An important breakthrough has been reached in the “Privacy Shield” framework designed to facilitate the flow of personal data between the EU and the US.
US companies used to be able to legally receive personal data from companies in the EU under the “Safe Harbor” framework. This framework was invalidated in October 2015 by a decision of the European Court of Justice, following a complaint relating to Facebook transferring personal data to the US, on the basis that US law and practice did not ensure adequate protection of that personal data against mass surveillance carried out by US national security authorities. There are other methods of legally transferring personal data to the US, but they have significant drawbacks, either in rigidity or in the length of time they take to implement.
Since this decision, the EU and the US have been in negotiations to create a suitable successor to Safe Harbor, and earlier this year the European Commission published the results of these negotiations in the form of a draft of the “Privacy Shield” framework.
A number of concerns had been raised about this draft by various interested parties (including the Article 29 Working Party, the European Parliament and the European Data Protection Supervisor).
Very recently it has been reported that amendments to Privacy Shield have been agreed which could mean that, if approved by the EU Member States, Privacy Shield could be implemented as early as later this month. The text of this revised framework is yet to be published, but it is reported to have overcome many of the major criticisms of the earlier draft, which included the following:
Data Retention – the earlier draft of Privacy Shield did not appear to impose on US Certified Organisations (USCOs) a limit for retaining personal data (even after that USCO leaves the Privacy Shield regime), and there was no requirement to delete data once it is no longer necessary to retain it for the purposes for which it was collected.
Automated Decisions – there was no wording to protect individuals against decisions made about them solely on the basis of automated processing (e.g. on creditworthiness). It has been suggested that safeguards should be put in place, including the right to know the logic involved in the decision making and a right to request reconsideration on a non-automated basis.
Purpose Limitation – a key idea in EU data protection is that personal data should generally only be used for the purposes for which it was collected. The previous draft of Privacy Shield went some way to grappling with this concept, but it used different wording in various parts of the documents when dealing with it, and it was feared that this could lead to significant misunderstandings.
Onward Transfers – there was concern that Privacy Shield allowed for onward transfers of personal data to third parties who may be outside the US, and it was not clear whether this could lead to a lower level of protection than USCOs have to comply with under Privacy Shield, and therefore to the potential circumvention of EU data protection principles.
Redress Procedure – various interested parties were worried that the proposed redress mechanisms for EU individuals were in practice too complex. It had been suggested that clarification of these procedures was needed, that EU data protection authorities could be a point of contact for EU individuals wanting to make a complaint about a USCO, and/or that Privacy Shield could contain a jurisdiction clause entitling individuals to exercise their rights under Privacy Shield in Europe. Further, there were questions over whether the proposed Ombudsperson (overseeing the use of personal data by public authorities) would have sufficient powers to function effectively and whether they were truly independent.
Collection of Data – Privacy Shield did not fully exclude the continued massive and indiscriminate collection of personal data from the EU. There were calls for the European Commission to signal that access to and use of EU personal data by public authorities should only take place in exceptional circumstances, and where this is indispensable for specified public interest purposes.
General Data Protection Regulation – Privacy Shield had been designed on the basis of the current EU Data Protection Directive, which will be superseded by the General Data Protection Regulation (GDPR) in May 2018. Commentators had therefore recommended that Privacy Shield should take into account the provisions of the GDPR, especially in relation to new elements of the GDPR which are not present in the Data Protection Directive.
The first draft of Privacy Shield represented a significant step forward from the Safe Harbor regime, but it is clear that various interested parties had very real issues with it as originally drafted. The real risk of getting this wrong, in addition to offering inadequate protection for personal data transferred from the EU to the US, is that if and when Privacy Shield comes before the CJEU it too could be invalidated in the same way as Safe Harbor, throwing transfers of personal data between the EU and the US back up in the air. It remains to be seen to what extent the new draft overcomes these concerns, and therefore how quickly Privacy Shield can be approved and implemented.
In the meantime, the Information Commissioner's Office (ICO) in the UK has confirmed that organisations can continue to use other tools, such as standard contractual clauses and binding corporate rules, to transfer personal data to the US legally. Our experience, however, is that standard contractual clauses, the wording of which cannot be amended, are not suitable in a number of circumstances, and that binding corporate rules are complex and can take a very long time and considerable expense to implement, as they require approval by the data protection authority in each EU member state. For those companies still relying on Safe Harbor, the ICO has provided some comfort by stating that “it will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome”.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.