New EU-US Safe Harbour Agreement

Michael Decicco and Eryn Fanjoy

On February 2, 2016, the European Commission announced that it reached a deal to replace the EU-US Safe Harbour framework that was declared invalid last year by the Court of Justice of the European Union (CJEU).  Referred to as the “EU-US Privacy Shield”, the new framework should provide businesses with guidance for the safe transfer of personal information of citizens of the European Union (EU) to the United States. 

Background

The CJEU declared the old Safe Harbour framework invalid on October 6, 2015.  Under the EU Data Protection Directive, the personal information of EU citizens can only be transferred from the EU to countries with adequate data protection standards. The old Safe Harbour agreement, negotiated between the European Commission and the United States Department of Commerce, was one of a number of mechanisms available to EU businesses to ensure there was an adequate level of protection when transferring personal data of EU citizens to the United States. One of the CJEU’s primary concerns with the old framework was the massive and indiscriminate surveillance of personal information of EU citizens in the United States, which was viewed as incompatible with the “fundamental rights” of EU citizens. 

Regulators provided a grace period ending January 31, 2016 for the negotiation of a new agreement, during which European data protection authorities would not pursue penalties against businesses improperly transferring personal information of EU citizens from the EU to the United States.

Features of the New Framework

While the terms of the new agreement have not been settled, the European Commission released some details of the EU-US Privacy Shield.

  • Obligations on businesses in the United States with respect to personal information of EU citizens and enforcement mechanisms: Similar to the original Safe Harbour, businesses in the United States will need to commit to obligations regarding how personal information will be processed and how individual rights will be guaranteed.  The Department of Commerce will ensure that businesses publish their commitments and the Federal Trade Commission will enforce these commitments.

  • Transparency and safeguards relating to United States government access: The United States government has given assurances that personal information of EU citizens transferred to the United States will not be subject to government mass surveillance programs, and that access to such personal information for law enforcement and national security purposes will be subject to limitations, safeguards and oversight mechanisms.

  • Remedies: Companies operating under the new framework will have deadlines to reply to complaints.  European data protection authorities may refer complaints to the Department of Commerce and the Federal Trade Commission.  Any dispute resolution mechanisms offered under the EU-US Privacy Shield will be free of charge.  For complaints relating to possible access by national intelligence authorities, EU citizens may lodge a complaint with a new dedicated ombudsperson based in the United States.

Next Steps

The European Commission must prepare an adequacy decision to approve the EU-US Privacy Shield as a valid data transfer mechanism under the EU Data Protection Directive, which is expected to take several weeks.  Once prepared, the adequacy decision must be adopted by the College of EU Commissioners after receiving and considering the advice of the Article 29 Working Party.  Authorities in the United States will need to take various actions, including establishing the ombudsperson and implementing monitoring mechanisms.

EU-US safe harbour for data transfers declared invalid - Canadian implications

Michael Decicco

On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the decision underlying the European Union’s (EU) Safe Harbour structure for cross-border data transfers from the EU to the United States in Schrems v. Data Protection Commissioner of Ireland (Schrems).  Shortly following the CJEU’s decision, the Article 29 Data Protection Working Party (Working Party) issued a statement outlining its views as to the consequences of the CJEU decision in Schrems.  The decision may directly impact Canadian businesses which transfer data from the EU to the United States or which host data in the United States.

Safe Harbour and Schrems

Under the EU Data Protection Directive, personal information of EU citizens can only be transferred from the EU to countries with adequate data protection standards.  Safe Harbour, which was negotiated between the European Commission and the United States Department of Commerce, was one of a number of mechanisms available to EU companies to ensure there was an adequate level of protection when transferring personal data of EU citizens to the United States.  To benefit from Safe Harbour, a company was required to self-certify to the United States Department of Commerce that it complied with specified EU privacy standards. 

In Schrems, the CJEU declared Safe Harbour invalid.  The CJEU held that ensuring an adequate level of data protection for EU citizens, as is required by the EU Data Protection Directive, means providing “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union.” The CJEU found that Safe Harbour failed to meet this standard since it did not prohibit the United States government from collecting and examining the personal information of EU citizens.

The Working Party’s Opinion

The Working Party is an advisory board consisting of EU data protection authorities and was created pursuant to the EU Data Protection Directive.  The views of the Working Party are typically followed by EU regulators.

On October 16, 2015, the Working Party issued a statement which noted that it was still considering Schrems and acknowledged the uncertainty Schrems has created. The Working Party confirmed that certain other mechanisms permitting the transfer of EU citizens’ personal information to the United States will remain valid, such as the “Standard Contractual Clauses and Binding Corporate Rules”. However, the Working Party noted that this will not prevent EU data protection authorities from investigating individual cases.

The Working Party emphasized the need for EU data protection authorities to have a “robust, collective and common position” to successfully implement Schrems. The statement adopts the position that the core element to Schrems was the issue of massive and indiscriminate surveillance in the United States, which the Working Party previously stated is incompatible with EU law.

In addition, the Working Party called on EU member states and institutions to enter discussions with the United States in order to find political, technical and legal solutions to enable transfers of personal information to the United States, while respecting the fundamental rights of EU citizens. The Working Party stressed the need for “clear and binding mechanisms”, as well as “obligations on the necessary oversight of access by public authorities, on transparency, on proportionality, on redress mechanisms and on data protection rights”.

Canadian Implications

In light of Schrems and the Working Party’s statement, it is likely that any future decisions by EU data protection authorities with respect to adequate levels of protection under EU safe harbour rules will include an analysis of the laws and agreements regarding data transfer of the country to which EU citizens’ personal information is being transferred.  It will be worthwhile to monitor future decisions of EU data protection authorities and whether they call any other safe harbour structures into question.

Canadian businesses which rely on Safe Harbour to transfer personal information of EU citizens from their operations in the EU to the United States or which host personal information of EU citizens with service providers operating in the United States should promptly work to adopt one of the alternative means available to comply with the EU Data Protection Directive.