After all the speculation, with premature declarations of its demise before it even got off the ground, this week the new EU-US "Privacy Shield" scheme – the framework to allow safe and compliant transfer of personal data from the EEA to the USA – finally declared itself up and running.
What does it look like?
Although this might read as if almost tantamount to enforcing an EU-style legislative framework on the US, that is not its practical effect. For one thing, sign-up to the scheme remains voluntary for US companies (a point stressed on the website). However, if an organisation is subject to either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation – and they must be to one or the other to be eligible for Privacy Shield – then, once they have publicly signed up to the scheme, that compliance commitment is enforceable under U.S. law by the relevant authority. The FTC was widely mocked for inaction by European privacy campaigners under the Safe Harbor regime, so it will be interesting to see how it steps up to the mark now.
How did we get here?
This development ends nine months of limbo (following the Schrems decision that brought down Safe Harbor – see previous editions of this newsletter) and follows hard on the heels of the official endorsement of the scheme by EC Commissioner Věra Jourová last month. This much progress so soon hardly seemed possible when, as recently as April 2016, the agenda-setting Article 29 Working Party of the EU Member States expressed "strong concerns" about the draft Privacy Shield agreement as lacking in "legal robustness" and clarity.
However, while its proponents will no doubt be looking over their shoulder for the next move of Mr Max Schrems, Privacy Shield has its fans. Jourová declared it "fundamentally different from Safe Harbor", and US secretary of commerce Penny Pritzker hailed it as a "milestone for privacy". A new annual joint review process is intended to ensure problems are addressed as they arise. As the landing site proudly announces, this was a cooperative enterprise to benefit "companies on both sides of the Atlantic... in support of transatlantic commerce."
What do we have to do now?
It was reported with great relief, when the floodgates to Safe Harbor opened last year, that the ICO was in no rush to use its enforcement powers while uncertainty still hung over the area. However, organisations renewing – or entering into new – IT contracts or other deals with transatlantic elements were understandably fretting that they could be criticised for not taking one of more industrial, heavy-handed routes to compliance such as complex binding corporate rules or boiler-plate "model articles" provided by the EU. Even the latter are now subject to legal challenge.
The new regime provides welcome clarity – for now. As the site Q&A sets out, "The Department of Commerce recognizes that it is critical to enable certifications as soon as possible to address the uncertainty that organizations on both sides of the Atlantic have faced. Given that need, acceptance of certifications will be available immediately August 1 to any eligible company." It also deals with an "initial timeframe for bringing existing commercial relationships with third parties into conformity" – essentially, that if you sign up in the first two months (up to 30 September 2016) you will have a further nine months to actually bring your commercial relationships in line with the principles of adequacy and accountability.
All this applies primarily to US companies, of course, since EU member states are already directly accountable under domestic law to their local Data Protection Authority (and, from 25 May 2018, the GDPR – General Data Protection Regulation). But it is still highly relevant to organisations here anxious to determine that they will not be criticise, put customers at risk or have action taken against them if they resume trading in data with the US. What is more, it gives us in the UK a little taste of what a post-Brexit e-commercial regime might taste like if we do not accept the direct effect of GDPR in 2018.
Of course, it is early days. We cannot state with confidence that Privacy Shield will be here forever – as the new website's introduction confesses from the outset, "While the United States and the European Union share the goal of enhancing privacy protection, the United States takes a different approach to privacy from that taken by the European Union". This has ever been the issue, and given rise to a belief that no self-accrediting scheme could satisfy the stringent requirements of EU law without fundamental legislative change in America. But to give Privacy Shield its due – its flexibility and built-in regular review seems to suggest it may be more capable of evolving to meet the required standards than its predecessor.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (owen.o'[email protected] ; 020 3375 7348) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Intellectual Property and Technology page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, August 2016