On 6 October 2015, the Court of Justice of the European Union (“CJEU”) delivered its judgment in C-362/14 Maximilian Schrems v Data Protection Commissioner invalidating the U.S.-EU Safe Harbor decision. On 29 February 2015, the European Commission formally presented the draft for Safe Harbor’s successor: The EU-U.S. Privacy Shield.
These FAQs provide an overview of the implications of the Court’s decision. They also offer some guidance to companies about what to do in the wake of the judgment, and updates on the latest developments relating to Privacy Shield, the Safe Harbor successor.
As the United States (“U.S.”) and the EU take different approaches towards data protection rules, the European Commission – in consultation with the U.S. Department of Commerce – developed the Safe Harbor principles. In July 2000, the European Commission adopted the Safe Harbor decision (Decision 2000/520/EC), which declared that the Safe Harbor principles provided an adequate level of personal data protection. The decision allowed the transfer of personal data from the EU to U.S. companies that participated in the Safe Harbor self-certification scheme.
Additionally, the CJEU considered the European Commission’s Safe Harbor decision and found that the Commission had not – as is required by the Data Protection Directive – established that the U.S. provides an adequate level of protection of personal data “by virtue of its domestic law and international obligations”, i.e. a “level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.”
In this context the Court recalled that, in the EU, interference with the fundamental right to respect for private life is only permissible where it is strictly necessary, and it explicitly provided examples of legislation that is not in line with the EU legal order: generalized retention of personal data; generalized surveillance of the content of communications; lack of judicial recourse for individuals to access, rectify or erase personal data relating to them.
The CJEU further found that the Safe Harbor framework unlawfully limited the power of national data protection authorities to investigate claims by individuals concerning the adequacy of third countries.
For more detailed information please consult the European Commission’s communication on transfers of personal data from the EU to the U.S. following the Schrems judgment. Additionally, companies should consult the data protection authorities in their relevant markets, as requirements for the lawful transfer of data to the U.S. may vary across countries.
However, the Article 29 Working Party (“WP29”) has indicated reservations about alternative transfer mechanisms, such as binding corporate rules (“BCRs”), for transfers of personal data from the EU to the U.S., on the basis that some of the CJEU’s considerations concerned fundamental rights, which could also apply to alternative transfer mechanisms. While the WP29 was unambiguous about the unlawfulness of continued transfers based on the invalidated Safe Harbor decision, it announced that it considers transfers under BCRs and Standard Contractual Clauses valid for the moment.
The WP29 originally threatened potential enforcement against transfers based on alternative transfer mechanisms after the end of January 2016 unless U.S. and EU negotiators could solve outstanding issues. This grace period has been extended to allow the WP29 time to analyze the successor to Safe Harbor, which was announced on 2 February 2016 (see below).
In any case, companies should consult with the data protection authorities in their respective markets, as different member states may take a view different from that of the WP29.
Companies should bear in mind that Privacy Shield is in a draft stage and cannot serve as a legal basis for transferring personal data from the EU to the U.S. until formally approved.
The Article 29 Working Party, which consists of all 28 EU data protection authorities, issued an opinion on the draft adequacy decision on 13 April 2016. In its statement the group says that it welcomes the significant improvements that Privacy Shield offers over Safe Harbor, but also that it is not convinced that Privacy Shield’s improvements are enough, because key elements of EU data protection are missing or substituted by inadequate alternative notions.
While the Article 29 Working Party’s opinion is not binding, the European Commission and EU member states have an interest in considering it carefully, as under the Schrems judgment national data protection authorities are given greater powers to take cases on adequacy decisions to court.
On 26 May 2016 the European Parliament adopted a joint motion for a resolution on transatlantic data flows. While not binding, the resolution sends a strong message, citing that the Parliament feels that the current Privacy Shield would allow surveillance that does not comply with the EU’s Charter of Fundamental Rights.
Meanwhile, the Article 31 Committee (composed of experts from the Member States) has set 20 June as the date for a vote on the Privacy Shield. In its meetings in May, no vote was taken, as the Committee only received an update on the negotiations with the U.S. counterparts; a final text was thus not available yet. The Article 31 Committee’s vote on the agreement is binding – a positive vote will mean the Commission can go ahead and adopt the adequacy decision, whereas a negative vote will stop the process.
The Article 31 Committee has approved the Privacy Shield deal, after the Commission renegotiated the deal with its U.S. counterparts. This was a binding vote and the final formal step for the approval of the deal, meaning that the European Commission will likely adopt the adequacy decision on Monday, 11 July.
If confirmed, Privacy Shield would create a system of self-certification by which organizations commit to comply with a set of “Privacy Principles.” These principles would include more robust obligations on how personal data may be processed and individual rights guaranteed, as well as stricter liability provisions.
Privacy Shield would be administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission and the U.S. Department of Transportation. The U.S. Department of Commerce has committed to “regular and rigorous” monitoring of companies’ compliance with Privacy Shield. Companies that fail to comply would face “severe sanctions” under U.S. law.
In addition, under the Privacy Shield package, the U.S. Department of Justice and the Office of the Director of National Intelligence have provided the EU with assurances that access by public authorities for law enforcement, national security and other public interest purposes would be subject to clear limitations, safeguards and oversight mechanisms. To this end the U.S. will create the office of an ombudsperson tasked with following up on complaints and inquiries by EU individuals into national security access by U.S. authorities to commercial data transferred to the U.S. under any legal basis.
EU individuals would also be provided with further enhanced redress possibilities, including cost-free alternative dispute resolution. Companies would also need to commit to replying to complaints within a fixed deadline. European data protection authorities would be able to bring claims before U.S. authorities in order to facilitate investigations. In addition, as a last resort, individuals would have access to a dispute resolution mechanism that can take binding and enforceable decisions against U.S. Privacy Shield companies: the Privacy Shield Panel. EU data protection authorities would be able to assist individuals in preparing their arbitration case before the Privacy Shield Panel.
Lastly, Privacy Shield would be subject to an annual joint review carried out by the European Commission and U.S. Department of Commerce to regularly monitor the functioning of all aspects of Privacy Shield, including the limitations and safeguards relating to national security access. This review would include European data protection authorities and U.S. national security authorities. Should U.S. companies and public authorities be found not to comply with their commitments, the European Commission could suspend Privacy Shield.
As part of the renegotiations, the U.S. has provided an additional letter of assurance about the bulk collection of data by its national security intelligence services. Issues of data retention and the office of the Ombudsperson were also further clarified. Judging by the positive vote of the Article 31 Committee, these changes have had the desired effect of gaining the approval of the Committee, which had previously stated that the adequacy decision required more clarifications before it was ready to vote. However, neither the Article 29 Working Party, the EDPS, nor the European Parliament has commented on whether the renegotiated deal has alleviated their concerns.