The transfer of data “across the pond” is an issue which has been subject to much comment and interest in recent months. Until October last year, organisations could transfer personal data to the US under the EU-US Safe Harbor scheme which allowed for self-certification as a proof of compliance with European data protection standards.
However, in October 2015 the CJEU found the scheme invalid as it failed to protect EU citizens’ data from mass surveillance by the US government and therefore violated the right to privacy (C-362/14 Schrems v Data Protection Commissioner).
The ruling that Safe Harbor was invalid presented a host of issues for organisations that rely on data transfers for their business. The Commission has therefore been working on and negotiating with the US on a new framework for data transfers to the US known as the Privacy Shield. This should not be confused with the EU-US Umbrella Agreement, which governs data transfers concerning law enforcement.
The negotiation process has not been smooth, and the constantly moving deadline for an agreement is leaving companies in limbo, unsure what they need to do to comply with data transfer rules. Unfortunately for them, it is apparent that uncertainty over the conditions under which it is lawful to transfer personal data from the EU to the US will continue for some time into the summer months. It is hoped that the Commission, together with the case law, will provide the clarity that is needed.
The Schrems judgment came at a time when the Commission was already renegotiating the Safe Harbor scheme with its US counterparts, following its recommendations from 2013. In its opinion following the judgment, the Article 29 Working Party stated that if no new solution was found by the end of January 2016, the national data protection authorities would consider taking appropriate and coordinated enforcement action.
In February 2016, the Commission and the US reached a political agreement on the Privacy Shield. The Privacy Shield places US companies under stronger obligations to protect the personal data of Europeans and provides that the US government will operate more transparently and put in place clear safeguards and limitations on access to personal data by public authorities. The key change is that it will give EU citizens tiered rights of redress: the right to make a direct complaint to the company processing the data, the facility to complain to their national data protection authority, and a final right of redress to a Privacy Shield Panel with the capacity to issue a binding decision.
On 29 February 2016, the Commission published its draft adequacy decision on the Privacy Shield which concluded that the safeguards in the agreement reflect the requirements of EU data protection standards. On 13 April 2016, the Article 29 Working Party (WP29), consisting of heads of data protection authorities in the twenty-eight Member States, issued its opinion on the Commission’s draft adequacy decision on the EU-US Privacy Shield. Whilst the WP29 acknowledged the substantial progress made, especially with regard to more precise definitions, its opinion was mostly negative.
The main concerns and reservations of the WP29 are:
- the provisions are set out in several documents, which makes the relevant information difficult to find;
- there is insufficient reflection of the ‘purpose limitation principle’ and data retention is not expressly mentioned in any of the documents;
- the redress mechanism for EU citizens may be too complicated in practice to be effective;
- the US authorities have not provided adequate details to exclude mass and indiscriminate surveillance.
The European Parliament added to the uncertainty on 26 May when it passed a resolution demanding that the draft framework agreement be renegotiated. Further, the European Data Protection Supervisor recently echoed the concerns of the WP29 and claimed that significant improvements needed to be made, as the Privacy Shield would not be strong enough to withstand legal scrutiny. Whilst the Commission is not bound by these opinions, it is likely to take the concerns into account, since overlooking them could give rise to grounds for a challenge to the new framework.
Of these concerns, the most prominent is the right of access to data by US public authorities. Under current case law, mass surveillance cannot be considered proportionate or strictly necessary in a democratic society. It therefore remains to be seen which further criteria on mass collection and retention of data will be set out by the Court in its forthcoming judgment in Tele2 and Davis-Watson.
While the Commission is not bound by the opinion of the WP29, it will need the approval of the Article 31 Committee to adopt an adequacy decision on the Privacy Shield. Currently it is expected that the Article 31 Committee will hold at least two further meetings before it takes a vote on the Privacy Shield, and work on the revised agreement is underway, as reported extensively by Ars Technica UK.