12th February 2016
The EU and US have finally agreed on a new data protection framework for the transfer of personal data from Europe to the US known as the EU-US Privacy Shield – but what does this really mean for UK businesses?
Following Edward Snowden’s revelations about the extent of the US National Security Agency’s mass surveillance operations, an Austrian law student named Max Schrems alleged that Facebook Ireland was forwarding data to the NSA, via its California headquarters. The claims ended up before the Court of Justice of the European Union which ruled on 6 October 2015 that the Safe Harbor exemption was invalid.
As approximately 4,500 US companies were certified as complying with the Safe Harbor provisions, this has significant implications for UK businesses.
It was announced on 2 February that the EU and the US had reached an agreement on the new framework which will include greater transparency around US government surveillance, redress for EU citizens and the ability to refer complaints to a US ombudsman.
The EU Commission expects the Privacy Shield to come into force in three months’ time. However, there is no guarantee that it will ever actually be adopted.
The full terms of the agreement are not due to be delivered to the Article 29 Working Party (the Working Party), which is composed of representatives of the national data protection authorities in the EU member states, until the end of February. The Working Party will then hold an extraordinary meeting to discuss the new scheme and to decide whether it provides adequate protection. Its opinion is expected to be delivered in April.
The relevant US authorities will also need to formally adopt the scheme.
Firstly, businesses need to understand:
Once businesses have identified which third parties are relying on the Safe Harbor exemption, they need to review the relevant contracts – do they deal with the current situation of Safe Harbor being declared invalid? If not, then they need to consider discussing the issue and potential solutions with those suppliers.
Businesses that process data on behalf of others will also need to check that they are not in breach of their contracts and consider opening discussions with their affected customers.
In the meantime, the following options are available to affected businesses:
After Safe Harbor was declared invalid, the Working Party issued a statement saying that it would allow organisations a 3 month grace period to put alternative data transfer mechanisms in place before any enforcement action was taken by local data protection authorities. This grace period ended on 31 January 2016.
Even though the Privacy Shield has now been agreed in principle between the EU and the US, the Working Party has stated that local data protection regulators may not wait for the details of the new framework to be published before determining whether it adequately replaces Safe Harbor, and that they may begin to take enforcement action in respect of "related cases and complaints on a case-by-case basis".
To date, the Information Commissioner's Office (the ICO) has encouraged organisations to review their data transfers to the US, but it has given no indication as to whether it intends to take any enforcement action or how harshly it will deal with any non-compliance. However, as the ICO can issue fines of up to £500,000 for breaches of the Data Protection Act 1998 (the DPA), organisations can ill afford to take a "wait and see" approach.
The Regulatory and Compliance team have considerable experience helping businesses understand and comply with their data protection obligations. If you have any questions relating to the Privacy Shield or data protection generally, please contact Jeanette Burgess, Andrew Northage or another member of the team.