Teal blue graphic

European Commission approves US Privacy Shield

Transfers of personal data to the US have been the source of much uncertainty for businesses since the Safe Harbor arrangement was declared invalid in October 2015.  This declaration followed a case brought by Max Schrems against Facebook. 

The eighth principle of the Data Protection Act prohibits transfers of personal data outside the European Economic Area (EEA) without adequate safeguards. Safe Harbor was one method by which EU businesses could demonstrate compliance with that principle when sending data to the US. The decision to declare Safe Harbor invalid meant that EU businesses were increasingly having to rely on other adequacy mechanisms, such as model clauses. However, model clauses have their own practical difficulties and are also currently subject to challenge by Mr Schrems.

The European Commission (EC) has now agreed a replacement arrangement with the US; the EU-US Privacy Shield. The EC’s adequacy decision approving the Privacy Shield was adopted on 12 July 2016 and self-certifications under the scheme are open in the US as of 1 August 2016. 

How does it work?

As with Safe Harbor, Privacy Shield is a self-certifying scheme and US businesses must certify annually with the Department of Commerce (DoC) that they meet its requirements.. If a US business is certified under Privacy Shield, data controllers and data processors within the EU can transfer personal data to that business without breaching the eighth principle.

What does it do?

Companies that are signed up to the Privacy Shield scheme must adhere to certain principles, which are largely based on the Safe Harbor principles. Those principles include notice, choice, accountability, security, purpose limitation, access and liability. Where Privacy Shield differs from Safe Harbor is in the enhanced requirements around implementation of the principles. For example: 

  • Privacy Shield companies must display their privacy policies on their websites, and the DoC will monitor those policies to ensure they are in line with Privacy Shield and are readily available to the public.
  • There is an obligation on participating companies to ensure that any third parties to whom they transfer data provide the same level of protection as the participating company.
  • There are restrictions on how long a participating company can hold personal data for. It must be deleted once it is no longer required for the purpose for which it was collected.
  • There are various mechanisms which EU citizens can use to obtain redress if their data is not processed in compliance with Privacy Shield. There are obligations on participating companies to reply to complaints within 45 days, as well as provision for alternative dispute resolution.
  • Access by public authorities in the US to personal data will be subject to limitations, safeguards and oversight mechanisms. This is important as the key concern surrounding data transfers to the US has been around the level of access to data that US government bodies are allowed. This was a key concern raised by the Article 29 Working Party (WP29) during the negotiations for Privacy Shield, and the final version of the arrangement goes some way towards addressing this concern. 

Is it really adequate?

Numerous concerns were raised by the WP29 when the draft Privacy Shield was released earlier in the year. Although the WP29 has acknowledged that the final version takes many of those concerns into account, a number still remain. For example, there are concerns around the lack of specific rules on automated decision-taking. The WP29 has also expressed a view that stricter guarantees should have been provided around access to data by government bodies. Some other privacy commentators have also been scathing about the adequacy of the Privacy Shield, and Max Schrems has already heavily criticised it. 

Therefore, it is possible  that Privacy Shield ends up in a similar challenge to Safe Harbor further down the line. But, a recent statement by the WP29 suggested that it would not seek to challenge the legitimacy of the Privacy Shield during the first year of its operation.  WP29 said that the first annual review will be a ‘key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed’.

For the time being at least, the Privacy Shield is likely to be a very useful mechanism for many EU data controllers to facilitate data flows across the pond.

Brexit?

The relevance of Privacy Shield to the UK post-Brexit is uncertain and will depend to an extent on the terms on which the UK exits the EU. For multi-national companies with offices across the EU and for UK companies with EU-based customers, Privacy Shield is still likely to be very relevant. If the UK becomes part of the EEA post-Brexit, all UK businesses could continue to use Privacy Shield for transfers outside the EEA. If the UK decides to ‘go it alone’ without EEA membership, we may well see our own version of the Privacy Shield to free up data flows with other EU countries.

Contributor:  Emma Fox

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.


Insights & events View all