Following the political agreement reached between the EU Commission and the US Government in February, the EU Commission has now published the detail behind the proposed Privacy Shield arrangements.
Privacy Shield effectively works in the same way as Safe Harbor. It is a scheme under which US organisations self-certify compliance with some of the EU data protection principles and subject themselves to oversight, principally by US regulators. Once a US organisation is certified, EU/EEA organisations can transfer personal data to it without being in breach of the restrictions on transfers of personal data outside the EU/EEA.
The difference between Privacy Shield and Safe Harbor is that US organisations are taking on extra commitments and US regulators (principally the US Department of Commerce and the Federal Trade Commission) are committing to provide effective oversight and enforcement. In addition, Privacy Shield aims to give EU citizens an effective means to police the use of their data when it is transferred to US organisations. This extends as far as being able to complain about the use of personal data by US intelligence services via an Ombudsperson scheme set up by the US State Department.
So, have we fixed the issues thrown up by the Schrems ruling, and what should EU-based organisations do? For the moment, the answer is to hold fire. The EU Commission's draft Adequacy Decision, which sets up Privacy Shield, has to go through several stages of review in the EU by the EU Data Protection Regulators (the Article 29 Working Party), the Member States and the College of EU Commissioners. This could take several months. In addition, the European Parliament could refer the draft Adequacy Decision to the CJEU.
Assuming Privacy Shield is formally adopted by the EU Institutions, then it will be for US organisations to decide if they want to sign up to it. US organisations will have to carefully weigh up the pros and cons of Privacy Shield as against other (currently) available methods of legitimising transatlantic data transfers, such as EU Model Clauses and Binding Corporate Rules.
This is not straightforward. Privacy Shield will be much more onerous for US organisations with, for example: prescribed information to be contained in privacy policies and complied with; a modified form of subject access request for individuals; commitments on data security; a redress system for EU citizens where direct complaints to the US organisations have to be answered within 45 days with subsequent redress mechanisms all the way up to an Arbitration process; and, potentially, re-negotiation of contracts with sub-processors used by the US organisations. Those who sign up are also almost certain to come under close scrutiny from US regulators. It is likely that all of this will involve a considerable commitment of resources by US organisations.
Even then, the future of Privacy Shield is far from certain. It is almost inevitable that it will be challenged before the CJEU by privacy advocates, a process that will take a year or so. To be fair, the deal struck by the EU Commission and the US government probably goes as far as might reasonably be expected, particularly bearing in mind that the starting point is that the US has no broad Data Protection or Privacy Laws, as we in the EU would understand them. In seeking to provide equivalent protection for EU citizens' personal data in the US, the deal seeks to tackle this fundamental issue.
Finally, the Privacy Shield deal provides for an Annual Review mechanism between the EU and the US to ensure that Privacy Shield is working effectively. If the EU believes it is not, it has the power to suspend or revoke Privacy Shield. The EU is obviously seeking to ensure that the US sticks to its commitments.