Privacy Shield: up and running - for now...

Privacy Shield: a reminder of the story so far

You may recall our briefing in April this year. EU data protection law provides that personal data must not be transferred to a territory outside the EEA unless that territory ensures an adequate level of protection. The European Commission may make a positive finding of adequacy in relation to a third party territory (which is then binding on Member States). Even if a territory's laws have not been found adequate, a transfer of personal data may still be lawful on a number of other grounds, but these are beyond the scope of this briefing.

No general finding of adequacy has ever been made in relation to the US, so the "Safe Harbor" program was approved in 2000 as a method of providing adequate protection for data transfers to the US. (Other methods of permitting transfers to the US also exist).

In October 2015, the Court of Justice of the European Union (CJEU) declared the Safe Harbor framework invalid, in the case of Maximillian Schrems v Data Protection Commissioner. The case stemmed from a complaint filed by privacy campaigner Max Schrems at the Irish DPA, in respect of the transfer of his data by Facebook Ireland to Facebook Inc, located in the US. In July 2016 (after some delay and criticism from the Article 29 Working Party and others – see box), the European Commission adopted a replacement for the Safe Harbor – the EU-US Privacy Shield.

In light of the criticism received from the Article 29 Working Party and others (see box), can businesses rely on Privacy Shield?

The legal answer is yes. From 1 August 2016, transfers of personal data from the EU to Privacy Shield selfcertified/registered organisations in the US will be permitted.

The commercial answer is slightly more nuanced. Not all US based data importers can use the framework. As with Safe Harbor, it only applies to organisations that are within the jurisdiction of the US Federal Trade Commission or Department of Transportation (which excludes certain industries e.g. financial services, insurance and telecommunications).

Moreover, the adopted text of the Privacy Shield has already been criticised. Although the Article 29 Working Party have said that they will not make an immediate challenge to the decision of the EU Commission, the position will be assessed after one year. Moreover, their latest statement gives potential support to others who may plan a "Schrems" style challenge. In current circumstances some attack on the Privacy Shield seems likely.

So why use it? For organisations in the US whose business model involves the bulk import of personal data (cloud data hosting in particular) the Privacy Shield is relatively easy to adopt and therefore has attractions. Many US based IT service providers used the Privacy Shield forerunner, Safe Harbor, and this pattern may be repeated. And given the minimal administrative burden on data exporters, EU businesses will find it convenient to agree to use the Privacy Shield where it is on offer from their counter-party, while continuing to rely on other existing mechanisms (such as EU Standard Contractual Clauses, "model clauses") for, say, intra-group transfers. Of course, even these alternatives aren't necessarily safe from challenge: a case brought by the Irish Data Protection Commissioner is underway, which queries the legal status of data transfers under the model clauses. That said, as with the Privacy Shield, the possibility of future changes in regulatory analysis should not prevent businesses using these mechanisms for the time being.

How does Privacy Shield fit in with the GDPR?

The newly adopted General Data Protection Regulation (GDPR) will apply in all Member States of the EU from 25 May 2018 to replace the existing Directive. The GDPR adopts restrictions on the export of personal data from the EEA which are similar to the Directive (i.e. the need for "adequacy"), but raises the standards of what is "adequate". While the GDPR says that existing adequacy decisions under the Directive (which includes the Privacy Shield) remain in force until amended, replaced or repealed, the raising of the bar could well make successful challenge more likely, or put pressure on the EU Commission to conduct an early (and negative) review.

And what about Brexit?

Brexit is unlikely to take place before the GDPR becomes law in the UK, and the Privacy Shield will remain a useful mechanism for UK businesses until then (subject to challenge or amendment as described above). After Brexit the UK will need to have in place legislation which allows an EU adequacy decision to be made in its favour, in order to ensure the continued free flow of personal data between the EU and UK, i.e. equivalent to the GDPR (and if the UK joins the EEA, we will have GDPR in full anyhow). Because of that, something like the Privacy Shield will still be needed to facilitate the transfer of personal data from the UK to the US, with protection equivalent to the EU. However, at present the Privacy Shield only applies to the EU, so unless revised, a bi-lateral UK – US equivalent would seem to be needed.