Transfers of personal data to the US have been the source of much uncertainty for businesses since the Safe Harbor arrangement was declared invalid in October 2015. This declaration followed a case brought by Max Schrems against Facebook.
The eighth principle of the Data Protection Act prohibits transfers of personal data outside the European Economic Area (EEA) without adequate safeguards. Safe Harbor was one method by which EU businesses could demonstrate compliance with that principle when sending data to the US. The decision to declare Safe Harbor invalid meant that EU businesses were increasingly having to rely on other adequacy mechanisms, such as model clauses. However, model clauses have their own practical difficulties and are also currently subject to challenge by Mr Schrems.
The European Commission (EC) has now agreed a replacement arrangement with the US; the EU-US Privacy Shield. The EC’s adequacy decision approving the Privacy Shield was adopted on 12 July 2016 and self-certifications under the scheme are open in the US as of 1 August 2016.
As with Safe Harbor, Privacy Shield is a self-certifying scheme and US businesses must certify annually with the Department of Commerce (DoC) that they meet its requirements. If a US business is certified under Privacy Shield, data controllers and data processors within the EU can transfer personal data to that business without breaching the eighth principle.
Companies that are signed up to the Privacy Shield scheme must adhere to certain principles, which are largely based on the Safe Harbor principles. Those principles include notice, choice, accountability, security, purpose limitation, access and liability. Where Privacy Shield differs from Safe Harbor is in the enhanced requirements around implementation of the principles. For example:
Numerous concerns were raised by the Article 29 Working Party (WP29) when the draft Privacy Shield was released earlier in the year. Although the WP29 has acknowledged that the final version takes many of those concerns into account, a number still remain. For example, there are concerns around the lack of specific rules on automated decision-taking. The WP29 has also expressed the view that stricter guarantees should have been provided around access to data by government bodies. Some other privacy commentators have also been scathing about the adequacy of the Privacy Shield, and Max Schrems has already heavily criticised it.
Therefore, it is possible that Privacy Shield will end up facing a similar challenge to Safe Harbor further down the line. However, a recent statement by the WP29 suggested that it would not seek to challenge the legitimacy of the Privacy Shield during the first year of its operation. WP29 said that the first annual review will be a ‘key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed’.
For the time being at least, the Privacy Shield is likely to be a very useful mechanism for many EU data controllers to facilitate data flows across the pond.
The relevance of Privacy Shield to the UK post-Brexit is uncertain and will depend to an extent on the terms on which the UK exits the EU. For multi-national companies with offices across the EU and for UK companies with EU-based customers, Privacy Shield is still likely to be very relevant. If the UK becomes part of the EEA post-Brexit, all UK businesses could continue to use Privacy Shield for transfers outside the EEA. If the UK decides to ‘go it alone’ without EEA membership, we may well see our own version of the Privacy Shield to free up data flows with other EU countries.
Contributor: Emma Fox
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.