24th February 2016
The EU and US have finally agreed on a new data protection framework for the transfer of personal data from Europe to the US known as the EU-US Privacy Shield – but what does this really mean for US businesses?
Following Edward Snowden’s revelations about the extent of the US National Security Agency’s mass surveillance operations, an Austrian law student named Max Schrems alleged that Facebook Ireland was forwarding data to the NSA, via its California headquarters. The claims ended up before the Court of Justice of the European Union which ruled on 6 October 2015 that the Safe Harbor exemption was invalid.
As approximately 4,500 US companies are currently certified as complying with the Safe Harbor provisions, this has significant implications for both EU (including UK) and US businesses.
Companies that have signed up to the Safe Harbor principles are required to adhere to a specific set of standards that are broadly similar to the principles set out in the UK’s Data Protection Act 1998 (DPA). Prior to the Schrems ruling in October, these were considered to offer “adequate protection”, which meant that US organisations signed up to and compliant with the Safe Harbor were automatically authorised to accept data transfers from the EU, and UK companies were able to transfer data to these US companies without breaching the DPA.
It was announced on 2 February that the EU and the US had reached an agreement on the new framework which will include greater transparency around US government surveillance, redress for EU citizens and the ability to refer complaints to a US ombudsman.
The EU Commission expects the Privacy Shield to come into force in three months’ time. However, there is no guarantee that it will ever actually be adopted.
The full terms of the agreement are not due to be delivered to the Article 29 Working Party (the Working Party), which is composed of representatives of the national data protection authorities in the EU member states, until the end of February. The Working Party will then hold an extraordinary meeting to discuss the new scheme and to decide whether it provides adequate protection. Its opinion is expected to be delivered in April.
The relevant US authorities will also need to formally adopt the scheme.
UK businesses are being advised to review their arrangements so that they can identify:
Once businesses have identified which third parties are relying on the Safe Harbor exemption, the advice is to discuss the issue and potential solutions with those third parties.
In the meantime, UK businesses are being informed that the following options are available to them:
After Safe Harbor was declared invalid, the Working Party issued a statement saying that it would allow organisations a 3-month grace period to put alternative data transfer mechanisms in place before any enforcement action was taken by local data protection authorities. This grace period ended on 31 January 2016.
Even though the Privacy Shield has now been agreed in principle between the EU and the US, the Working Party has stated that as it has not yet seen the details of the Privacy Shield, it is not in a position to confirm whether it adequately replaces Safe Harbor. In the meantime, local regulators may begin to take enforcement action in respect of “related cases and complaints on a case-by-case basis”. In fact, the French data protection authority has already issued a notice to Facebook ordering it to comply with the French data protection legislation (including ceasing to transfer data to the US under Safe Harbor) within 3 months.
The Information Commissioner’s Office (the ICO) has encouraged UK organisations to review their data transfers to the US, “so that they are in a good position to act, should they need to”. It has also now confirmed that it will consider complaints but it will “not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome”. However, as the ICO can issue fines of up to £500,000 for breaches of the DPA, UK organisations cannot afford to simply do nothing.
Firstly, US businesses should identify what data they receive or collect from the UK and other EU countries. This includes data which is:
Secondly, US businesses need to understand the basis on which they are receiving or collecting that data, i.e. whether it is being transferred to the US in accordance with the DPA. If the data is being transferred in accordance with either the model clauses (issued by the EU Commission) or binding corporate rules, these will continue to be valid for the time being, and so currently no further action is required.
If the data is currently being transferred either pursuant to the Safe Harbor exemption or without any of these safeguards, then there is a potential breach of the DPA. In this situation, the organisations involved in the transfer will need to consider the alternative options for dealing with the data which are set out above.
Going forward, US businesses should have a clear policy governing how they will acquire, safeguard, store, disclose and manage personal data.
In the meantime, organisations on both sides of the Atlantic will need to watch this space carefully so that they are ready to deal with the next development in the ongoing saga of Schrems and the Safe Harbor / Privacy Shield.
The Regulatory and Compliance Team have considerable experience helping businesses understand and comply with their data protection obligations. If you have any questions relating to the Privacy Shield or data protection generally, please contact Jeanette Burgess, Andrew Northage or another member of the team.