The EU-US Privacy Shield: Where are we now?
The issue of transferring personal data from the UK and Europe to the United States has been very much in the news over the past six months. Here we summarise the background, the latest state of play and what organisations can do to ensure they are complying with data protection rules.
What's happened so far?
Back in October 2015, we reported on a landmark decision by the Court of Justice of the European Union, which ruled that the Safe Harbor framework could no longer be relied upon to legitimise data exports to the US. This was potentially very significant for the thousands of organisations that had previously relied upon it. See The end of Safe Harbor.
Later that month, the UK's data protection regulator, the Information Commissioner's Office, urged organisations not to panic and suggested action for data controllers to take whilst waiting for the EU and the US to negotiate a replacement for Safe Harbor. See Safe Harbor: update.
In December, the Commission and the US Government announced that they had opened negotiations over a replacement for Safe Harbor, called the 'EU-US Privacy Shield'. They announced an agreement in February 2016, and details of the requirements for certification under the new scheme were released later that month. See From Safe Harbour to the Privacy Shield: US data exports revisited.
Where are we now?
Before organisations can rely on the Privacy Shield as a legal mechanism for data transfers, the European Commission must make a decision that it provides adequate protection (in accordance with the eighth data protection principle). A draft decision was published in February and is the subject of ongoing consultation.
Last Wednesday, 13 April 2016, the Article 29 Working Party (WP29) published its opinion on the Privacy Shield and the draft adequacy decision. The WP29 is an umbrella body composed of data protection regulators in every EU member state that advises the Commission on matters concerning data protection. Its opinions are not binding but they are considered particularly influential. The full opinion can be found here.
The WP29 acknowledges that the Privacy Shield incorporates significant improvements on Safe Harbor and has been produced with due urgency. However, the WP29 stated that it could not approve the Privacy Shield in its current form without a number of clarifications and greater consistency. For a brief summary of the WP29's reasoning, see Progress, but still some way to go.
So, is it back to the drawing board?
Not quite. The WP29's assessment is not fatal, as the Commission does not need its approval to make an adequacy decision. Nevertheless, it is a very influential body that the Commission must consult, and its concerns carry weight. It should be noted that the WP29 did not reject the Privacy Shield outright, but simply urged the Commission to resolve the concerns raised in order to ensure that the Privacy Shield offers a level of protection of personal information essentially equivalent to that within the EU and reflects the new GDPR.
The ball is now firmly back in the Commission's court, and there are likely to be some amendments to the Privacy Shield before the Commission makes an adequacy decision.
What should data exporters do now?
In the meantime, data exporters are reminded that the alternative methods under the current data protection regime remain valid. Model Contractual Clauses and Binding Corporate Rules may still be used to legitimise transfers of personal data between the EU and the US, and this will remain the case at least until the Commission publishes its final Privacy Shield adequacy decision.
If you have concerns about the legality of data transfers in your business, or would like advice on any aspect of data protection or information governance, please get in touch with our specialist data protection lawyers who would be happy to help.