Almost four months to the day that the Court of Justice of the EU issued its decision in the Max Schrems “Facebook” Case, which ruled the US “Safe Harbor” scheme (relating to transatlantic data transfer) invalid, the EU Commissioner for Justice, Věra Jourová, has this week announced that there is now political agreement on the future of such data transfer and this will be known as “the EU-US Privacy Shield”.
The text of the Privacy Shield has not been made available yet but it is expected before the end of this financial year.
The Commission has put out a press release (also available as a pdf) in which it sets out the following key elements of the Privacy Shield:
“Strong obligations on companies handling Europeans' personal data and robust enforcement” – companies within the US seeking to import relevant data from the EU will need to commit to “robust [processing] obligations”. The US Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission;
“Clear safeguards and transparency obligations on U.S. government access” – the US has provided the EU with written assurances that the access to personal data of public authorities shall be “subject to clear limitations, safeguards and oversight mechanisms”. There will be a proportionality test upon these exceptions – i.e. only to the extent required in the circumstances. There will be a joint review undertaken annually conducted by the Commission and the U.S. Department of Commerce; and
“Effective protection of EU citizens' rights with several redress possibilities” – EU citizens considering their data may have been misused will have “several redress possibilities”. European data protection authorities may refer complaints to the Department of Commerce and the Federal Trade Commission. Alternative Dispute resolution will be free of charge and a new Ombusdsman will be put into place relating to “complaints on possible access by national intelligence authorities”.
What does this mean for businesses?
The Model Clauses for the transfer of personal data to third countries and Binding Corporate Rules will continue to be accepted by the relevant data protection authorities throughout this financial year as well; however, enterprises continuing to rely on Safe Harbour are liable to face enforcement action going forward and are strongly advised to act now and not wait for the Privacy Shield to be put into place.
The Working Party set up in relation to the Privacy Shield expects to be able to provide legal certainty for businesses in April 2016 and we will continue to update you as this progresses.
However, the political agreement is not without criticism from MEPs and Max Schrems himself - and legal challenges to the decision may well follow: watch this space.