The European Commission yesterday announced a new Safe Harbor deal which the Commission hopes to have in place within 3 months. We set out our initial views yesterday. Today the lead European Commissioner in this area, Věra Jourová, addressed the influential Article 29 Working Party (also known as WP29) and we have updated this alert with additional information from that speech.
This is the third speech Commissioner Jourová has given in the last 3 days but details still remain unclear. Commissioner Jourová said yesterday that the practical work on the new deal has only just started.
The new arrangement will be called EU-US Privacy Shield. It remains to be seen if the new deal can be a lasting solution. It is clear from today’s WP29 meeting that organisations who previously relied on Safe Harbor – either through their own registration or by using suppliers or services in Safe Harbor – cannot wait for Privacy Shield to come into effect.
Background
The Commission made its announcement yesterday after a grace period allowed by EU data protection regulators expired on Sunday. The issues behind the challenge to the original Safe Harbor by the Austrian law student Maximilian Schrems are now well known (see our earlier alerts and films here). Since the decision in October there’s been a round of shuttle diplomacy to put a new deal in place. The European Parliament was given an update by the European Commission on Monday night on the current state of negotiations and a meeting took place with the influential WP29 today.
The WP29 is largely composed of representatives of the national data protection authorities across the EU. It issues influential (but non-binding) reports on data protection issues of common interest and first suggested a postponement of regulatory activity on data transfer after the Schrems decision in October 2015. This postponement period ended on Sunday. It is important to stress that the law did not change overnight – the Schrems decision was effective from October – it’s the enforcement of the law which changed. As we said in our alert last month we know regulators in some countries including Germany and France have been planning enforcement campaigns now (see http://www.corderycompliance.com/end-of-january-deadline-post-safe-harbor-enforcement/).
What is the Commission proposing?
The Commission is proposing that the new Privacy Shield arrangement will be based on a unilateral decision from the European Commission that US data protection laws are adequate.
Power to do a deal
There’s likely to be debate on whether the European Commission has the power to do a deal binding data protection regulators. A read of the original decision in the Schrems case suggests that the Commission can’t do this alone – for example paragraph 56 of the judgement says:
“Furthermore, it would be contrary to the system set up by Directive 95/46 … for a Commission decision … to have the effect of preventing a national supervisory authority from examining a person’s claim concerning the protection of his rights and freedoms in regard to the processing of his personal data which has been or could be transferred from a Member State to the third country covered by that decision.”
The original Safe Harbor deal was done between the US and the European Commission. The Commission could try and get a wider Safe Harbor consensus this time around. The European Parliament’s Civil Liberties, Justice and Home Affairs Committee (known as LIBE) held an extraordinary meeting on Monday night with Commissioner Jourová. Commissioner Jourová could also seek the European Parliament’s blessing for the deal – indeed the consensus in the LIBE meeting appeared to be that she should. Again however it’s hard to see how this will help make the deal a lasting deal. The deal still could not bind regulators and would be subject to court challenge in the same way as the original Safe Harbor deal – a point Mr. Schrems made on Monday night when he said he was looking to book another flight to Luxembourg (the location of the CJEU which heard the case in October).
Complaints
Both the CJEU decision in Schrems and the WP29’s initial response in October 2015 make it clear that local data protection regulators should continue to act on complaints. Complaints can be made to any regulator in any of the 28 EU countries. Examples include the original Schrems complaint to the Irish data protection authorities over the way in which Mr. Schrems alleges his data was handled by Facebook and transferred to the US. It is unlikely that a Privacy Shield deal can affect this – indeed it’s likely that Privacy Shield will include greater enforcement on both sides of the Atlantic. The forthcoming US Judicial Redress Act of 2015 which some in Europe see as a keystone in Privacy Shield will also give EU citizens more rights to complain about the way in which their data has been handled in the US.
In Europe, individual data protection regulators – including a number in Germany – have additionally made it clear that they will investigate any complaints they receive. Indeed following the Schrems decision it seems they will be duty bound to do so. They are already seized with complaints including the original Schrems complaint in Ireland, new Schrems-related complaints in Ireland, Belgium and Germany (see http://www.europe-v-facebook.org/EN/Complaints/PRISM_2_0/prism_2_0.html) and additional unrelated complaints in the UK. Given that these complaints affect data transfers already made it is hard to see how retrospective relief can be given by any Privacy Shield deal.
The Commission seems alive to the possibility of challenge, with Commissioner Jourová saying she expected new complaints and ‘new court rulings’.
What is WP29’s position?
Soon after their meeting with Commissioner Jourová WP29 issued an initial statement.
WP29 felt that at this stage it did not have the information it needed to determine whether Privacy Shield and the additional promises the US Government is expected to make will be sufficient. It said that local data protection regulators would not necessarily ‘wait and see’ but that (as we indicated yesterday) complaints would be acted on, saying:
“The WP29 recalls that since the Schrems judgment, transfers to the U.S. cannot take place on the basis of the invalidated Safe Harbour decision. EU data protection authorities will therefore deal with related cases and complaints on a case-by-case basis.”
It also called on the Commission to document the deal done with the US and to let WP29 see those documents by the end of this month. It said it would then set up an extraordinary meeting to discuss the new scheme. In the meantime whilst Safe Harbor cannot be relied on WP29 suggested that from their point of view EU Standard Contractual Clauses (also called EU model terms) and Binding Corporate Rules could still be used – there is an explanation of both of these methods of data transfer in our October alert here.
What else has Commissioner Jourová said?
Both the hearing at the European Parliament on Monday and yesterday’s press conference started late and were short on detail. Pending more information from the Commission our quick takeaways are:
- It is proposed that an exchange of letters records the deal rather than a formal agreement. Clearly this could be subject to challenge especially as it would seem hard to do a lasting deal with an outgoing US administration. Does for example the outgoing Secretary of Commerce or even an outgoing President have the power to bind a new administration? Equally in yesterday’s press conference there seemed to be a reluctance from the Commission to state exactly who within the US administration will make the expected promises.
- It is proposed that businesses signing up to Privacy Shield provide a free arbitration mechanism. Currently businesses are permitted to ask for a reasonable contribution. Will the provision of a free service lead to significantly more complaints? If so will the cost of maintaining an arbitration service for free outweigh any benefit of joining Privacy Shield? Will this make sense commercially?
- Commissioner Jourová said that whilst they would look to do a deal which would be renewed each year a US breach of Privacy Shield will result in suspension. It is relevant to note however that the Commission did previously threaten suspension of the original Safe Harbor deal but did not carry out this threat. Can organisations live with the uncertainty that this might bring?
- The US has proposed a new “high-ranking” ombudsman to police complaints from EU nationals. It seems to be proposed that this ombudsman is based at the US State Department. How this ombudsman would in fact supervise the NSA and other US government agencies remains to be seen. Additionally under the US constitution could a Federal agency in fact supervise individual US state agencies? Some on the European Parliament’s LIBE Committee have asked for a special hearing with US representatives to get answers before blessing any deal.
- US authorities will police Privacy Shield more rigorously and will have regular inspections of US corporations with sanctions – details on this are awaited.
- The Commission expects that the scheme will change regularly and be subject to annual renewal. This is likely to be unsatisfactory for many businesses who require certainty in their operations. Many will want to explore alternative more stable solutions like Binding Corporate Rules as a more lasting solution.
What should be done now?
The effects of the Schrems decision will continue to be considerable. Even on the Commission’s estimation the new deal will take 3 months and businesses transferring data now will need to do something to at least plug that gap. WP29’s statement today underlines the need to do something now.
Anyone transferring data will continue to need a detailed plan to legitimise those data flows even if a new Safe Harbor (or Privacy Shield) deal is done. There’s some guidance on how to do that in our earlier alert here.
Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com