Breakdown of Trust
The European Commission and the USA have reached a political agreement on a new framework for EU/US data transfers: the “EU-US Privacy Shield”.
The political agreement was concluded on 2 February 2016 and came after three months of negotiations between the Commission and the US. The deal ends the hiatus resulting from the European Court of Justice’s (CJEU) ruling in October 2015 (in Maximillian Schrems v Data Protection Commissioner (Case C‑362/14)) that the previous framework, “Safe Harbour”, was unlawful. Vice-President Ansip and Commissioner Jourová have now been mandated by the Commission to prepare the necessary steps to put in place the new framework. According to the Commission, the EU-US Privacy Shield reflects the requirements laid down by the CJEU in the Schrems judgment. The new arrangement will achieve this through:
These are explored in further detail below.
As alluded to above, Vice-President Ansip and Commissioner Jourová will now prepare a draft "adequacy decision" for adoption by the Commission. Once adopted by the Commission, the EU-US Privacy Shield would become a part of EU law. This adequacy decision will be subject to review by the Article 29 Working Party (WP29) (the EU entity representing national Data Protection Authorities (DPAs) and a committee composed of representatives of the EU member states). The US authorities will also need to implement the new framework. This process is anticipated to take around three months.
The EU-US Privacy Shield in further detail:
According to Commissioner Jourová, the EU-US Privacy Shield is “fundamentally different to Safe Harbour". The Commission believes that the new framework meets the requirements of the CJEU in Schrems as follows:
The WP29 has reserved its judgment on the adequacy of the new framework. It has noted that many of the key details about the EU-US Privacy Shield remain to be outlined. Accordingly, the WP29 has asked the Commission to provide it with all documents relating to the new framework by the end of February 2016. The WP29 will then review the framework and will also consider alternative transfer mechanisms such as binding corporate rules and model contract clauses.
The WP29’s caution about the new framework is prudent. The new framework, for now, exists merely as a political agreement (by way of an “exchange of letters”) between the EU and the US, rather than an international agreement.
Any conclusions about the legality of the EU-US Privacy Shield are therefore premature. Businesses that need to transfer EU citizens' personal data to the US should wait until the WP29’s view is published (most likely in mid-April) before relying on the EU-US Privacy Shield to provide legal protection. The new agreement does nothing to effect the functioning of Safe Harbour. Accordingly, it remains illegal for companies to rely on Safe Harbour to justify transatlantic data transfers.
It is also important to remember that the agreement will require implementation in the US. This may be more difficult in an election year. Given the difference in attitudes towards privacy in the US compared to those in the EU, it remains to be seen whether the US will actually change is domestic legal regime to provide for the framework – the US government may instead be planning on providing the framework through political commitments. Privacy campaigners in Europe have already said that this agreement not likely to stand up to scrutiny by the CJEU. Watch this space!
Skip to content Home About Us Insights Services Contact Accessibility