and conclusions are not publicly accessible. Conceivably, this is a gift to companies who find themselves in disputes with individuals, enabling them to outnumber the complainant and offer conclusions which – in the long term – provide no real answers to proper and justifiable legal concerns. Of course, it could also be more cost- and time-effective and less burdensome to the complainant too.
That being said, there is no doubt that this agreement will be a relief to many organisations that export data. But this is only the initial draft, and there is a long road ahead until a full and complete agreement is signed.
Watch this space for more news in the coming months … although, if GDPR is anything to go by, maybe that should read ‘years’!