EU and US negotiators reached a non-legally-binding agreement on 2 February on a new mechanism for legal data transfers across the Atlantic – the ‘EU-US Privacy Shield’ – to replace the Safe Harbour agreement, which the European Court of Justice (ECJ) ruled invalid in October 2015.
What’s in the Agreement?
- A right of redress for EU citizens through various dispute mechanisms, including a new, last-resort arbitration entity (to be independent of US agencies)
- Strong and clear safeguards for personal data protection and oversight of those US agencies
- A US Department of State ombudsman for EU citizens’ data concerns
- Provision for annual joint review of the agreement
- Sanctions for non-compliant companies (including removing offenders from the list of authorised data handlers).
The text is being finalised, but it must be sent to the Article 29 Working Party (WP29), a body comprising Europe’s data protection authorities, by the end of February. WP29 will then distribute it to its members and assess whether the Privacy Shield would bring all EU-US data transfers up to the standard required by the ECJ. This determination will come in April at the latest, at the same time as a judgement on other mechanisms for data transfer, such as binding corporate rules and model contracts.
It will also require approval from the College of Commissioners. This could take up to three months, during which time companies will need to continue using the alternative measures. The US Department of Commerce will require a few weeks to determine implementation procedures and institute an ombudsman.
What will WP29 Look For?
WP29 will be asking whether the Privacy Shield meets four criteria:
- Processing should be based on clear, precise and accessible rules.
- Necessity and proportionality with regard to the legitimate objective pursued need to be demonstrated.
- An independent oversight mechanism should exist that is both effective and impartial.
- Effective remedies need to be available to the individual.
- The risk of enforcement is suspended. While action from individual member states cannot be ruled out entirely, the WP29 statement on the new agreement states that model contracts and binding corporate rules are still sufficient for the time being.
- Companies will need to recertify. Details of new obligations are not yet fully known but companies will need to publish their data-protection procedures and those with European HR data will need to comply with the forthcoming WP29 decision.
- It will be months before companies can make transfers under the agreement. Even if recertification is swift, WP29 isn’t expected to reach a judgement before April, while the process for a new adequacy decision from the Commission may take several months in its own right.
- Even once agreed, it won’t be the end of the story. The ECJ has made it clear it will examine the Privacy Shield and other transfer mechanisms individually. Complaints against model contracts are already underway in several EU member states, and the new agreement itself will (probably) be challenged in future.