It’s finally here! The EU – U.S. Privacy Shield (aka Safe Harbour 2.0) has been approved by the European Commission which means businesses in the EU will be able to transfer personal data to U.S. self-certified companies without the need for any further safeguards.
There’s been an air of uncertainty around personal data transfers between the EU and the U.S. since the European Court of Justice (ECJ) invalidated the Safe Harbour scheme in October 2015; so this is great news for businesses in the EU which use service providers based in the U.S.
Rather than discussing the background of the invalidity of the original Safe Harbour scheme we’re going to focus this blog post on the practical reality of what this decision really means for your business.
Why is the Privacy Shield relevant and /or important?
Under the Data Protection Act 1998, a data controller can only transfer personal data to a country outside of the European Economic Area (EEA) that country “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.
Given EU data protection laws are among the most stringent in the world, this sets a pretty high threshold.
In the firm’s experience, the Safe Harbour scheme was the most popular method of ensuring this level of protection. Businesses in the U.S. were familiar with it and, once signed up, could deal with anyone in the EU without the need for consent or further contracts. The Privacy Shield has a similar framework and therefore the same benefits apply.
What European businesses need to do to benefit from this decision?
First, it’s important to understand that a U.S. company who is self-certified under the original Safe Harbour scheme is not automatically self-certified under the new Privacy Shield.
If you have used another method to ensure “adequate” protections are afforded to personal data which you have or will transfer to the U.S. (for example Model Contract Clauses), that is still valid and you won’t have to do anything.
If you haven’t, or you want to change to the Privacy Shield, you should contact your data processors in the U.S. and ask them whether they are ready and willing to apply for self-certification. Applications to the U.S. Department of Commerce opened on 1 August 2016.
This Department has issued a very helpful set of instructions on ‘How to Join Privacy Shield: Guide to Self-Certification’ if you are interested.
Other than that, you could say that the ball is really in the court of U.S. businesses. They are ones who have to develop compliant privacy policies, identify an independent recourse mechanic (i.e. dispute resolution program) and designate a contact for handling privacy questions, access requests, complaints etc. The list goes on.
Of course, UK businesses will still have to comply with all existing requirements under the Data Protection Act 1998; including having a written contract with the U.S. data processor which requires it to only act on the instructions from the EU data controller.
Furthermore, given that you (the data controller and data exporter) will still be responsible and liable to EU data subjects for compliance with the new framework, having warranties and indemnities around Privacy Shield membership and compliance are highly advisable.
What is our view?
We, along with many others, have questions about how the Privacy Shield will play out in practice. In particular:
- Will UK and U.S. businesses who have recently set up new adequacy protections in the aftermath of the invalidation of Safe Harbour join the Privacy Shield? No-one likes to negotiate twice.
- Will the Privacy Shield actually prove to be a workable and effective? Many, including the Article 29 Working Party – a body comprised of representatives from national data protection authorities, European Commission and the European Data Protection Supervisor – have their doubts. All eyes will therefore be on the results of the first joint annual review.
- What will be the relevance of Privacy Shield post-Brexit? No-one knows the answer to this. For the meantime it applies, but Brexit will require a reworking, or at least a restructure, of the legal requirements surrounding data flows between the UK and the EU, as well as the UK and the US.
This post was written by Lucy Archer, Associate, Intellectual Property, JAG Shaw Baker and Solicitor of the High Court of New Zealand