Safe Harbour Agreement to be replaced by EU-US Privacy Shield

Ceri Delemore, Geldards

Last autumn, the ECJ decision in Schrems[1] declared the EU/US Safe Harbour Framework (“SHF”) invalid, so transatlantic transfers of personal data that relied on it no longer had a lawful basis. The decision left many UK organisations in a quandary about how to meet their obligations under the Data Protection Act 1998.

Political agreement between the EU and US has now been reached on a new privacy arrangement to replace the SHF, known as the “EU-US Privacy Shield”. In this article, we take a look at the deal that has been reached, the next steps and the position of UK public sector bodies in the meantime.

A reminder of the issues

  • Under the Data Protection Act 1998 (“DPA”), the eighth data protection principle prevents the transfer of personal data outside the EEA unless there is adequate protection in place.
  • Transfers of personal data between the EU and the US were previously permitted under the Safe Harbour Framework (“SHF”). If a US company signed up to the SHF, personal data transferred to it was treated as adequately protected for the purposes of the eighth principle.
  • The SHF meant that EU organisations could transfer personal data to US companies and still comply with the eighth data protection principle.
  • In Schrems, the ECJ declared the SHF invalid as it didn’t provide EU citizens with sufficient protection.

The EU-US Privacy Shield

  • Following the decision in Schrems, the EU and US authorities were given until 31st January 2016 to put a new privacy agreement in place to cover transatlantic transfers of personal data.
  • The new framework was announced on 2nd February, but the text of what has been agreed is not yet available.
  • However, it is known that the key features of the Privacy Shield will include:
    • Stronger obligations on US companies that sign up to the scheme and better monitoring and enforcement in relation to those companies;
    • Limitations on the access by US government agencies to the personal data of EU citizens and the introduction of safeguarding and oversight mechanisms;
    • An annual joint review by the European Commission and the US Department of Commerce;
    • Specific rights of redress for EU citizens; and
    • The appointment by the US of an independent ombudsperson to investigate complaints relating to data access by US government agencies.

What does this mean for UK public sector bodies?

  • If your organisation uses a UK or EU based data processing solution, the decision in Schrems and the resulting developments will have no direct impact on you, provided that the supplier’s sub-processors, support staff and backups are also located within the EEA. It is worth checking this, because a nominally UK-hosted service can still involve a transfer to the US if US-based staff or sub-contractors have access to the personal data.
  • However, if your organisation is currently reliant on data processing undertaken by US based data centres, or is considering entering into a processing deal with US based suppliers, formal EU/US agreement of the Privacy Shield will mean that you can transfer personal data to the US in compliance with the eighth data protection principle (provided, of course, that the US company you transfer to has signed up to the new framework).
  • Unfortunately, we are still some way off final agreement of the Privacy Shield and it could be a number of months before this happens.
  • Also, even assuming the Privacy Shield is formally agreed, public sector organisations will still need to keep an eye on the headlines. This is because:
    • It is always possible that the Privacy Shield will be challenged in the European Court of Justice in the same way as the SHF was; and
    • The plan to review the Privacy Shield annually could mean that new compliance obligations emerge on a regular basis, which require organisations to change their arrangements/procedures.

What’s the position in the meantime?

  • Until the Privacy Shield is finalised and in place, EU organisations have been told that they can continue to use the EU Model Clauses (see guidance from the Information Commissioner’s Office for more information) to facilitate the transfer of personal data to the US. You must not rely on the SHF under any circumstances.
  • Any new data processing agreements entered into before the Privacy Shield is finalised (assuming the data processor is a US company using US based data centres) should therefore incorporate the appropriate EU Model Clauses verbatim. You should also ensure that you have the right to vary your contract once the Privacy Shield is finalised (as it is possible that the position relating to reliance on the EU Model Clauses will change). It goes without saying that you should also carefully evaluate the security risks and the standing and reputation of the proposed data processor, so that the risks to personal data are kept to an absolute minimum.
  • If you are a party to an existing data processing agreement with a US company that processes your personal data in the US, the position is trickier for a number of reasons. However, your starting point should be to evaluate the current level of risk and then consider what can be done to improve the protection of the personal data that is being processed. For example, you may be able to vary your agreement to incorporate the EU Model Clauses, agree better security measures and/or agree that processing will be moved to the EU. Alternatively, you may be able to exercise contractual rights to terminate your agreement.
  • Whatever position you are in, it is important that you think carefully and ideally take legal advice before you act.

And Finally…

As if there wasn’t enough to worry about, public sector bodies also need to keep an eye out for developments relating to the General Data Protection Regulation (“GDPR”), which will eventually replace the DPA. Although the GDPR won’t come into force for another 2 years or so, the changes it will introduce to data protection laws in the UK mean that public sector bodies are advised to start thinking about compliance well in advance. Watch out for our forthcoming guide on what to expect.

[1] Case C-362/14 Maximillian Schrems v Data Protection Commissioner