In the landmark decision of Maximillian Schrems vs. Data Protection Commissioner on 6 October 2015, the European Court of Justice (ECJ) invalidated the Safe Harbour programme, under which US companies storing EU customer data could self-certify that they complied with EU data protection standards.
Maximillian Schrems had complained to the Irish Data Protection Commissioner that the Safe Harbour programme failed to adequately protect personal data after its transfer to the US, in light of Edward Snowden’s revelations that the US security services were collecting and using the personal data of EU citizens on a large scale. When the Commissioner refused to investigate, Schrems challenged that refusal in the Irish courts, which referred the matter to the ECJ.
The ECJ ruled that the European Commission’s decision approving the Safe Harbour programme was invalid. Further, it ruled that EU data protection authorities can investigate complaints about the transfer of personal data outside Europe and, where necessary, suspend such data transfers until those investigations are satisfactorily completed.
Since then, the European Commission and US authorities have been negotiating a replacement for, or improvement of, Safe Harbour.
On 2 February 2016, the European Commission announced a proposed new EU-US Privacy Shield to allow EU to US personal data transfers.
The European Commission has emphasised significant differences between the invalidated Safe Harbour programme and the EU-US Privacy Shield, although the text of the arrangement has not yet been released.
In announcing the new EU-US Privacy Shield, Commissioner Vera Jourova said: “The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms.
“Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the [United States] has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”
According to the Commission’s announcement, the new arrangement rests on the following four elements.
1. US assurance on no mass surveillance
2. Strong obligations on companies handling EU citizens' personal data and robust enforcement of rights
US organisations wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and the guarantee of individual rights.
It is unclear whether this will again be a self-certification mechanism; self-certification under the Safe Harbour programme was criticised as too lax and inadequately verified.
Participating companies will have to publish their commitments, which makes those commitments enforceable under US law by the US Federal Trade Commission. The US Department of Commerce will monitor whether companies honour them.
In addition, any organisation that handles human resources data from Europe must commit to complying with decisions by European data protection authorities.
The new Judicial Redress Act will allow EU citizens to bring civil claims in US courts, to the same extent as US citizens, if a US agency has unlawfully breached their data protection rights.
3. Clear safeguards and transparency obligations regarding US government access
For the first time, the US has given the EU written assurances that the access by public authorities for law enforcement and national security reasons will be subject to clear limitations, safeguards, and oversight mechanisms.
Such access must be limited to what is necessary and proportionate for those purposes. To monitor the operation of the EU-US Privacy Shield, there will be an annual joint review.
The European Commission and the US Department of Commerce will conduct the review, inviting national intelligence experts from the United States and European data protection authorities to take part.
4. Effective protection of EU citizens' rights with several rights of redress
Any citizen who considers that their personal data has been misused under the new arrangement will have several avenues of redress.
Companies will be subject to deadlines for replying to complaints. European data protection authorities will be able to refer complaints to the US Department of Commerce and the US Federal Trade Commission.
In addition, Alternative Dispute Resolution (ADR) will be free of charge, and a new Ombudsperson role will be created to hear complaints about possible access to personal data by US national intelligence authorities.
Before any data transfers can take place under the new EU-US Privacy Shield, the European Commission has to adopt a formal adequacy decision.
This cannot happen until the European Commission has taken advice from the Article 29 Working Party (the influential body of European data protection authorities). Some members of the Article 29 Working Party are thought to be sceptical of any data transfers from Europe to the United States, so it may take some time before the EU-US Privacy Shield is in force. The Article 31 Committee of member state representatives will then need to approve the decision.
In the meantime, it will still be necessary to legitimise EU-US data flows through alternative means such as the Commission’s model clauses (standard contractual clauses), which currently remain valid despite some recent challenges before national data protection authorities.
Transatlantic commerce demands that data is able to flow freely and efficiently between Europe and the United States. Accordingly, the new EU-US Privacy Shield is to be welcomed in recognising this economic reality and in ensuring that appropriate safeguards are implemented to protect the fundamental rights of EU citizens.
While this is an important step forward, EU and US companies should remain cautious: obstacles to the decision being finally adopted still lie ahead.
Commenting critically on the new proposal, Jan Phillip Albrecht (a member of the European Parliament) has already called the EU-US Privacy Shield a “sellout of the fundamental EU rights to data protection” and has suggested that it might be invalidated by the ECJ in the future.
Given that the Schrems ruling confirmed the national data protection authorities’ power to investigate data transfers and, where necessary, suspend them, there remains a real risk of a challenge by an EU citizen or a data protection authority even after the Privacy Shield is adopted.