Access Alert: Behind the EU-US Privacy Shield – What is ‘Safe Harbour 2.0’?

The 'EU-US Privacy Shield' is hailed as 'Safe Harbour 2.0', but hurdles remain, and even clearing them is no guarantee of a harmonious data-transfer environment for tech companies. Our experts bring you up to date.

EU and US negotiators reached a non-legally-binding agreement on 2 February on a new mechanism for legal data transfers across the Atlantic – the ‘EU-US Privacy Shield’ – to replace the Safe Harbour agreement, which the European Court of Justice (ECJ) ruled invalid in October 2015.

What’s in the Agreement?

  1. A right of redress for EU citizens through various dispute mechanisms, including a new, last-resort arbitration entity (to be independent of US agencies)
  2. Strong and clear safeguards for personal data protection and oversight of those US agencies
  3. A US Department of State ombudsman for EU citizens’ data concerns
  4. Provision for annual joint review of the agreement
  5. Sanctions for non-compliant companies (including removing offenders from the list of authorised data handlers).

What’s Next?

The text is being finalised, but it must be sent to the Article 29 Working Party (WP29), a body comprising Europe’s data protection authorities, by the end of February. WP29 will then distribute it to its members and assess whether the Privacy Shield would bring all EU-US data transfers up to the standard required by the ECJ. This determination will come in April at the latest, at the same time as a judgement on other mechanisms for data transfer, such as binding corporate rules and model contracts.

It will also require approval from the College of Commissioners. This could take up to three months, during which time companies will need to continue using the alternative measures. The US Department of Commerce will require a few weeks to determine implementation procedures and institute an ombudsman.

What will WP29 Look For?

WP29 will be asking whether the Privacy Shield meets four criteria:

  1. Processing should be based on clear, precise and accessible rules.
  2. Necessity and proportionality with regard to the legitimate objective pursued need to be demonstrated.
  3. An independent oversight mechanism should exist that is both effective and impartial.
  4. Effective remedies need to be available to the individual.

Impact

  • The risk of enforcement is suspended. While action from individual member states cannot be ruled out entirely, the WP29 statement on the new agreement states that model contracts and binding corporate rules are still sufficient for the time being.
  • Companies will need to recertify. Details of new obligations are not yet fully known but companies will need to publish their data-protection procedures and those with European HR data will need to comply with the forthcoming WP29 decision.
  • It will be months before companies can make transfers under the agreement. Even if recertification is swift, WP29 isn’t expected to reach a judgement before April, while the process for a new adequacy decision from the Commission may take several months in its own right.
  • Even once agreed, it won’t be the end of the story. The ECJ has made it clear it will examine the Privacy Shield and other transfer mechanisms individually. Complaints against model contracts are already underway in several EU member states, and the new agreement itself will (probably) be challenged in future.

Related Articles

Access Alert: What the abolition of Mexico’s telecoms and competition regulators means and what to do next

Access Alert: What the abolition of Mexico’s telecoms and competition regulators means and what to do next

Mexico’s Congress has approved the constitutional reform for the elimination of the Federal Institute of Telecommunications (IFT) and the Federal...

25 Nov 2024 Opinion
Access Partnership Concludes 2024 with Double Recognition: Best Tech Policy Advisory and Innovative Tech Consultancy of the Year

Access Partnership Concludes 2024 with Double Recognition: Best Tech Policy Advisory and Innovative Tech Consultancy of the Year

London, UK – Access Partnership has celebrated the end of 2024 by winning Best Technology Policy Advisory at The Business...

22 Nov 2024 General
Access Alert: New agency for digital transformation and telecommunications in Mexico

Access Alert: New agency for digital transformation and telecommunications in Mexico

The Mexican Congress has approved the creation of the Agency of Digital Transformation and Telecommunications, which will have the level...

19 Nov 2024 Opinion
Access Alert: The wider impact of Australia’s social media ban for under-16s

Access Alert: The wider impact of Australia’s social media ban for under-16s

Australia’s states and territories have unanimously backed a national plan to ban children under sixteen from most forms of social...

18 Nov 2024 Opinion