Safe Harbor's successor: 'EU-US Privacy Shield' political framework

On 2nd February, the European Commission (‘Commission’) and the United States (‘US’) agreed on a new framework for data flows between them, the ‘EU-US Privacy Shield’ (‘Privacy Shield’), following the striking down of ‘Safe Harbor’ in October 2015.

The Privacy Shield will establish a new framework for transatlantic data flows intended to provide legal certainty for business. The three significant changes intended to overcome Safe Harbor’s shortfalls are:

1. Strong obligations on companies handling European citizens’ data 

US companies using EU citizens’ data will need to commit to robust obligations, with the US Department of Commerce monitoring compliance. These obligations will be enforceable under US law by the Federal Trade Commission.

2. Clear safeguards & transparency obligations on US government access

Safe Harbor failed substantially because of indiscriminate surveillance by the NSA on national security grounds. The US has now committed to stop that practice going forward. Exceptions will apply only where such access is necessary and proportionate, and the EU and US authorities will jointly review access annually.

3. Protection of EU citizens’ rights with redress options

Critically, the Privacy Shield provides redress mechanisms for EU citizens who believe their data rights are being infringed:

a.    They can complain to the company concerned, with a deadline for response

b.    An EU Member State’s supervisory authority can refer complaints to the Department of Commerce and the Federal Trade Commission in the US

c.    No-cost alternative dispute resolution mechanism 

d.    Complaints regarding access for US national security reasons will be dealt with by a new ‘Ombudsman’ in the US, to be created specifically for this purpose.

What happens next?

The political agreement will now pave the way for a new Commission ‘adequacy decision’ to effectively replace the old Safe Harbor adequacy decision, a draft of which will initially be prepared and then reviewed by the Article 29 Working Party (‘Working Party’), a collective of the Member States’ supervisory authorities, the European Data Protection Supervisor and the Commission.  

On 3rd February 2016, the Working Party commended the fact that the Commission had reached political agreement with the US and said that it would now wait to receive the text of the agreement, following which it would come to a decision as to its suitability for an adequacy decision. The end of April 2016 is cited as probably the earliest point at which the Commission may be able to make an adequacy decision, assuming there are no issues to negotiate further with the US authorities.

The Working Party also stated that businesses can, until such time as an adequacy decision is made, rely on other tools (BCRs or Model Clauses) in place of the old Safe Harbor mechanism.  Data Protection Authorities will, however, be free to commence enforcement action against businesses not having any mechanism in place to transfer data to the US.