Safe Harbour, Privacy Shield, what is everyone talking about?
Update: we're adding new information to the bottom of the post.
If you are reading the news at the moment you might have stumbled upon a lot of coverage about Safe Harbour (or Safe Harbor), Privacy Shield and the talk of data transfers from outside of the EU, namely into the US.
We thought it was our duty to summarise for our users what is going on and what this is going to change - also with online privacy notices in mind.
At its core, the whole debate revolves around the question of how someone might lawfully transfer data about Europeans to states outside of the EU (again, in this case, the US). EU law requires a sufficient level of data protection for the (personal) data of its citizens in order for such transfers to be lawful. One simple option on which to base these transfers was the Safe Harbour agreement. It was a straightforward certification by which companies could basically demonstrate the same data protection standards and thus be eligible to receive data about Europeans in an uncomplicated manner.
On 6 October 2015, the European Court of Justice declared that the widely applied Safe Harbour arrangement was invalid (in the so-called Schrems case). This decision called for renewed negotiations so as not to leave European businesses in the dark about their options for transferring data to the US.
At the end of January 2016, a much-anticipated deadline passed for communicating what the future of data transfers would look like.
What's the current state of things?
On February 2nd, the European Commission communicated that they and the United States have agreed on a new framework for transatlantic data flows: the EU-US Privacy Shield.
According to the European Commission, these are the promised upcoming contents of the new Privacy Shield agreement:
- Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
- Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created.
What will the future bring?
Now that this framework has been announced, not everything is settled yet. It will have to stand the scrutiny of the European data protection agencies acting in unison in the form of the Article 29 Working Group, and then ultimately that of the national data protection agencies in each European country as well. The framework itself will be examined more closely by the end of February, but it's time to shift the attention to the national data protection agencies, their views on the legality of data transfers to the US, and what, in their opinion, the conditions for such transfers would be.
In that sense, this is an ongoing issue that has to be followed closely in the coming months, if not years.
Schrems (who was responsible for the invalidation of Safe Harbour with his case before the European Court of Justice) writes in his assessment of the new Privacy Shield agreement:
“It is clearly too early for a final assessment. It seems the EU has tried to get as much as possible. This is also the first time we see at least some movement by the US side, after all letters and calls by European politicians were basically ignored. Going to courts over this matter and targeting the commercial sector seemed like a better strategy than most European politicians were so far using. Judging from the mere ‘headlines’ we know so far, I am however not sure if this system will stand the test before the Court of Justice. There will be clearly people that will challenge this – depending on the final text I may well be one of them.”
As you can see, we will all need to be patient regarding this matter.
What does this mean for your privacy disclosures?
For Europeans, the big question following this debate is going to be whether they are allowed to send personal data to US-based companies and if yes, what is the basis for this data transfer:
- other requirements following the legal basis
At the moment, it seems that many jurisdictions still allow the use of alternative mechanisms like “binding corporate rules” for transfers within multinationals and “model clauses” for transfers between companies. What will this look like in the future?
This is where, at the moment, people are still left in the dark. The most likely answer would have to be that data transfers from the EU to the US are not OK until a better framework is in place. The data protection agency of Hamburg, one of the German state agencies, has hinted that these mechanisms are probably also out of date or, at the least, problematic. Some data protection agencies in Europe take a more lenient approach and allow transfers if proper notices are part of them. No one has communicated definitive guidance yet, and this is what we'll gradually be seeing in the coming weeks and months.
- 11.2.16 ICO/UK: "Our position remains the same as in October – whilst complaints can be considered the usual ICO regulatory policy will be applied. We will be guided by the risk posed to individuals and steps that can be reasonably expected of data controllers. We will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome."
- 25.2.16 Germany: Since February 24th, consumer protection associations may sue companies for data protection violations in Germany. At the last moment, the responsible committee (the "Ausschuss für Recht und Verbraucherschutz") added a grace period for companies that based their data transfers on Safe Harbor. The grace period runs until 30 September 2016. Read more about it on German IT Law.
- 29.2.16 European Commission: "The European Commission today issued a Communication summarising the actions taken to restore trust in transatlantic data flows since the 2013 surveillance revelations". Find the documents here.
This draft will now be examined and reviewed by a committee composed of representatives of the Member States and by the EDPS (“European Data Protection Supervisor”); it will then be submitted to representatives of the national data protection authorities (the Art. 29 Working Party) before the actual adoption of the final text by the European Commission.
- 1.3.16 Article 29 Working Party: the Art. 29 Working Party (a working group containing various European data protection agencies from the single member states) is going to analyze the documents and adopt a draft opinion at the next plenary meeting on 12 and 13 April 2016.
- 13.4.16 Article 29 Working Party publishes Opinion: "The WP29 notes the major improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision. Given the concerns expressed and the clarifications asked, the WP29 urges the Commission to resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU".
- 12.7.16 European Commission adopts Privacy Shield with the words: "This new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the United States as well as bringing legal clarity for businesses relying on transatlantic data transfers." It remains to be seen where Privacy Shield goes from here. We'll observe the situation with a bit of scepticism.
- 26.7.16 Article 29 WP: "we are not going to challenge Privacy Shield until it has gone through its first annual review" as reported by Reuters.
- 29.8.16: Google Analytics adopts Privacy Shield.
- 26.10.16: "Privacy group launches legal challenge against EU-U.S. data pact" as reported by Reuters.