Data Protection legal update – What next for transfers of personal data to the US?
Farewell Safe Harbor
The European Court of Justice ruled in October 2015 that the ‘Safe Harbor’ agreement with the US, which allowed the transfer of EU citizens’ data to the US, is no longer valid because it does not adequately protect consumers. This decision was made in the wake of the Edward Snowden revelations regarding mass surveillance by the US government of personal data held in the US. Now that this agreement has been ruled invalid, US companies can no longer rely on self-certification and must find another means to guarantee an adequate level of protection. This has significant implications if you are a UK business that transfers personal data to the US, as you now need to use an alternative transfer option in order to comply with the Data Protection Act 1998.
Welcome Privacy Shield
On 2 February the EU and US reached political agreement on the replacement for the Safe Harbor arrangement. The new programme will be called the Privacy Shield and the earliest it is expected to be in operation is in three months’ time. Some of the key provisions of the new programme are:
Transparency - Improved transparency around the extent of and the limitations on US government surveillance.
Annual Review - An annual joint review of the effectiveness of the programme will be carried out, which will include input from both US experts and EU regulators.
Redress - The EU Commission will provide clear guidance to citizens on how to get legal redress under the Privacy Shield. EU citizens will have the right, for the first time, to access US courts in respect of data that is being used for law enforcement purposes.
Data handling obligations - There will be clearer safeguards and increased transparency around the level of access which US authorities will be permitted to have to data held by US companies.
Whilst US and EU negotiators have reached agreement, the Privacy Shield is not (yet) a final agreement. There is reason to be optimistic due to the Privacy Shield’s greater transparency and new dispute resolution mechanism, as well as an increased level of co-operation between the EU and US authorities. However, questions remain and EU Data Protection Authorities have reserved three months to comment on the agreement and may demand amendments. This means that the Privacy Shield may not be fully operational as quickly as hoped. The timetable for the next few months is as follows:
> A draft “adequacy decision” will be adopted by the EU in the coming weeks.
> On the US side, the relevant authorities will need to prepare and then finalise the commitments which are to be given under the agreement.
> Commitments have been given that the Privacy Shield will be compliant with the EU General Data Protection Regulation which will come into force in 2018.
Alternatives to ‘Safe Harbor’
The EU Article 29 Working Party (the group of EU data protection authorities) confirmed on February 3 that it views the EU Model Clauses and Binding Corporate Rules as valid alternative transfer options whilst the Privacy Shield is being finalised. However, both of these mechanisms may also be subject to recommendations from the EU Data Protection Authorities, and elements of the Privacy Shield agreement itself may be extended to apply to these alternative transfer options. You will need to watch this space in the coming months to see the shape of these proposals.
If I send personal data to the US what should I be doing now?
> Carry out an assessment of what personal data you transfer to the US (through the Safe Harbor arrangement or otherwise). Do not forget to check the location of any subcontractors that your suppliers use in the background!
> Assess and put in place the most suitable alternative to Safe Harbor. We recommend the EU model clauses or Binding Corporate Rules; and
> For sensitive data, use encryption if possible when transferring personal data to the US, as this anonymises the data, which means it is not caught by the legislation.
For more information contact Claire Jacques on 01235 836643 or email@example.com