US Data Privacy Shield gets the go-ahead
On 12 July 2016 the EU formally approved the Privacy Shield as a mechanism for transferring personal data between the UK (and other EU countries) and the US, and US companies can start certifying their compliance from 1 August 2016.
Data Protection laws in the UK and the rest of the EU provide that personal data can only be transferred to a country outside of the European Economic Area (EEA) if that country ensures “adequate protection” for that personal data (or the transferor must ensure there are adequate safeguards). Some countries, such as Switzerland and New Zealand, have been formally recognised by the EU as ensuring adequate protection because they have data protection rules similar to those in the EU. The US however does not have laws which offer the requisite protection. So in order to allow data transfers to flow between the US and the EU a “Safe Harbour” scheme was set up, whereby US companies could certify that they had a number of safeguards in place, and that certification was deemed sufficient to meet the adequacy test so that data transfers could take place. However, the ECJ ruled last year (in the Schrems case) that the Safe Harbour framework did not give adequate protection and was invalid. Ever since then, there has been considerable uncertainty over the status of personal data transfers to the US from within the EU.
Following the Schrems decision, many UK businesses have been relying on including EU-approved standard “Model Clauses” in data transfer agreements with US companies whilst the EU negotiated a framework (the Privacy Shield) to replace Safe Harbour. However, the Model Clauses themselves may be the subject of future challenge as concerns have been raised that their protection is not adequate either.
The recently agreed Privacy Shield is intended to be just such a replacement: a new scheme which will meet the EU’s data protection rules. Under the Privacy Shield (as with Safe Harbour), US organisations must self-certify their compliance with higher standards of data protection (equivalent to those under EU law) and submit to the authority of certain US government institutions (including the FTC) which can regulate and enforce those standards.
The key difference between the new Privacy Shield and the old Safe Harbour, which the EU and US hope will ensure that Privacy Shield is not invalidated by the ECJ, is the level of protection afforded to that personal data. The Privacy Shield involves greater assurances from the US regarding public authorities’ access to data (including for national security), greater rights for data subjects (including access to a dispute resolution panel), and provision for an annual joint review to help ensure compliance.
With these greater protections and practical measures, the hope was that the Privacy Shield would be rendered “Schrems-proof”. Reactions have been mixed however, and whilst the Privacy Shield should be ready for action later this year, it remains to be seen how long it will last as a safe mechanism for data transfers. The arrangement will be up for review in a year’s time, and the impending arrival of the General Data Protection Regulation, with its even higher standards (which the Privacy Shield does not fully meet), may mean the legality of this arrangement is short-lived. There is also the unknown potential effect of Brexit to add to the mix.
With Safe Harbour invalidated, the Privacy Shield untested, and the model clauses subject to challenge, consideration should be given to all the options, including moving the relevant data centre into the EU if possible. For British businesses involved in transferring personal data to the US, the position remains frustrating.