Digital

Preparing for uncertainty

As Europe and the US reach a new agreement for the transfer of personal data, eolas questions the strength of the new framework and the impact the agreement will have on businesses that rely upon it.

Following the collapse of the Safe Harbour clause as a result of a legal challenge last October, the European Union and America have reached an agreement on the framework for a new deal that will allow companies to move personal data about their users across the Atlantic.

The Safe Harbour clause, which had existed since 2000, allowed technology companies to ship personal information about their European users to America, in spite of the fact that American privacy regulations are viewed as significantly weaker than those on this side of the Atlantic. The clause was used by roughly 4,000 companies, but late last year, following revelations about US surveillance made by the whistleblower Edward Snowden, the European Court of Justice found that European citizens’ data could not be assumed to be safe.

Provisions

In negotiating this new deal, the United States of America has made several assurances that the data of European citizens will be protected. A statement released by the European Commission stated that the arrangement includes the following elements:

•   a strong obligation on companies handling European citizens’ personal data and robust enforcement;

•   clear safeguards and transparency obligations on US government access;

•   effective protection of EU citizens’ rights with several redress possibilities.

The obligation on companies handling European citizens’ personal data will ensure that US companies wishing to import personal data from Europe will need to commit to robust measures on how personal data is processed and ensure that individual rights are guaranteed. The US Department of Commerce will be tasked with ensuring companies publish their commitments. This will ensure they will be enforceable by US law. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European data protection agencies.

Similarly, the US has also given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. In a case where data is accessed, the data must be used only to the extent necessary and proportionate. The US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of this arrangement, an annual joint review by the European Commission and the US Department of Commerce will be established, which will also look at the issue of national security access. As part of this review, intelligence experts from the US and European data protection authorities will be invited to provide their view and assessment of the workings of the agreement.

Any European citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies will have deadlines to reply to complaints and data protection authorities can refer complaints to the US Department of Commerce and the Federal Trade Commission. In addition to this, alternative dispute resolution will be free of charge and a new Ombudsperson will be created for complaints on possible access by national intelligence authorities.

Views

Speaking following the announcement of the agreement, the European Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, said: “The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.”

This view was supported by the Vice President for the Digital Single Market, Andrus Ansip, who stated that the decision brings the vision of a trusted and dynamic Digital Single Market in the EU one step closer. However, Max Schrems, whose challenge against Facebook’s data transfers ultimately led to the Safe Harbour provision being declared invalid, suggested that whilst there has been some movement by the US, he expects many challenges to this framework in the European Court of Justice.

While many businesses that may have struggled from a financial and operational point of view with the removal of the Safe Harbour provision will welcome the announcement of a new agreement, for now it is little more than a number of general statements, vague on specifics and dependent on political buy-in by the US.

The EU-US Privacy Shield will have to comply with and be consistent with the EU’s General Data Protection Regulation, which is intended to strengthen and unify data protection for individuals within the European Union. Adding further doubt to the potential for this framework to prove effective is the current legal battle between Microsoft and the US Department of Justice.

The US authority wants access to data held on an Irish server regarding a criminal suspect. Microsoft believes that a US search warrant is not valid and the access should be requested via the Irish Government using the Mutual Legal Assistance Treaty (MLAT).

There are two possible alternatives to this provision in the short term. First, processors could use EU data centres to simply hold data onshore until a more stable agreement emerges. The other option is to resort to ‘model contract clauses’, which are approved procedures between data exporters (in the EU) and importers (in the US). These are complex and possibly expensive frameworks that make safeguards explicit, should they be challenged before the EU-US Privacy Shield becomes stable.

Conclusion

Ultimately, despite the announcement of a deal, it remains entirely unclear how the Privacy Shield will stand up in either the European Union or the US. Most of the changes add new but largely toothless restrictions, including expedited dispute resolution requirements, solely on private sector organisations. The Court of Justice’s rejection of the Safe Harbour provision was based entirely on potential US government practices and there has been little indication of changed policy or procedure in this area.

Final approval of the Privacy Shield deal will include reviews by the Commission itself and its member states, and further legal challenges are all but guaranteed, meaning it could be months, if not years, before cloud and internet-based companies can be sure of their legal rights with regard to the transfer of user data.
