Here we are again, only a few months after the Schrems data protection case that led to the invalidation of the well-known Safe Harbor scheme. We now have a new and fancy EU-US Privacy Shield for the safe transatlantic transfer of personal data.
Just two days after the deadline (31 January 2016) that the Article 29 Working Party (WP29) had set for a replacement to be found, a substitute for the unlawful Safe Harbor scheme was brought to WP29's, and the world's, attention.
The announcement of this 'Shield' inevitably raises questions. In this post I'll be raising, and attempting to answer, the following:
How sufficient is the Shield?
Does it do the job it is meant to?
Is the transfer safe now?
It would be fantastic if all these boxes could be ticked right away, but unavoidably there is some work to be done before the green light can be given.
The new Shield is designed to comply with EU regulations and it is meant to impose:
Binding US assurances, backed by an annual joint review mechanism, that US law enforcement and national security access to personal data will be necessary and proportionate, subject to clear limitations, safeguards and oversight mechanisms, and not indiscriminate mass surveillance
Stronger data processing obligations on companies wishing to import personal data from Europe, with those commitments enforceable under US law by the US Federal Trade Commission (FTC)
Enhanced redress opportunities for EU citizens who consider that their data has been misused, including alternative dispute resolution, deadlines imposed on companies to address complaints, referral of complaints to the US Department of Commerce and the FTC by European data protection authorities, and the creation of a new Ombudsperson
Security of HR Data
The Commission has also indicated that US companies handling HR data from Europe will specifically be obliged to comply with the decisions of European data protection authorities. It remains to be seen what powers the European data protection authorities will actually have over such US companies.
Once it has received all the documents relating to the Privacy Shield from the European Commission, WP29 will evaluate them in light of European case law on the basis of four guarantees, as follows:
1. Processing should be based on clear, precise and accessible rules: anyone who is reasonably informed should be able to foresee what might happen to his or her data once it is transferred.
2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and processed (generally national security) and the rights of the individual.
3. An independent oversight mechanism should exist that is both effective and impartial.
4. Effective remedies need to be available to individuals.
The new Shield is still under construction, so you may rightly be asking what to do until WP29 reaches a firmer position. The answer is to keep doing what you were doing. Use the Model Contracts (the EU standard contractual clauses), make sure that you have at least a minimum agreement in place with your clients, or use Binding Corporate Rules, something the Working Party is considering in relation to the Shield. Businesses transferring data across the Atlantic are no doubt eagerly awaiting the outcome of this process, which could take until mid to late April 2016; until then they should remain rigorous.
It sounds great in theory, but how realistic is it that the 'Shield' will succeed?
Whilst the new Shield is a step in the right direction, it leaves me with mixed feelings. On one hand I can see the desire of the Working Party and the governments involved to create and enforce something that can once and for all solve a huge problem in the transatlantic transfer of data and its protection.
It is, however, somewhat idealistic. The reformist nature of the proposed 'Shield' is a romantic notion. To have a solution right now would be fantastic, but it would be naive of us to accept that we are there yet. Such an intricate and all-encompassing solution would realistically take the working groups more than just a few months to achieve; they would need at least a year to address all the issues, and perhaps more to orchestrate a solution that addresses them all.
When you consider how nascent digital and programmatic technologies are in the context of the laws that apply to them, it is obvious that more security issues will continue to arise. As technology in this space develops, and as those who threaten security find more sophisticated ways to render current data protection methods moot, governments and working parties need to be realistic and proactive in constantly identifying, updating and innovating security for the exchange of data.
Seeing the adoption and implementation of the new Shield will be a huge challenge. It is also important to remember that the agreement will require implementation in the US, which may be more difficult in an election year. Given the difference in attitudes towards privacy in the US compared with those in the EU, it remains to be seen whether the US will actually change its domestic legal regime to provide for the framework. The US government may instead be planning to provide the framework through political commitments. Privacy campaigners in Europe have already said that this agreement is not likely to stand up to scrutiny by the CJEU.
Whatever happens, it will be an interesting one to follow, and I definitely will.