New EU-US Privacy Shield – destined for invalidation?

On 29 February 2016, the draft adequacy decision and the legal texts that will establish the EU-US Privacy Shield were released by the European Commission and the US Department of Commerce.

The Privacy Shield will operate as a framework to regulate transatlantic data flow of personal information from the EU to participating US companies, in an attempt to fill the void left by the EU-US Safe Harbor Agreement which was invalidated by the European Court of Justice (ECJ) in October 2015.

A novel framework

The paramount importance that the US places on national security, demonstrated through the significant surveillance powers afforded to some of its government agencies, is naturally at odds with the EU’s emphasis on the privacy of personal information and protection of data.

If the Privacy Shield is ultimately accepted by EU officials, it has the potential to provide much needed protection and certainty both to EU individuals who disclose personal information to US businesses, and for US businesses that transfer this data in the course of their transatlantic activities.

In an international first, the US has given the EU binding assurances that access to data for the purposes of law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms – a welcomed response after the 2013 surveillance revelations by Edward Snowden.

Key elements of the Shield

If the Privacy Shield is adopted by the European Commission, it will impose:

  • Strengthened safeguards and increased enforcement, including significant obligations on US companies handling Europeans’ personal data and robust enforcement. US companies wishing to access and utilise personal data from Europe will now have to commit to obligations as to how the data is processed and individual rights are protected, which must be publicly available and enforceable.
  • Greater transparency and oversight, including monitoring of US companies but also regular assessments of the functioning of the Privacy Shield through mechanisms such as an annual joint review to monitor the functioning of the Privacy Shield.
  • New redress mechanisms where data has been misused. These include an obligation on companies to reply to individual complaints within 45 days, a free alternative dispute resolution system, an Ombudsperson, co-operation between the Data Protection Authority and the US Department of Commerce and Federal Trade Commission, and an arbitration mechanism to ensure decisions concerning misuse of data are enforceable.

EU-US data transfer still possible

While the current landscape remains uncertain as to the ease, cost and scope of transatlantic data flows between the EU and the US, data transfer is still possible through compliance with the EU Data Protection Directive.

There are several ways that data can be transferred under the Directive, including Model Clauses, Binding Corporate Rules, or derogations. The use of Model Clauses can be onerous for companies, raising contractual administration challenges, and the risk of creating a paper tiger, with strong contractual guarantees but a lack of compliance in practice.

The derogations are clearly stipulated in the EU Data Protection Directive, but they are interpreted restrictively, and in the case of consent contain specific requirements that may be difficult to obtain.

The Directive also faces an uncertain future, with a new General Data Protection Regulation expected as a replacement by 2018.

If it is successfully adopted, the Privacy Shield may prove to be the preferred mechanism for companies, as self certification and compliance under the Shield is likely to be more streamlined than entering into numerous contracts containing Model Clauses.

An unsafe Harbor?

Those companies that continue to rely on the Safe Harbor Scheme despite its invalidation should beware – while various interest groups are urging Europe’s data protection authorities to not commence any enforcement actions, there are no guarantees that action will not be taken.

Acceptability of the Privacy Shield

At this stage, there is no clear indication that the Privacy Shield will be accepted by Europe’s data protection authorities or whether it will survive scrutiny of the ECJ. Some commentators have suggested that the Privacy Shield in its current form is not robust enough to protect the transfer of data between the EU and the US, that it fails to provide businesses with the certainty they require to comply with it, and that it contains no legally binding improvements.

The Shield has been described as a promise without weight behind it, as it will require extensive policy change and oversight, and would be impossible in practice.

Vice President Ansip of the European Commission remains a staunch supporter of the Privacy Shield, however, stating that “Now we start turning the EU-U.S. Privacy Shield into reality. Both sides of the Atlantic work to ensure that the personal data of citizens will be fully protected and that we are fit for the opportunities of the digital age. Businesses are the ones that will implement the framework… We will continue our efforts, within the EU and on the global stage, to strengthen confidence in the online world. Trust is a must, it is what will drive our digital future.”

Not surprisingly, technology and cloud service providers are keeping a close watch on the progress of the Privacy Shield, particularly as the ease with which data is transferred is of fundamental importance.

Impact on Australian business

Data transfer from the EU to Australia is already problematic, as Australian privacy legislation is not considered adequate in its protection of personal data. Consequently, contracts have become a primary mechanism through which adequacy is ensured, but this can be onerous for businesses.

The Privacy Shield includes requirements that may impact Australian businesses, with any onward transfer of personal data only to take place for limited and specified purposes, on the basis of a contract, and only if that contract provides the same level of protection as the one guaranteed by the Privacy Shield.

A notable change that Australian businesses should be aware of is that in the case of sensitive data, subjects will have to ‘opt in’ for onward transfers. If compliance problems arise, the organisation acting as the controller of the data will have to prove that it is not responsible for the breach, or face liability.

What’s next for the new Privacy Shield?

The Commission has made public the draft “adequacy decision” and the texts that will constitute the Privacy Shield, which are available here.

The Privacy Shield is still provisional. The next step is for a committee of representatives from the EU Member States to conduct a detailed review. Following this, the European Commission’s College of Commissioners can adopt a final adequacy decision, which will enable data to move from the EU to the US under the Privacy Shield.

For further information, please contact:

Kathryn Speed
M: 0408 446 013

Copyright © 2020 Page Seager. Privacy Statement Privacy Policy