Privacy Shield – what now?
Cathrine Ripley, partner in the Commercial & Technology team, considers the aftermath of the European Commission’s adoption of the EU-US Privacy Shield arrangement.
On 12 July 2016 the European Commission adopted the EU-US Privacy Shield allowing US Companies from 1st August to begin data transfers of personal information from EU member states by submitting self-certifications to the US Department of Commerce. It has been a year since the previous transfer mechanism (Safe Harbor) was found to be inadequate but, despite the introduction of Privacy Shield, EU-US data transfers are still not free from uncertainty.
Comments from the Information Commissioner’s Office
Recently the Information Commissioner’s Office (ICO) published comments on EU-US data transfers, warning that organisations which continue to rely on Safe Harbor are in breach of the Data Protection Act 1998 and risk enforcement action.
The ICO also pointed out that although organisations may continue to use EU standard contractual clauses and binding corporate rules, these transfer methods are vulnerable due to upcoming European Court of Justice (ECJ) cases which may find they are invalid.
Challenges to Privacy Shield
The general consensus seems to be that Privacy Shield will be challenged in the courts in the near future. Before being adopted, the EU’s national data protection authorities (known collectively as the Article 29 Working Party) took the view that:
• Privacy Shield does not go far enough to address the previous concerns about Safe Harbor (such as allowing large amounts of EU personal data to be collected indiscriminately).
• the US ombudsperson who has been appointed to investigate complaints is not sufficiently powerful or independent.
Although the Working Party’s opinion is not binding on the European Commission, its members do have the power to suspend data transfers to the US. So for the time being a degree of uncertainty remains.
On top of this, Max Schrems (the privacy campaigner whose dispute with Facebook led to the decision that Safe Harbor was inadequate for the purpose of EU-US data transfers) has cast doubt on Privacy Shield, describing it as “the same as Safe Harbor with a couple of additions, and it’s going to fail like the one before”.
What should businesses be doing?
So far only a small number of US companies have certified under the Privacy Shield arrangement compared to Safe Harbor. The number of organisations certifying is expected to increase but the current uncertainty over the validity of the model contract clauses and the possibility of a legal challenge to Privacy Shield means that some US organisations are opting to use both mechanisms whilst others are adopting a wait and see approach.
For now, UK businesses should review the data they are transferring to the US and what safeguards they have in place to ensure it is protected:
• Are the US entities to which they transfer data participating in the Privacy Shield?
• If not are model contractual clauses or binding corporate rules being used?
If in doubt, up to date advice should be sought as to how best to reduce the risk of breaching current data protection law.