The EU and the USA announced on 2 February 2016 that they had reached an agreement, known as the “Privacy Shield”, which will permit businesses to transfer personal data across the Atlantic. This is a welcome development, after several months of uncertainty following the decision of the Court of Justice of the European Union (CJEU) in October 2015 in Schrems v Data Protection Commissioner (Case C-362/14), in which it declared the previous “Safe Harbor” transfer mechanism to be invalid.
The current EU data protection regime is set out in the Data Protection Directive (95/46/EC). In general terms, it requires member states to implement national laws that impose standards on the way in which entities that collect data relating to individuals collect, use and distribute those data while under their control. The transfer of personal data by a data controller to a country outside the EEA is prohibited unless that country ensures an “adequate level of protection” for the data.
In relation to the USA, the European Commission declared on 26 July 2000 (2000/520/EC) that the US “Safe Harbor Privacy Principles” ensured an adequate level of protection of personal data transferred from the EU to organisations established in the USA (this was known as the “Safe Harbor” decision). From that date, US companies were, in effect, able to self-certify their data protection policies.
But then, following the Edward Snowden revelations in 2013 and in a subsequent claim against Facebook by the privacy campaigner, Max Schrems, the CJEU found in October 2015 that US law required US recipients of personal data transferred under the Safe Harbor principles to disclose or grant access to those data to US public authorities under conditions that interfered with EU data subjects’ rights and freedoms. Accordingly, it declared the Safe Harbor principles invalid. This meant that any data transfers to the USA taking place under the Safe Harbor scheme were now unlawful, which stood to have a widespread impact, particularly on small businesses in the EU that were using services provided by global digital operators, such as Google, Apple and cloud storage providers. Commentators in both Europe and the USA had expected regulators to block transfers by the end of January 2016, and some businesses had made preparations to transfer data to appropriate locations.
At the eleventh hour, the USA has now agreed to give EU personal data a greater degree of protection through the new “Privacy Shield” agreement. The European Commission said in a statement: “US companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed … The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.”
With the Privacy Shield now in place, EU businesses that are reliant on US corporations for their data storage services no longer have an urgent need to relocate their data storage facilities to the EU, or to enter into EU model contracts, as had been the case since the Safe Harbor decision was declared invalid back in October 2015. Andrus Anzip, Vice-President for the Digital Single Market on the European Commission, said: “We have a duty to check and will closely monitor the new arrangement to make sure it keeps delivering.”
Complying with the new regime
As Tom Thackray, the Competitive Markets Director of the CBI, has rightly commented: “Businesses now need clarity fast on what they need to do to comply with the new framework so it can be implemented quickly and effectively.”