In July 2016 the European Commission adopted Implementing Decision 2016/1250 which recognised that the USA ensure an adequate level of protection for personal data transferred from the EU to organisations in the USA under the EU-U.S. Privacy Shield.
The Privacy Shield framework comprises certain data protection principles together with official representations and commitments by various U.S. authorities. It is based on a system of self-certification by which U.S. organisations commit to these principles. The Privacy Shield relies on an undertaking by the U.S. Director of National Intelligence that bulk collection of data will only be used according to specific preconditions and indiscriminate mass surveillance will not take place. The Privacy Shield envisages direct resolution of a complaint by a Privacy Shield Company, free alternative dispute resolution and arbitration before the Privacy Shield Panel which may award non-monetary equitable relief such as correction, access, deletion.
U.S. companies wishing to avail of the Privacy Shield framework for data transfers must sign-up with the U.S. Department of Commerce which monitors their compliance. They are then registered on the Privacy Shield list and must self-certify that they meet the data protection standards set out by the arrangement. The Privacy Shield imposes stronger obligations on companies handling personal data compared to its predecessor (the Safe Harbor arrangement) particularly in relation to the publication of privacy statements and onward transfers of data. It also contains safeguards and transparency obligations in relation to U.S. government access.
Regardless of the heightened compliance requirements, many data protection activists were and continue to be sceptical about the practical implementation of the Privacy Shield. The Article 29 Working Party, which was an independent EU advisory body on issues of data protection under the Data Protection Directive (now the European Data Protection Board), made public commitments to monitoring the effectiveness of the Privacy Shield in practice. Despite all criticisms, the first annual review of the Privacy Shield, which took place in September 2017 and was thought to be of critical importance, gave rise to no major concerns.
The high profile Facebook-Cambridge Analytica data breach and the recent US Clarifying Lawful Overseas Use of Data Act ("CLOUD Act"), however, resulted in the European Parliament passing a non-binding resolution to suspend the Privacy Shield unless the U.S. comply with its obligations in full.
The Facebook-Cambridge Analytica data breach gave rise to serious concerns over the adequacy of the protection of personal data provided under the arrangement due to the fact that both companies are certified under the Privacy Shield.
The CLOUD Act regulates how U.S. law enforcement officials can access data stored outside of its territory. It puts new requirements on electronic communications providers to store and produce data to the U.S. government and empowers the executive power to enter into new executive agreements with foreign governments regarding disclosure of electronic communications. This has given rise to questions as to whether the CLOUD Act would meet the requirements of Article 48 of the General Data Protection Regulation (the "GDPR"), which stipulates that any court or tribunal judgment or decision of an administrative authority of a third country regarding a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the European Union or a Member State. The European Parliament's press release appears to suggest that the view of the majority of EU MEPs who passed the resolution for the suspension of the Privacy Shield is that the CLOUD Act could conflict with the GDPR.
It is important to note that Parliament's resolution is non-binding and the European Commission may choose to disregard it. While a suspension of the Privacy Shield appears unlikely at this point in time, the upcoming annual review of the Privacy Shield is very much anticipated and it will be interesting to see what the European Commission's finding and recommendations will be.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
