An agreement was reached on the new privacy Safe Harbor for transfer of data between the EU and the US with a massive impact on US companies.
Updated on 07.02.16
What had happened to the Safe Harbor principles?
Back in October 2015 the European Court of Justice invalidated the so-called EU Safe Harbor program on which a number of US companies used to rely for the transfer of personal data of EU citizens to the United States. This invalidation created a situation of “panic” in the sector, and US companies started implementing the so-called Model Clauses or the Binding Corporate Rules.
But even such a move was not 100% safe, as the arguments raised by the European Court of Justice against the Safe Harbor program could also be used against these tools. Pending the negotiations between the EU and the United States on the so-called Safe Harbor 2.0 scheme, the EU privacy regulators granted a “grace period” up to the end of January 2016, committing not to challenge data transfers to the US during this time window.
What is the Privacy Shield?
The grace period has now elapsed. But based on a press release, the European Commission and the United States have agreed on a new framework for the transfer of personal data between the EU and the US, which has been named “the EU-US Privacy Shield”.
The new agreement is based on 3 general principles:
1. Stricter obligations will be imposed on US companies as to how European personal data is processed and individual rights of European individuals are protected.
But what really matters is that US companies shall publicly commit to comply with the privacy shield which will make its rules binding for those companies also under US law. As a consequence, if companies are found not to be compliant, they may face sanctions and the removal from the scheme that will block data transfers.
2. Greater transparency will be ensured around the extent of, and the limitations on, US surveillance. The US Government will provide written assurances as to the safeguards that have been put in place. This is the trickiest issue, since this was the reason why the Safe Harbor scheme was invalidated.
3. EU citizens will be provided with a number of possibilities of redress in case of breaches. Companies will initially be expected to resolve individual complaints. But if this is not effective, the matter will be escalated to national Data Protection Authorities, which can refer complaints to the Department of Commerce and the Federal Trade Commission. Also, new alternative dispute resolution procedures will be introduced.
The consequence of the above is that both EU and US authorities will monitor compliance, and in case of breach US companies might face challenging proceedings on “both sides of the fence”.
Nothing to do for the moment?
The Privacy Shield is not yet in force. The European Commission is working on an “adequacy decision” that shall be in line with the regulatory framework to be put in place under the new EU privacy regulation. And US authorities are working on the measures necessary for the coming into force of the new framework. This process is expected to take around 3 months.
But the major question is: if the Privacy Shield will come into force in 3 months and the grace period has expired, what shall US companies do now?
Will everything be as before?
The big question is the impact of the Privacy Shield on the operations of US companies. How strict will these new obligations be? Will they affect the business model and the products of US companies?
We still don’t know what is going to happen, but it seems that US companies shall set up separate databases and rules for EU customers to ensure that their data processing is compliant with the Privacy Shield rules. By contrast, the general impression so far was that data of EU customers was treated like any other type of data once transferred to the US.
Is there a risk of double sanction for US companies?
If the Privacy Shield is binding on US companies under US law, it can be assumed that US authorities will issue these fines. But the same conduct might also trigger a breach of the new privacy regulation, which provides for fines of up to 4% of the global turnover of the breaching entity.
A new approach required from US companies?
A number of US companies are moving their servers dedicated to EU customers to the European Union to deal with this issue. But such “special treatment” for the European business is not only required by the invalidation of the Safe Harbor scheme. Indeed, this is in line with
- the principles of the new privacy regulation, which will also apply to non-EU companies processing data of EU individuals, and
- tax principles that are gradually moving towards taxation based on the place where customers are located.
What is the position of the Article 29 Working Party?
Interestingly, the Article 29 Working Party, whose members are the data protection authorities of all the EU Member States, issued a press release in which it welcomed the Privacy Shield. But it also held that it
stands ready to analyse the result of the negotiations in the light of the European essential guarantees […] It will especially have to consider if its concerns regarding the U.S. legal framework can be alleviated following the introduction of the EU-U.S. Privacy Shield.
Based on the above, it seems that the WP29 has not yet validated the Privacy Shield, and the final outcome of the negotiations is still pending.
What happens to the current data transfers?
Pending the finalization of the approval of the Privacy Shield, the Article 29 Working Party confirmed that the Safe Harbor cannot be used as a legal basis for data transfers to the United States. But what really matters is that
- after the review of the documentation relating to the Privacy Shield, the WP29 will assess whether transfer mechanisms such as Standard Contractual Clauses and Binding Corporate Rules can still be used for personal data transfers to the U.S., while
- in the meantime, the WP29 considers that existing transfer mechanisms can still be used.
Therefore, companies relying on the Standard Contractual Clauses or the Binding Corporate Rules for data transfers to the United States “should” be safe.