On 2 February 2016 the EU Commission announced that it had reached political agreement with the US Department of Commerce on new EU-US data transfer arrangements. The new framework is called the EU–US Privacy Shield and is a substitute for the previous Safe Harbour scheme which was declared invalid on 6 October 2015 (see Article: Data Transfers to the US – you can no longer rely on Safe Harbour!).
The full details of the Privacy Shield have not yet been published, but they are reported to include strong obligations on data processing and individuals’ rights, robust enforcement mechanisms, clear safeguards and transparency on US government access to data, and redress possibilities for individuals.
This is a step towards a new solution for EU organisations which transfer customer or employee data to the US, in order to overcome restrictions on international transfers of data under EU data protection law. However, the arrangements are not yet set in stone and there still a way to go before they become a definitive solution. The US has work to do to put in place the new framework, and EU bodies need to assess the Privacy Shield.
The Article 29 Working Party1 has requested full documentation and has said that it “stands ready to analyse” it in light of essential guarantees for intelligence activities relating to the use of personal data. If found appropriate, the EU Commission will issue a formal “adequacy decision” which would make the Privacy Shield an approved mechanism for overcoming EU to US data transfer restrictions.
In updated guidance on 10 February 2016, the UK Information Commissioner’s Office indicated that it will not be rushing into enforcement action, but advised businesses to take stock. This means organisations should be reviewing what personal data they are transferring outside the EU, where it is going to, and what arrangements are in place to make sure it is adequately protected (in the US or elsewhere).
Alternative solutions such as standard contractual clauses and binding corporate rules are still valid, but these are also under review. In particular, the Article 29 Working Party has indicated that it will be considering whether these mechanisms can still be used for personal data transfers to the US. In the UK, employers have the option of making their own assessment of adequacy based on the context and associated risks. This may therefore be an appropriate course of action for UK organisations whilst there are ongoing uncertainties over the new Privacy Shield and other previously approved transfer mechanisms.
Olivia Whitcroft, principal of OBEP, 11 February 2016
1 The Article 29 Working Party is a body made up of representatives from the data protection authorities of each EU Member State
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details