The mechanisms underpinning the transfers of personal data from the European Union to the United States have been the subject of intense scrutiny and discussion in recent years and particularly in recent months, arising from the following developments:
- 6 October 2015: The Court of Justice of the European Union ("CJEU") in the Schrems case held that Commission Decision 2000/520/EC in respect of Safe Harbor was invalid under European law. Therefore, transfers of personal data from the European Union to the United States pursuant to the "Safe Harbor" mechanism did not ensure an adequate level of protection under EU data protection laws. Consequently, data controllers subject to EU data protection laws were mandated to implement alternative transfer mechanisms for transfers to the US, such as model clauses.
- 16 October 2015: The Article 29 Working Party specified 31 January 2016 as the deadline by which the representatives of the European Union institutions and the United States should agree legal and technical solutions to address the shortcomings identified by the CJEU in Safe Harbor in order to provide stronger assurances for the rights of EU data subjects. The Article 29 Working Party expressed the intention "to take all necessary and appropriate actions, which may include coordinated enforcement actions" in the event that agreement was not reached by the deadline.
- 2 February 2016: The European Commission announced that it had agreed with the US a new framework for data transfers from the EU to the US: the EU-US Privacy Shield, designed to resolve the concerns raised in the CJEU's ruling.
- 3 February 2016: The Article 29 Working Party announces that the new framework will be assessed by it by reference to the requirements of the CJEU in the Schrems judgment.
- Self-Certification: Like Safe Harbor, the EU-US Privacy Shield is a self-certification mechanism. A US organisation can join the EU-US Privacy Shield if it publishes its commitments on accepting "robust obligations" on how personal data is processed by it and how individuals' rights are protected. Any processing of employment personal data will be subject to an obligation to comply with decisions by European data protection regulators.
- Monitoring: Compliance with the EU–US Privacy Shield will be subject to monitoring and review by the US Department of Commerce, with sanctions applied by the US Federal Trade Commission for any failures to comply.
- Law Enforcement Access: Mass surveillance of personal data by US law enforcement and national security has been ruled out by the US authorities. Any access to personal data by such authorities will be subject to limitations, safeguards and oversight mechanisms and subject to the principles of necessity and proportionality.
- Rights of Redress: Individuals have rights of redress and any complaints issued by an individual to a certified organisation must be addressed free of charge within a specific timeframe. The complaint may be escalated by the individual for consideration by a European data protection regulator (which may involve the US Department of Commerce and Federal Trade Commission to aid in its resolution). US legislation will be passed to provide European citizens with the same rights of redress as US citizens with respect to unlawful access of their personal data by US public bodies. An independent ombudsman will deal with complaints concerning processing by national intelligence authorities.
- Annual Review: The European Commission and US Department of Commerce will conduct a joint annual review of the functioning of the EU-US Privacy Shield.
The European Commission expects that the arrangements to implement the new framework will be finalised by the EU and US authorities over the next three months. The Article 29 Working Party expects to issue its report on the proposed framework by the end of April. This opinion will also consider the validity of other transfer mechanisms, such as model clauses and binding corporate rules and therefore could be wide ranging in its scope.
If the Article 29 Working Party approves the new mechanism, the European Commission will adopt a decision that confirms that any processing of personal data in the US by organisations that are certified under EU - US Privacy Shield, once finalised and implemented, shall be deemed to be in accordance with European data protection law. It is hoped that this can be achieved in May 2016.
FURTHER CHALLENGES ON THE HORIZON?
It is difficult to assess at this stage whether any replacement or future mechanisms for data transfers will continue to be fraught with legal challenges. Once the Article 29 Working Party has issued its opinion in April/early May 2016, the position on the adequacy of these arrangements will be clearer. As model clauses are also based upon Commission Decisions, it is possible that the CJEU may also be requested to consider the validity of those decisions. However, if any such challenge is referred to the CJEU for consideration, it will take some time for a decision to issue. Therefore, data controllers should continue to rely on model clauses in the absence of an alternative legislative basis for data transfers and especially until such time as the EU-US Privacy Shield has been implemented and approved as an adequate transfer mechanism.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.