This week the European Commission has finally announced the details of the “privacy shield”, outlining the new method of transferring data between the US and European countries
Although long awaited, this announcement has come ahead of the agenda originally set by the commission, and is a surprising, if not insulting, move towards the Article 29 Working Party, which has not yet had its thoughts considered publicly.
This move is legal and permissible. Yet why have no comments from the Working Party been included in the announcement? It is known that a number of the experts in Working Party 29 were sceptical about whether or not the privacy shield would work at all; and on the basis of the details revealed, it is likely there will be some friction.
The agreement is underpinned by the Judicial Redress Act, which causes some potential difficulties. The Data Protection Act, and the EU Charter of Fundamental Rights protects individuals in the EU, whereas the US-based Judicial Redress Act refers to citizens of a covered country. This poses the question: what happens to those individuals who are based in an EU member state, but are not citizens of that country? This will be a key point of consideration for the ECJ, and a challenge is likely.
If successful, the case of Schrems is likely to return to court, arguing that the EU is merely more aware of the activities of the US, but there is not sufficient or adequate protection of those whose data is being transferred from the EU to the US. The risk of this uncertainty will be a burden for businesses, who will not want to spend huge amounts on conforming with the new privacy shield only to find it overturned.
Advertisement
On the surface, the privacy shield is a political achievement and good news for businesses. It will give companies who self-certify greater freedoms to process personal data, particularly those who benefit from Big Data handling who do not want to be burdened by the full weight of European data protection and privacy law, but in reality there is still an element of doubt. Businesses need to consider the reactions of the Article 29 Working Party, and the data protection regulators in the countries in which they have operations, before deciding how to respond.
Recently, there has been a great deal of uncertainty about the transfer of data between the EU and US, so many businesses have implemented alternative methods of data protection compliance, including the use of model contracts. This is an expensive system to implement, but it is legal and secure.
The new privacy shield requires good compliance across key principles that affect many aspects of a companies privacy compliance and to a higher standard set than that under Safe Harbor. We must wait to see whether the attractiveness of the privacy shield will tempt companies to undo their recent work and enjoy this new regime, perhaps at the expense of individual privacy rights.
Ashley Winton is UK head of data protection and privacy at international law firm Paul Hastings, LLP and chairman of the UK Data Protection Forum