Privacy Shield - Safe Harbor Mark II
The EU and US negotiating teams have announced a breakthrough in their deliberations on finding a replacement for the Safe Harbor scheme. Readers will recall that Safe Harbor, an arrangement that had been in place since 2000, provided justification for the transfer of personal data between EU and US companies by setting out seven principles by which the data would be protected in the US.
Unfortunately, the scheme was deemed no longer ‘fit for purpose’ by the EU Court of Justice back in October 2015, primarily due to the persistent surveillance by US security structures of EU citizens’ communications and correspondence.
Faced with the possibility that any transfer of personal data to destinations outside the EU might have to be substantially halted, the key stakeholders (the Article 29 Working Party representing EU interests, and the Dept of Commerce and the Federal Trade Commission covering US interests) have been meeting to find an alternative arrangement. Since last October, the target date for resolution has been the end of January, 2016.
Only two days late, and following a final push on Monday, we now have Privacy Shield, a commitment by the authorities in both trade blocks to monitor and enforce the principles of EU privacy legislation in a more effective and credible manner. In a press release issued by the EU Commission yesterday, the ‘bare bones’ of this new arrangement were set out.
The new arrangement will include the following elements:
- Strong obligations on companies handling Europeans' personal data: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.
- Active Enforcement: The Department of Commerce will monitor that companies publish their commitments, which will make them enforceable under U.S. law by the US. Federal Trade Commission.
- Jurisdiction: Any US company handling HR data from Europe has to commit to comply with decisions by European Data Protection Authorities.
- Transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.
- Annual Joint Review of adherence: To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and will invite national intelligence experts from the U.S. and European Data Protection Authorities to attend.
- Redress for EU citizens: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. US companies will have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission.
- New Office of the Privacy Shield Ombudsperson: Under the new arrangement, dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson’s office will be created.
To date, we only have this outline of the key principles on which the negotiating parties are agreed. This structure now needs to be articulated in formal, legal language in order to see the detailed undertakings and procedures. This could take up to six months.
In the interim, it will remain the responsibility of each Data Controller in their respective jurisdiction to ensure that appropriate security safeguards are in place to protect any personal data which they decide to share with, or send to a firm based in the US.
Observers have already commented that the same flaws which brought about the demise of Safe Harbor have not been addressed – namely, the ability of the US authorities to cite Homeland Security as the basis for surveillance of any and all personal correspondence coming into the US, or held on the databases of US-based firms. The provision in the new scheme that such surveillance should be “necessary and proportionate” is still quite subjective, and will only require a credible narrative by
the US authorities to proceed.
Of course, we must remember that the US security authorities are not alone in this. Understandably, as recently as the terrible events in Paris and Brussels, several EU countries, including France, Belgium, Germany and the UK, stepped up their security surveillance of personal correspondence and social media postings. However, the EU would argue that such surveillance is permissible and protected by protocols approved by the courts in each of these jurisdictions. It remains to be seen whether the
Privacy Shield will offer such oversight and reassurances.
Throughout all of this, spare a thought for the good people of Vancouver, Canada, who launched the “Privacy Shield” app as a protection against online fraud and social media scams (Available in the US and Canada only). I am sure they are very proud that the EU Commission and the Feds adopted their product name for this new multi-jurisdictional programme. If nothing else, it will be good for publicity, and the ‘hit rate’ on their home page is likely to increase exponentially in the coming days.
Nonetheless, the EU Commissioner and the US Feds might do worse than to adopt the strap-line of this app as their motto for the new scheme: “True Freedom To Connect Confidently”.