What does the new EU-US Privacy Shield mean for US businesses?

24th February 2016

The EU and US have finally agreed on a new data protection framework for the transfer of personal data from Europe to the US known as the EU-US Privacy Shield – but what does this really mean for US businesses?

Safe Harbor ruled invalid

Following Edward Snowden’s revelations about the extent of the US National Security Agency’s mass surveillance operations, an Austrian law student named Max Schrems alleged that Facebook Ireland was forwarding data to the NSA, via its California headquarters. The claims ended up before the Court of Justice of the European Union which ruled on 6 October 2015 that the Safe Harbor exemption was invalid.

As approximately 4,500 US companies are currently certified as complying with the Safe Harbor provisions, this has significant implications for both EU (including UK) and US businesses.

Companies that have signed up to the Safe Harbor principles are required to adhere to a specific set of standards, that are broadly similar to the principles set out in the UK’s Data Protection Act 1998 (DPA). Prior to the Schrems ruling in October, these were considered to offer “adequate protection”, which meant that  US organisations signed-up to and compliant with the Safe Harbor were automatically authorised to accept data transfers from the EU, and UK companies were able to transfer data to these US companies without breaching the DPA.

The new framework

It was announced on 2 February that the EU and the US had reached an agreement on the new framework which will include greater transparency around US government surveillance, redress for EU citizens and the ability to refer complaints to a US ombudsman.

When will the new framework come into force?

The EU Commission expects the Privacy Shield to come into force in three months’ time. However, there is no guarantee that it will ever actually be adopted.

The full terms of the agreement are not due to be delivered to the Article 29 Working Party (which is composed of representatives of the national data protection authorities in the EU member states) (the Working Party) until the end of February. The Working Party will then hold an extraordinary meeting to discuss the new scheme and to decide whether it provides adequate protection. Its opinion is expected to be delivered in April.

The relevant US authorities will also need to formally adopt the scheme.

What advice is being given to UK businesses?

UK businesses are being advised to review their arrangements so that they can identify:

• what information they transfer to the US
• who they transfer it to – is it a group company or a third party? and
• the basis on which the information is transferred – are they using the Safe Harbor exemption, model clauses or some other mechanism to keep personal data safe and secure?

Once businesses have identified which third parties are relying on the Safe Harbor exemption, the advice is to discuss the issue and potential solutions with those third parties.

In the meantime, UK businesses are being informed that the following options are available to them:

• stop transferring data to the US – for example, by using UK based data processors or making sure that servers are located in the EU
  • Contracts with server suppliers need to be checked carefully to ensure that the host company does not permit its US affiliates to access information stored on those servers, as this may amount to data being transferred to the US.
• anonymise the data to be transferred so that it falls outside the scope of the Data Protection Act 1998 (the DPA)
  • However, the data may lose its usefulness if it is anonymised or, depending on the volume and type of data being transferred, it may simply be too onerous to anonymise it.
• amend existing contracts to include “Model Contract Clauses”
  • The Working Party has confirmed that these will continue to be valid, at least until the Privacy Shield comes into force.
• adopt binding corporate rules (only available for intra-group transfers)
  • The Working Party has confirmed that these will continue to be valid, at least until the Privacy Shield comes into force. However, the application process for adopting these rules can be lengthy and cumbersome.
• assess their own compliance by way of “self-assessed adequacy”
  • This is a risky option as it does not guarantee compliance with the DPA.

Why the urgency?

After Safe Harbor was declared invalid, the Working Party issued a statement saying that it would allow organisations a 3 month grace period to put alternative data transfer mechanisms in place before any enforcement action was taken by local data protection authorities. This grace period ended on 31 January 2016.

Even though the Privacy Shield has now been agreed in principle between the EU and the US, the Working Party has stated that as it has not yet seen the details of the Privacy Shield, it is not in a position to confirm whether it adequately replaces Safe Harbor. In the meantime, local regulators may begin to take enforcement action in respect of “related cases and complaints on a case-by-case basis“. In fact, the French data protection authority has already issued a notice to Facebook ordering it to comply with the French data protection legislation (including ceasing to transfer data to the US under Safe Harbor) within 3 months.

The Information Commissioner’s Office (the ICO) has encouraged UK organisations to review their data transfers to the US, “so that they are in a good position to act, should they need to“. It has also now confirmed that it will consider complaints but it will “not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome“. However, as the ICO can issue fines of up to £500,000 for breaches of the DPA, UK organisations cannot afford to simply do nothing.

So what do US businesses need to do?

Firstly, US businesses should identify what data they receive or collect from the UK and other EU countries. This includes data which is:

• transferred to the US within a group of companies
• collected in the US from individuals using a device in the UK or another EU country or through the use of cookies or
• stored on servers located in the EU but which can be accessed by people in the US.

Secondly, US businesses need to understand the basis on which they are receiving or collecting that data i.e. is it being transferred to the US in accordance with the DPA? If the data is being transferred in accordance with either the model clauses (issued by the EU Commission) or binding corporate rules, these will continue to be valid for the time being, and so currently no further action is required.

If the data is currently being transferred either pursuant to the Safe Harbor exemption or without any of these safeguards, then there is a potential breach of the DPA. In this situation, the organisations involved in the transfer will need to consider the alternative options for dealing with the data which are set out above.

Going forwards, US businesses should have a clear policy governing how they will acquire, safeguard, store, disclose and manage personal data.

In the meantime, organisations on both sides of the Atlantic will need to watch this space carefully so that they are ready to deal with the next development in the ongoing saga of Schrems and the Safe Harbor / Privacy Shield.

The Regulatory and Compliance Team have considerable experience helping businesses understand and comply with their data protection obligations. If you have any questions relating to the Privacy Shield or data protection generally, please contact Jeanette Burgess, Andrew Northage or another member of the team.

If you would like a copy of our data protection booklet Data Protection: issues applying to US businesses operating in the UK and throughout Europe, please contact Jeanette or Andrew.