On January 28th, we published an article entitled “Safe Harbor: how does its revocation affect European companies?” detailing the legal uncertainty that individuals now face regarding personal data transfers between the European Union and the United States. The article offered recommendations for European companies with the aim of mitigating any difficulties.
It's been two and a half months since then and, although the European Commission announced on February 2nd its intention to reach an agreement between the U.S. and the EU (known as the "US-EU Privacy Shield," hereinafter referred to as “the agreement”), to date there continues to be the same level of legal uncertainty, since legislation relevant to the international transfer of European data to companies located in the U.S. still does not exist.
Below are the most important aspects of the agreement that will aid an analysis of the situation described in the previous paragraph.
Why have the actual contents of the US-EU Privacy Shield not yet been published?
What was actually published on February 2nd was a simple agreement of intent for the so-called "US-EU Privacy Shield"; the US Department of Commerce is currently in talks with the European Commission to negotiate and draft the full content of the agreement.
There is currently no legal basis for the international transfer of data between companies located in the U.S. and the EU. In this regard, the only transfers that could be considered lawful in Europe are those based on data protection clauses or binding corporate rules, and they become unlawful the moment they step outside the aforementioned scenario.
What is the content of the US-EU Privacy Shield likely to be?
No full agreement has been reached between the U.S. and the EU yet. To date, only a draft text in English has been circulated, reflecting the possible issues agreed upon by both parties, as well as establishing a general framework that will regulate the final pact between the U.S. and the EU. A fact sheet published by the European Commission lists the different elements that are likely to feature in the agreement. The most important ones are:
a) At a commercial level, strict obligations include:
- Greater transparency.
- Monitoring mechanisms to ensure that companies comply with rules.
- The disqualification of companies for breaching any rule.
- Application of stricter conditions to subsequent data transfers.
b) Guaranteed transparency on the part of the U.S. government regarding data access:
- Access of the American public authorities to personal data of European citizens will be subject to clear limitations and monitoring mechanisms.
- Access to data by the American public authorities cannot be indiscriminate.
- A report containing the approximate number of access requests must be issued.
- The creation of an "ombudsman" or public advocate, acting independently of American intelligence authorities and responsible for defending the rights of any affected parties as well as resolving any complaints made.
c) Resources that must be implemented by companies:
- Reply within a period not exceeding 45 days to complaints filed by citizens or individuals.
- Implement alternative methods of resolving conflicts or complaints, at no cost to citizens.
- Work with the data protection authority to resolve complaints submitted by EU citizens.
- Implement an arbitration mechanism to ensure any decisions are enforced.
d) The necessity of a mechanism for joint annual review:
- A mechanism will be implemented to monitor the Privacy Shield and the commitments pledged by the U.S., in particular compliance with obligations regarding data access for national security purposes.
- An annual summit with NGOs and stakeholders will take place to analyze the impact of the Agreement on European legislation.
- The European Commission will submit a report to the European Parliament and Council related to the annual joint review of the Agreement and other relevant sources of information (e.g. transparency reporting by companies).
What impact will the US-EU Privacy Shield have on the future of Data Protection Regulation?
The Agreement will be applicable to the Data Protection Regulation, specifically to the paragraph regarding international transfers. This is why the US-EU Privacy Shield must be consistent with the data protection rules that have recently been approved.
The Regulation and the Decision that implements its content form part of the same package of policy measures required in the EU to ensure the treatment and protection of European citizens’ data.
What observations did the Article 29 Working Party present on the content of the US-EU Privacy Shield?
The Article 29 Working Party (hereafter referred to as “Art.29 WP”) is an independent body that offers consulting and advisory functions to entities of the European Union on issues related to privacy and data protection. Art.29 WP has a crucial role to play in the development of the US-EU Privacy Shield, as it is formed by the 28 European data protection agencies, who seek practical ways of resolving privacy and data protection issues. Art.29 WP has the function of impartially reviewing the US-EU Privacy Shield’s contents and submitting comments on the degree to which the Agreement’s implementation accords with European standards and principles.
On Wednesday April 13th, Art.29 WP president Isabelle Falque-Pierrotin issued a statement on the Agreement’s draft content, indicating that although it represents a breakthrough from the Safe Harbor days, there are still many important issues within the Agreement that need to be reviewed and clarified by the European Commission and the U.S. Department of Commerce.
Falque-Pierrotin stated the following:
- The Agreement is complex and difficult to understand;
- It is not consistent with the principles outlined in European data protection legislation;
- Any guarantees regarding the “ombudsman” are not sufficient, nor does it state that this entity would need to be an independent authority;
- It is important that the rules applicable to terrorism, espionage and cyber security are clarified – three of the six exceptions applied by the U.S.;
- There is a growing tendency on the part of the U.S. authorities to collect data in a massive and indiscriminate way on the basis of a fight against terrorism.
The statements issued by Art.29 WP are not binding on either the European Commission or the U.S. However, in the coming months these entities will be seeking a solution to bring the US-EU Privacy Shield in line with the guidelines and comments submitted by Art.29 WP. It is estimated that such revisions will take some months, leaving European citizens no choice but to carry on their operations without a definitive agreement governing transatlantic data transfers in place.
Implications and recommendations
The Art.29 WP statement confirms the legal uncertainty that has caused Safe Harbor to be called into question, as well as the precarious nature of the attempted US-EU Privacy Shield. This situation has already created a great deal of commercial uncertainty, since Europeans do not have any kind of legal guarantee when making international data transfers to the U.S., and such transfers are still being made nonetheless.
On Wednesday April 13th, Art.29 WP indicated that, while the Agreement is pending, it is recommended that international data transfers between the U.S. and the EU be carried out on the basis of the relevant data protection clauses in force or binding corporate rules. It should however be mentioned that the European data protection authorities are entitled to start investigations against companies that violate European data protection legislation at any time they deem appropriate.
The "draft Agreement" must be reviewed and adapted in coming months by the European Commission and the U.S. Department of Commerce according to observations discussed by Art.29 WP. In this context, European companies have been advised to heed the recommendations made at the end of our blog post published on January 28th.
This post is also available in Spanish.
This is a guest post by Ana Martiza Vega Suárez.