Companies are relieved that there will now be a new Safe Harbor for cross-border transfer of personal data from Europe to the U.S.
This announcement will provide a degree of certainty going forward, in particular after the upheaval which the Schrems case decision of the European Court of Justice last year produced, striking down the then-existing Safe Harbor framework. Businesses should, however, also expect a more rigorous process by the U.S. Department of Commerce to qualify for the “new” Safe Harbor certification and by the FTC to enforce it.
While it will take some time for the authorities to reduce these elements to detailed text and obtain formal approval, several new components of the Safe Harbor arrangements (now referred to as the EU-U.S. Privacy Shield) are already clear from the announcements.
Strong obligations on companies handling Europeans’ personal data and robust enforcement.
U.S. companies wishing to import personal data from Europe will need to expressly commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor companies’ published Safe Harbor commitments for enforcement by the FTC. In addition, any company handling human resources data from Europe has to commit to comply with decisions by the various European Data Protection Authorities (DPAs).
Clear safeguards and transparency obligations on U.S. government access.
The U.S. has given the EU written assurances that access by U.S. authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has also, significantly, ruled out indiscriminate mass surveillance on personal data transferred to the U.S. under the new arrangement. To regularly monitor the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European DPAs to it.
Effective protection of EU citizens’ rights with several redress possibilities.
Any EU citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies will have deadlines to reply to complaints, and European DPAs can refer complaints to the Department of Commerce and the FTC. In addition, an Alternative Dispute Resolution process to address complaints will be provided free of charge, giving real teeth to the right of redress, something which was a major concern to the EU authorities during the course of the negotiations. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
Of course, we will need to see what the final text of the Safe Harbor framework looks like and, ultimately, what the regulations and guidance to be issued by the Department of Commerce and FTC around this will require. In addition and, as is so often the case, the practical implementation of the framework will be crucial.
In the meantime and until the text of the new Safe Harbor framework is agreed and published, businesses can continue to rely on model clauses, consents obtained from data subjects from whom data is collected and binding corporate rules. However, the EU Article 29 Working Party (a policy body made up of EU DPA heads) has also indicated in very recent announcements that they have concerns regarding the appropriateness of model clauses and binding corporate rules for transfers to the U.S., and will be reassessing those mechanisms in light of the new Privacy Shield framework once it is released. Thus, while they made clear that business may rely on model clauses and binding corporate rules in the interim, that issue will be subject to review expected to be completed by the end of April. Indeed, it is fair to say that the Privacy Shield itself, as well as the model clauses and binding corporate rules, are susceptible to a legal challenge to their ability to afford an adequate level of protection for the transfer of personal data outside of the EEA (in much the same way that Maximillian Schrems challenged the adequacy of the first Safe Harbor framework). Thus, as we indicated earlier, businesses should reevaluate their current EU data collection processes and consider other steps. The new EU General Data Protection Regulation (GDPR) due to be finalized this spring may have some effect on this also.
Here are some suggested steps for the near term:
Tom Smedinghoff is Of Counsel in Locke Lord’s Chicago office. He can be reached at email@example.com.
Sign up for our newsletter and get the latest to your inbox.