Transfer of personal data to the United States: Privacy Shield v Safe Harbour

Invalidation of the Safe Harbour decision created a gap in the system for transfer of data from Europe to the US. The question arose of how to evaluate the legality of existing data transfer practices based on Safe Harbour, and what rules to apply in the resulting vacuum.

On 6 October 2015 the Court of Justice of the European Union ruled that registration by American companies obtaining personal data under the Safe Harbour system is not sufficient grounds for transferring personal data from the EU to the US. The court held that the requirements of that programme did not ensure an adequate level of data protection, and therefore more restrictive security measures than those provided by Safe Harbour are required.

Doubts as to the adequacy of Safe Harbour had been building for years, and mostly resulted from the absence of a mechanism for involving the US administrative and judicial system in guaranteeing and enforcing data protection, as well as the practically unlimited possibility of subcontracting the processing of personal data to entities operating outside of the Safe Harbour system.

The operational paralysis following invalidation of Safe Harbour required the involvement of stakeholders as well as measures to restore trust in the transatlantic flow of data after reports of surveillance from 2013, and development of new rules.

When the European and American sides began working on filling the gap left by Safe Harbour, the parties had already reached an “umbrella agreement” (the European Commission announcement on completion of the negotiations begun in 2011 was published on 8 September 2015). It establishes, in general terms, the legal framework for cooperation between the parties in protecting personal information processed for the prevention, investigation, detection and prosecution of criminal offences, including terrorism. The umbrella agreement includes such mechanisms of protection as:

  • Limitation of data processing to clearly defined purposes
  • Obligation to obtain consent of the national data protection authority of the country originally providing the data in the case of onward transfer of data beyond the EU or US
  • Prohibition of retaining data beyond the period needed for processing of the data
  • Right of data subjects to access and rectify their data
  • Duty to notify breaches of data protection rules
  • Right of data subjects to pursue claims arising out of data violations in the country where the violation occurred (within the EU or the US).

As indicated, the umbrella agreement has very limited application, as it is addressed only to law enforcement authorities. Thus it replaces Safe Harbour only to a small degree. But it cannot be ignored that the agreement provides for a system of enforcement of data protection rights that did not exist before in relations between the EU and the US, and also recognises the primacy of European principles.

Then, on 29 February 2016, the European Commission announced that together with the US Department of Commerce it had completed negotiations of the rules for transatlantic exchange of personal data for commercial purposes, i.e. de facto it had completed work on a mechanism to replace Safe Harbour.

The negotiations resulted in publication of a draft adequacy decision—Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield.

Both the draft decision and the texts implementing the rules for safe transfer of data include rules for data transfer which must be observed by businesses, as well as written assurances by the US government concerning enforcement of the arrangements, including guarantees and limitations on access to data by public authorities.

The Commission confirms that the level of data protection after adoption of the rules will be adequate: the guarantees in force in the case of the flow of data between the EU and the US under the new rules will be the same as the standards for data protection within the EU. This will be achieved through:

  • Strong obligations on companies and robust enforcement
  • Tighter conditions for onward transfer of data by businesses participating in the programme
  • Ensuring transparency in access to personal data by the US government, including enabling Europeans to pursue claims against American intelligence services
  • Implementation of several mechanisms for redress of claims (including a fixed deadline for companies to respond to complaints, arbitration and other forms of ADR)
  • Annual joint review mechanism under which the parties will monitor the functioning of the rules for safe transfer of data and other issues.

It will still be some time before the final version of the decision is issued and it enters into force. On the EU side the draft decision must be approved by representatives of the member states and presented to the Article 29 Working Party (composed of the EU’s national data protection authorities) for an opinion. The American side must prepare the procedures and instruments necessary to ensure the enforceability of the Privacy Shield programme.

Sylwia Paszek, Personal Data Protection Practice, Wardyński & Partners