If your organisation is still relying on the old Safe Harbour rules as a legitimate ground for transferring personal data to the US, you need to carefully review this.
Not so long ago…
In October 2015, the European Court of Justice held that the Safe Harbour framework (which had facilitated data transfers for the last 15 years) was contrary to EU privacy law. Consequently, Safe Harbour can no longer be relied upon to ensure the safe transfer of personal data from the EU to the US.
The EU commission promised a new framework that would introduce greater obligations on US companies receiving and handling personal data from the EU. As if by magic (given the speed at which a replacement was introduced), on 1 August 2016 the new EU-US Privacy Shield (“Privacy Shield”) came into operation.
What is the Privacy Shield?
Věra Jourová, the European Commissioner, has commented that the Privacy Shield “protects the fundamental rights of Europeans” and “ensures legal certainty for businesses”.
But exactly how does it do this?
- Stronger obligations on US companies: US companies handling personal data transferred from the EU must have, and be able to demonstrate that they have, rigorous internal data protection policies and procedures in place (akin to the strict standards imposed on companies within the EU). Specifically, any company handling human resources data from the EU will be required to comply with the decisions of European data protection authorities, which often involves seeking consent for the transfer from the relevant staff involved.
- Stronger enforcement in the US: US companies are now required by the US Department of Commerce (which oversees certification under the Privacy Shield) to publish their data protection commitments. These commitments can in turn be enforced under US law by the Federal Trade Commission, giving the Privacy Shield far more clout than its predecessor. The Federal Trade Commission has the power to publish the sanctions ordered against non-compliant companies – the age-old trick of naming and shaming.
- Stronger individual enforcement rights: An aggrieved individual under the Privacy Shield will have several remedies open to them, including making complaints directly to the company, to their national data protection authority and, for complaints involving access to data for national security purposes, to a new US Ombudsperson. In addition, seeking redress will become more straightforward, as the European data protection authorities will be able to refer complaints to the US Department of Commerce and the Federal Trade Commission.
- Stronger safeguards and transparency relating to US government access: The case law in this area has prompted written assurances from the US to the EU that the integrity of personal data will be maintained in a law enforcement and national security context. That is, access by governmental and public authorities will be made clear and will be subject to various safeguards.
Uptake to date?
High praise indeed from the European Commissioner, but high praise also tends to attract high criticism.
Now that the Privacy Shield has been active for over a month, just how receptive have the 4000+ companies that operated under the old Safe Harbour rules been to the new framework? To date, only around 200 US companies and business entities have signed up to the Privacy Shield; the list of certified organisations can be found on the Privacy Shield website: www.privacyshield.gov.
Although prominent companies such as Microsoft and Google have agreed to the Privacy Shield rules, it appears that many organisations were caught napping by the uncharacteristic speed with which the EU Commission released a successor to Safe Harbour. Businesses that still rely on the Safe Harbour rules should be cautious, as they are potentially exposing themselves to sanctions for non-compliance with EU privacy law. The EU Commission has introduced higher fines for non-compliance, calculated as percentages of company turnover.
As well as the Privacy Shield, it should not be forgotten that organisations can also currently rely on EU Standard Contractual Clauses and Binding Corporate Rules as options for compliance. However, with European case law testing the validity of these alternative mechanisms still pending, we may see a greater number of companies join the growing list of Privacy Shield organisations.
If your organisation is still relying on the old Safe Harbour rules as a legitimate ground for transferring personal data to the US, you need to carefully review this. Technically, it would be considered illegal to continue doing so and you could potentially be at risk of enforcement action. Non-compliance is not an option.
Implementation of the Privacy Shield is one option. A sensible first step would be to check whether the organisations in the US to which you transfer data are looking to become part of the Privacy Shield. If the receiving company is not certified, you cannot rely on the Privacy Shield for that transfer.
Since the implementation of the Privacy Shield, a number of publicly available guides have been issued by the Information Commissioner’s Office, the European Commission, the Article 29 Working Party and across the pond by the US Department of Commerce.
As well as keeping up to date with, and applying where possible, the various commentary and guidance, companies that regularly transfer personal data to the US should consider undertaking an audit of their data receivers to ensure that they comply with the Privacy Shield obligations. Especially during the early stages of the new framework, organisations should avoid being caught lagging; the ICO and the US Department of Commerce will undoubtedly be looking for examples of non-compliance on which to exercise their new powers. EU companies that discover their transatlantic counterparts do not comply should encourage them to act quickly and join the growing list of Privacy Shield organisations.
The elephant in the room… Brexit
As if the news of declaring Safe Harbour invalid was not sensational enough, the UK took the decision to leave the EU just weeks before the Privacy Shield was announced.
Although it is currently unclear when the UK will break away, what is certain is that it cannot, at least technically, rely on the Privacy Shield as a protective framework once it does. Whether through a separate agreement with the US, a tripartite arrangement involving the EU or some other mechanism, it will be interesting and telling to see how the UK government decides to protect the personal data of its citizens once it can no longer stand behind the Privacy Shield.
For now, companies would be well advised to continue achieving compliance under the existing regime, which now includes the Privacy Shield.