Safe Harbour will be replaced by an EU/US Privacy Shield - will it withstand Article 29 Working Party scrutiny?
Following the CJEU decision in the Schrems Case on 6 October 2015 invalidating the Safe Harbour regime, the Article 29 Working Party (the group comprised of representatives of European national data protection authorities (Article 29WP)) gave the EU and US a three month timeline in which to agree a political solution to replace Safe Harbour. Following intense negotiations, political agreement on the core elements of a new EU/US Privacy Shield was announced on 2 February 2016.
EU and US negotiators may have let out a collective sigh at having reached an agreement (their three month deadline expired on January 31) but the path is not yet clear for transfers - the detail of the shield has to be worked out over the coming weeks and the Article 29WP stands ready to analyse that detail.
The European Commission's press release noted that the EU/US Privacy Shield will include:
- stronger data processing obligations on companies wishing to import personal data from Europe with enforceability of commitments under US law by the US Federal Trade Commission (FTC);
- binding US assurances, with an annual joint review mechanism, that US law enforcement and national security access to personal data will be proportionate and necessary, subject to clear limitations, safeguards and oversight mechanisms and not indiscriminate mass surveillance; and
- enhanced redress opportunities for EU citizens who consider that their data has been misused including Alternative Dispute Resolution, deadlines imposed on companies to address complaints, referral of complaints to the US Department of Commerce and FTC by European data protection authorities and the creation of a new Ombudsperson.
HR Data: Companies in the US handling HR data from Europe have been called out for special attention and will specifically be obliged to comply with decisions of European data protection authorities. It remains to be seen what powers the European data protection authorities will have over such US companies.
Article 29WP Review: The Article 29WP has again put a timeline on political deliberations and on 3 February 2016 called for copies of the relevant detailed documents to be provided by the end of February. Once the Article 29WP receives the documents, it will analyse the new shield including the extent to which it will provide legal certainty for other transfer tools (such as Standard Contractual Clauses and Binding Corporate Rules).
Transfers in the Short Term: Until the detail of the EU/US Privacy Shield is available and the Article 29WP has completed its assessment of the new shield, it has indicated that:
- complaints related to the invalidated Safe Harbour decision will be dealt with on a case-by-case basis; and
- transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules, may be used to transfer data to the US.
Business transferring data across the Atlantic no doubt are eagerly awaiting the outcome of this process which could take until mid to late April 2016.
For more information please contact Claire Morrissey at email@example.com
This article first appeared on A&L Goodbody's International Blog on 3 February 2016.