EU – US Privacy Shield (not the latest superhero blockbuster)
26 Jul 2016
Last year’s shock invalidation by the European Court of Justice (ECJ) of the Safe Harbor framework created chaos for those organisations transferring data to the US from the EU.
Brussels now hopes that this has been addressed by the adoption of the EU – US Privacy Shield, a new legal mechanism recently agreed between the European Commission and the US Government.
Why is this important?
The UK Data Protection Act 1998 prohibits transfers of personal data outside the EEA unless the country to which it is being transferred ensures an “adequate” level of protection for the rights and freedoms of people in relation to their personal data.
If you fail to comply with this requirement, the Information Commissioner may issue an enforcement notice prohibiting the transfer of data. Breach of such a notice is a criminal offence. Also, in the event of a serious breach the Commissioner can currently impose a fine of up to £500,000, and soon this will rise to an eye-watering €20,000,000.
If you deal with companies in the US, or your arrangements require the transfer of personal data to the US, then you may already have ensured that you are compliant with European data protection regulations by implementing the use of Model Contract clauses or Binding Corporate Rules.
However, if you do not have these arrangements in place then you should speak with the companies you are contracting with to ensure compliance. Following 1 August 2016, when US companies can begin to self-certify under the Privacy Shield Framework, you should check whether these companies are fully certified.
What is Privacy Shield?
From 1 August 2016 US companies can self-certify with the US Department of Commerce that they meet the Privacy Shield requirements addressing the following:
• Accountability for onward transfer
• Data integrity and purpose limitation
• Recourse, enforcement and liability
These principles are based mostly on the Safe Harbor principles, with some enhancements. There are also a further 16 supplemental principles that companies must follow.
How does this differ from Safe Harbor?
The European Commission’s hope is that the inadequacies identified by the ECJ when Safe Harbor was invalidated have been addressed. In particular, there is a focus on oversight and supervision, requiring regular compliance reviews in addition to the annual self-certification. These obligations are ongoing for as long as any data received under Privacy Shield is retained by a US company, regardless of whether it ceases to be a member.
Where there is an onward transfer of data there is an obligation requiring the US company to ensure that a third party provides the same level of protection. Finally, companies are only permitted to keep personal data as long as it serves the purpose for which it was collected.
There is additional regulatory oversight, including an annual review conducted jointly by the European Commission and the Department of Commerce. Written assurance has also been provided by the US Government that access to data by US public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms (and that the indiscriminate mass surveillance activities that led to the invalidation of Safe Harbor will not arise).
Will it work?
Only time will tell. Many experts in the industry do not believe Privacy Shield goes far enough, and there remains a risk that the ECJ may still strike it down for insufficiency the next time there is a court case that relies on Privacy Shield. For those seeking to limit their risks here, we advise organisations to rely on the Model Contract and Binding Corporate Rules pathways instead of, or in addition to, the “untested Shield”.
Contact us on 0161 832 3434 if you have any queries about data protection or would like us to review any contractual compliance with data protection laws.