Following the invalidation of the 'Safe Harbor' programme by the Court of Justice of the European Union ("ECJ") in October 2015 and after months of negotiations between the EU and US, the European Commission formally adopted 'Privacy Shield' on 12 July 2016. Privacy Shield is designed to replace the Safe Harbor programme and to facilitate the continued flow of personal data as between the EU and the US. However, transatlantic data flows face further legal scrutiny in the context of the current Irish High Court case of 'Schrems II'.
Key features of Privacy Shield
Self-certification
US companies will be able to self-certify their compliance with Privacy Shield from August 1st 2016 once certain pre-conditions have been met, including:
- publishing a privacy policy on the company website and;
- having a dispute resolution mechanism in place.
As with Safe Harbor, only companies that are subject to the jurisdiction of the US Federal Trade Commission or the US Department of Transportation are eligible to participate in Privacy Shield. The US Department of Commerce ("DOC") has established a Privacy Shield team to assist with enquiries as to eligibility for self-certification. The DOC will conduct regular reviews of participating companies to ensure compliance with the principles contained in Privacy Shield.
Redress mechanisms
There are several options under Privacy Shield for an individual who believes that his/her data has been misused including:
- making a complaint directly to the company itself who must respond within 45 days;
- making a complaint to the national data protection authority in Europe who will work with US authorities to investigate complaints; and/or
- accessing a free alternative dispute resolution mechanism as nominated by the company.
A Privacy Shield Panel with 'consumer-friendly' features (e.g. no cost, possibility to participate by video-conference, free of charge translation and interpretation) has also been created which will act as a last-resort arbitration mechanism for complaints. The Panel will be drawn from a pool of arbitrators designated by the DOC and the European Commission.
US Government commitments
The White House has given commitments that the data flowing from the EU to the US will not be subject to indiscriminate mass surveillance. In addition, there will be a US-based independent ombudsman who will be responsible for invoking the rights of individuals in circumstances where they believe their personal data has been unlawfully used by US security agencies.
Next steps
Although Privacy Shield provides a solution to the challenge of international data transfers following the invalidation of the Safe Harbor programme, there is a possibility that it will be challenged by privacy activists or European Data Protection Authorities by way of a referral to the ECJ for an assessment as to whether it actually provides protection to the standards imposed under EU law. Pending the outcome of such an assessment, the ability of Privacy Shield to serve as a reliable long-term method for data transfers is in some doubt. A decision invalidating Privacy Shield would leave companies that had self-certified under Privacy Shield scrambling to implement model clauses contracts (or other mechanisms) in order to continue importing personal data from the EU.
"Schrems II" High Court case
The invalidation of Safe Harbour by the ECJ occurred as a result of a complaint made by Austrian lawyer Max Schrems in relation to the transfer of his data from Ireland to the US by Facebook under the Safe Harbor framework. Mr. Schrems subsequently made a complaint to the Irish Data Protection Commissioner in relation to the use by Facebook of model clauses contracts for transfers of data between Ireland and the US.
The Irish Data Protection Commissioner, in a draft finding, concluded that Mr. Schrems had raised "well-founded" objections to the validity of model clauses contracts. When a "well-founded" decision is reached, the next step for the Commissioner is to seek to have the ECJ decide the issue, by way of a referral from the Irish High Court. The High Court case is ongoing but if a referral is made by the High Court, the ECJ will be asked to make a decision on whether the transfer of data to the US could mean that it can be processed and accessed in a manner that is inconsistent with the Charter of Fundamental Rights of the EU. Given the significant ramifications of the case, a number of organisations have successfully applied to join the case as amicus curiae, including the US Government.
EU businesses engaging in trade with the US will be following the Schrems II case and future developments in respect of Privacy Shield with interest.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
