Who: Information Commissioner’s Office, Article 29 Working Party, EU College of Commissioners, the US Senate, US Department of Commerce and Federal Trade Commission
Where: Brussels, Washington DC and London
When: February 2016
Law stated as at: 16 February 2016
After more than three months of discussions, EU and UK authorities have announced “political agreement” on “EU-US Privacy Shield”, a replacement for the discredited “Safe Harbor” platform for compliant EU-US personal data transfers.
The full text of the new framework has not yet been finalised and once it is, it will need an “adequacy decision” by the EU College of Commissioners before it can be taken seriously. The Article 29 Working Party will also want to have its say. By all accounts, key elements of the new regime include the following:
1. More robust obligations on US organisations importing personal data from the EU (“US Importers”);
2. Ongoing monitoring of US Importers by the US Department of Commerce, with more proactive policing of non-compliance, backed by more stringent penalties;
3. “Binding assurances” from the US that US public authorities’ access to Europeans’ personal data for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, with an annual joint review of how the new arrangements are working; and
4. EU citizens who consider that their data has been misused will benefit from “several accessible and affordable” dispute resolution mechanisms. Complaints that are not resolved by direct interaction between data subject and data controller can be escalated to national data protection authorities, which will work with the FTC to ensure resolution of complaints within a reasonable time, with an arbitration mechanism available as a last resort.
All this will in all likelihood be augmented by further rights for EU citizens to challenge in the US Courts the processing of their data in the US for law enforcement purposes. These are due to be created by the US Judicial Redress Act. At the time of writing this was awaiting Presidential sign-off.
Why this matters:
It is hoped that the final stages on the way to formal adoption of EU-US Privacy Shield can be completed by mid-April 2016. To facilitate that stretching timetable, the Article 29 Working Party has called for the full Privacy Shield details to be made available for scrutiny by the end of February 2016.
Wrinkles already appearing
There are already wrinkles appearing. For instance, the final language of the Judicial Redress Act imposes two preconditions on non-US citizens being able to sue in the US courts over US enforcement authority data breaches.
These are (1) that the non-US citizen’s country of residence must allow commercial transfers of personal data with the US and (2) that that country must not impede the national security interests of the US.
Whatever the small print of the new framework looks like, after the Schrems debacle there has to be a significant risk of legal challenges by privacy campaigners. Osborne Clarke partner Ulrich Baumgartner, a leading European data protection expert based in its Munich office, has been quoted as saying that such challenges are all but inevitable.
These will take time to work their way through the EU judicial system, however, and in the meantime the impetus behind installing a viable “Safe Harbor 2.0” now seems unstoppable.
Are UK businesses still relying on “Safe Harbor 1.0” at risk?
In this situation, are UK businesses still at material risk if they used to rely on “Safe Harbor 1.0” to legitimise their personal data transfers to the US and have still not put in place alternative mechanisms such as transfer agreements using the EC approved “standard contractual clauses”?
The ICO says that they “will be guided by the risk posed to individuals and steps that can be reasonably expected of data controllers.” They go on: “we will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome.”
Soothing words maybe, but given the time that has now elapsed since the Schrems decision, and the distinct possibility that scrutiny of Privacy Shield will over-run and lead to slippage in the timetable, a “do nothing” strategy is plainly not advisable for any UK data controllers using “Safe Harbor 1.0” who have still not taken action.