The new deal on personal data: Part 2

There has been a mixed response to Privacy Shield – a new mechanism for safeguarding the privacy of personal data transferred from the EU to the United States. Rhys Williams of Taylor Vinters explains.


On 29 February 2016 the EU Commission announced details of the Privacy Shield. Things do sometimes get done quickly in Europe – the new framework was first announced less than a month ago (as previously covered here).

US Secretary of Commerce Penny Pritzker described the agreement as “strong” and “historic”, “a tremendous victory for privacy, individuals and businesses on both sides of the Atlantic.”  

Max Schrems, the Austrian student responsible for the demise of Privacy Shield predecessor Safe Harbor, said it was “ten layers of lipstick on a pig” and tweeted an unflattering picture to that effect. He concedes that Privacy Shield contains “a large number of new improvements”, but argues that it “does not address the core concerns and fundamental flaws of US surveillance law and the lack of privacy protections.”

Background

Following Edward Snowden’s revelations about the US intelligence services, Schrems lodged a complaint with the Irish Data Protection Authority, arguing that the personal data he provided to Facebook was inadequately protected from US government surveillance. The European Court of Justice ruled in his favour, invalidating the old Safe Harbor framework. A new deal was required to restore legal certainty for the 4000+ companies with a stake in the $260bn transatlantic digital services trade.

Privacy Shield

Enter Privacy Shield. It differs from the old Safe Harbor framework in several important ways:

  • Companies must provide more detailed ‘information notices’ to EU consumers (including details about who can access their data).
  • Complaints made to companies are to be resolved within 45 days.
  • European citizens will have access to a free independent dispute resolution service, which will be able to take binding and enforceable decisions against Privacy Shield-compliant companies.
  • Companies that handle human resources data from Europe must comply with decisions from European Data Protection Authorities (DPAs).
  • There will be stricter rules about transferring personal data on to third parties. Organisations that sign up to Privacy Shield in the first two months will have up to 9 months to transition to the new standards for onward data transfer.
  • Privacy Shield will be reviewed annually by the EU Commission and the US Department of Commerce.
  • An independent Ombudsman has been established in the Department of State, giving European citizens an avenue to seek redress in the area of national intelligence. The Ombudsman will follow up complaints and enquiries, determining whether the intelligence services have complied with all relevant laws.

Privacy Shield will not be operational until mid-April 2016 at the earliest. It must first be reviewed by Member States and a working group of representatives from Europe’s DPAs. After this, the EU Commission will have to draft a decision as to whether the Shield ensures adequate protection for EU citizens’ personal data.

The Future of the Shield

Privacy Shield may pass muster with the EU Commission, but the legal uncertainty will not end there. The likes of Schrems can be expected to challenge the new deal through the courts.

Given this uncertainty, companies would do well to make contingency plans to ensure continued compliance with EU privacy laws. There are a number of ways to ensure that personal data transfers are adequately protected:

  • Explicit and informed consent of the data subject to the transfer. For any corporation of any size, this is administratively and practically very difficult, if not impossible.
  • Binding corporate rules (BCRs) for intragroup transfers. BCRs need to be approved by each relevant national regulatory authority, and this is a lengthy process (sometimes years).
  • Contracts between the exporting and receiving entities. The European Commission has produced so-called ‘Model Clauses’ that can be incorporated into agreements to contractually ensure adequate protection of the transferred personal data. These can be implemented relatively quickly but may in some circumstances cause administrative burdens.
  • In the UK, companies may be able to make their own adequacy determinations under guidance issued by the UK’s Information Commissioner’s Office. However, this option is not available in many EU countries.

Companies that have been looking at going down the Model Clauses route would be well advised to continue to do so.

If you have any questions, please call Rhys Williams on +44 (0)1223 225284 or email [email protected].
