On 2 February 2016 the European Commission announced that it has reached an agreement with the United States government on a new framework for transatlantic data flows. The new EU-US 'Privacy Shield' will replace the old Safe Harbor agreement that was declared invalid by the European Court of Justice last October.
The two sides just missed the deadline of 31 January 2016 to reach agreement, with officials "working day and night" on achieving a deal. The Commission has not yet published the text of the agreement, but it has stated that the new arrangement will include the following elements:
The Commission states that it has "mandated" Vice-President Ansip and Commissioner Jourová to prepare a draft "adequacy decision" in the coming weeks, which could then be adopted after obtaining the advice of the Article 29 Working Party. Since a committee of representatives of the Member States will also need to consulted, it would seem that we are still a few weeks away from a final deal.
Business groups such as the US Chamber of Commerce and the CBI have welcomed the announcement. However, the CBI has stressed that businesses now need clarity fast on what they need to do to comply with the new framework.
Other commentators have warned that many challenges remain. In particular, it is considered that if the agreement is concluded by an exchange of letters, privacy activists could challenge the legal basis of the pact. Privacy campaigner, Max Schrems, whose legal action brought down Safe Harbor, has commented that "a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users... when there is explicit US law allowing mass surveillance".
The announcement has certainly taken the pressure off organisations concerned about enforcement action following the end of January deadline. However, it is not yet clear whether Safe Harbor participants will be able to directly 'transfer' to the new scheme or what they should be doing in the meantime. It would certainly appear that organisations will need to be able to commit to more robust obligations on data processing under the new arrangements, and this may not be possible for all organisations without making operational changes.
Unfortunately the position is likely to remain unclear for a few more weeks. Organisations should continue to audit all arrangements where data is being transferred to the United States, and ensure that an alternative means of ensuring adequate protection is used instead of Safe Harbor, such as model contract clauses.
Once the text has been released, organisations will need to analyse the new obligations to assess whether they will be able to use the Privacy Shield for transatlantic data flows. In view of the demise of Safe Harbor, it will be important to bear in mind that the Privacy Shield could face a legal challenge at any time. TLT will continue to monitor potential challenges and will provide a detailed analysis of the text as soon as it is released.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at February 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions on www.TLTsolicitors.com