Data Privacy Day – celebrated annually on 28 January by a small coterie of cyber security firms and data protection lawyers – might have passed off uneventfully again this year on our side of the pond (with a poor sense of timing, the UN's Working Group on Arbitrary Detention narrowly missed marking the day by calling for Julian Assange to be "freed").
Over in the US, however, a short but critical piece of legislation was being passed by the Senate. Its effect was to remove a key obstacle to US/EU digital trade, which had been in a state of cold war since the Schrems v Facebook judgement in October last year.
As previously reported on these pages, whilst the longstanding debate about the efficacy of Safe Harbour traditionally focused on its status as a self-accredited scheme, the political torpedo which eventually saw it scuppered – first with Snowden, then Schrems – was distrust of the US government. Specifically, what led to the declaration of invalidity of the ancien régime by the CJEU was the NSA’s ability to snoop on any European citizen’s data being handled in the US – in ways which could not simply be contracted out of – without US law offering those individuals the judicial redress available to its own citizens.
What has changed all that is the simply named US Judicial Redress Act. The stated aim is to “extend [US] Privacy Act remedies to citizens of certified states”, including those of the European Union. Widely held by observers to have forced open the door to agreeing a new Safe Harbour 2.0, the Senate’s announcement put sudden pressure on both sides of the trade negotiations to make the expected happen before the long-appointed deadline of 2 February (when the EU data protection authorities were due to meet).
What followed behind the scenes was three days of frenzied transatlantic horse-trading, building on three months of re-writing which had already taken place since Schrems. The deal agreed was so last-minute that some reports had already written off talks when Justice commissioner Věra Jourová confirmed, on February 1, that they were still “ongoing”. Then came the eleventh-hour announcement: Safe Harbor is out, and “Privacy Shield” is in.
If it were down to pure semantics, the rebrand alone would signify a firm ratcheting-up in terms of toughness. But after the fanfare, lingering doubts remain that the new system is as waterproof as it sounds – amid concerns that concessions were made, and issues fudged, in the attempt to get the deal on the table in time for approval. And the adequacy of the scheme still needs to be ratified by the Member States.
Commissioner Jourová has no such doubts, at least not publicly. "For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms," she cooed. "Also for the first time, EU citizens will benefit from redress mechanisms in this area." The US has also given assurances it does not conduct “mass or indiscriminate surveillance of Europeans” and, as a ringing endorsement of this new-found trust, it has agreed to submit to an annual joint review of this commitment.
Not everyone shares the enthusiasm, or the optimism. Chief among the naysayers is, unsurprisingly, one-man privacy shield Max Schrems. “If this case [Schrems v Facebook] goes back to the ECJ [sic], which it very likely will do, if there is a new safe harbour that does not meet the test of the court – then it will fail again," he predicted the day before the announcement (hastily adding, "…which nobody wants"). His position has not changed since the announcement. In his blog post based on a headline view, he stated: "There will be clearly people that will challenge this – depending on the final text I may well be one of them."
In fairness to Schrems, he has made some practical proposals in respect of using (and expanding the role of) certain US companies that fall outside mass surveillance laws. But the fact is that merely granting Europeans access to remedies under US privacy law does not have the effect overnight of bringing those laws on a par with what they would expect within the EU. In the meantime, with doubts over the future of the revamped Safe Harbour 2.0 before it is even ratified, the announcement does not place any UK and European companies (and other organisations) in any less of a limbo.
It is to be hoped that the ICO, and other Data Protection Authorities across Europe, will continue to be watchful rather than rushing to use enforcement powers. But in the meantime, somewhat clunkier mechanisms such as binding corporate rules (BCRs) and model contract clauses (MCCs) remain the safer option for those entering into new trans-Atlantic data transfers – even though, ironically enough, many companies using these are just as vulnerable to US Government surveillance as those under the Safe Harbour scheme.
All told, the message must still be to "watch this space". There is still plenty more water to flow under this bridge before we can welcome back certainty to digital trade with America.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2016