Access Alert: Behind the EU-US Privacy Shield – What is ‘Safe Harbour 2.0’?

The 'EU-US Privacy Shield' is hailed as 'Safe Harbour 2.0', but hurdles remain, and even clearing them is no guarantee of a harmonious data-transfer environment for tech companies. Our experts bring you up to date.

EU and US negotiators reached a non-legally-binding agreement on 2 February on a new mechanism for legal data transfers across the Atlantic – the ‘EU-US Privacy Shield’ – to replace the Safe Harbour agreement, which the European Court of Justice (ECJ) ruled invalid in October 2015.

What’s in the Agreement?

  1. A right of redress for EU citizens through various dispute mechanisms, including a new, last-resort arbitration entity (to be independent of US agencies)
  2. Strong and clear safeguards for personal data protection and oversight of those US agencies
  3. A US Department of State ombudsman for EU citizens’ data concerns
  4. Provision for annual joint review of the agreement
  5. Sanctions for non-compliant companies (including removing offenders from the list of authorised data handlers).

What’s Next?

The text is being finalised, but it must be sent to the Article 29 Working Party (WP29), a body comprising Europe’s data protection authorities, by the end of February. WP29 will then distribute it to its members and assess whether the Privacy Shield would bring all EU-US data transfers up to the standard required by the ECJ. This determination will come in April at the latest, at the same time as a judgement on other mechanisms for data transfer, such as binding corporate rules and model contracts.

It will also require approval from the College of Commissioners. This could take up to three months, during which time companies will need to continue using the alternative measures. The US Department of Commerce will require a few weeks to determine implementation procedures and institute an ombudsman.

What will WP29 Look For?

WP29 will be asking whether the Privacy Shield meets four criteria:

  1. Processing should be based on clear, precise and accessible rules.
  2. Necessity and proportionality with regard to the legitimate objective pursued need to be demonstrated.
  3. An independent oversight mechanism should exist that is both effective and impartial.
  4. Effective remedies need to be available to the individual.

Impact

  • The risk of enforcement is suspended. While action from individual member states cannot be ruled out entirely, the WP29 statement on the new agreement states that model contracts and binding corporate rules are still sufficient for the time being.
  • Companies will need to recertify. Details of new obligations are not yet fully known but companies will need to publish their data-protection procedures and those with European HR data will need to comply with the forthcoming WP29 decision.
  • It will be months before companies can make transfers under the agreement. Even if recertification is swift, WP29 isn’t expected to reach a judgement before April, while the process for a new adequacy decision from the Commission may take several months in its own right.
  • Even once agreed, it won’t be the end of the story. The ECJ has made it clear it will examine the Privacy Shield and other transfer mechanisms individually. Complaints against model contracts are already underway in several EU member states, and the new agreement itself will (probably) be challenged in future.

Related Articles

Brazil and the Future of Democracy in the Age of Disinformation

Brazil and the Future of Democracy in the Age of Disinformation

Fake news is far from new. That said, digital tools such as social media and online bots have changed the...

25 Jan 2023 Opinion
GDPR: Is it still fit for purpose? 

GDPR: Is it still fit for purpose? 

The EU’s landmark General Data Protection Regulation (GDPR) has fundamentally changed how personal privacy is respected and protected. However, cracks...

25 Jan 2023 Opinion
Access Alert | Environmental Footprint and Data Collection by ARCEP

Access Alert | Environmental Footprint and Data Collection by ARCEP

The impact of the deployment of electronic communications networks, mass production of terminals, operation of data centres, and ever-expanding data...

23 Jan 2023 Opinion
Access Alert | The International Telecommunication Union Focuses on Metaverse 

Access Alert | The International Telecommunication Union Focuses on Metaverse 

The International Telecommunication Union’s Standardization Sector (ITU-T) has established a new Focus Group that will take the first steps towards...

20 Jan 2023 Metaverse Policy Lab