The Information Commissioner’s Office (ICO) has recently published its response to the news that political agreement has been reached on a new EU-US Privacy Shield to replace the Safe Harbor.
Most of what the ICO has to say will no longer be news to those that are following developments in the field closely, but the tone is calm, clear and reassuring, and this blog post provides a useful summary of where we are now in relation to the Safe Harbor.
ICO not looking to expedite Safe Harbor complaints
There is also some substantive comfort for companies about the ICO’s continuing measured approach to complaints about transfers under the Safe Harbor:
“We will be guided by the risk posed to individuals and steps that can be reasonably expected of data controllers. We will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome”.
Too early to say whether the Privacy Shield will work
The European Commission says the new framework will protect fundamental rights and ensure legal certainty for business, but the ICO makes it clear that it is too early to say whether the Privacy Shield will provide adequate protection for data passed from the EU to the US (see Legal update: EU-US reach political agreement on new data transfer agreement).
This seems a fair statement: after all the Article 29 Working Party (WP29), which is the group of European data protection authorities including the ICO, hasn’t seen the detail yet. No one has: it hasn’t been written. As the ICO says:
“…there is not any new guidance for organisations at this stage – they must wait until the process of assessing the Shield is complete and the European Commission has made a formal decision on adequacy.”
While many have welcomed the attempt to reach agreement, most of the noise around the agreement has been sceptical, largely because the arrangement depends on an exchange of letters, not on any substantive legal changes in the US.
Nothing is going to happen fast
Assuming a best case scenario, that the Privacy Shield does pass muster with WP29, there are still many obstacles ahead. It’s just a political agreement, not binding, and it still has to be drafted into an adequacy decision and adopted. This will take months. WP29 has asked for documents relating to the agreement by the end of February so that it can assess its legality, whether it meets the four essential European guarantees relating to the processing of data by intelligence agencies and whether it provides legal certainty for the other transfer mechanisms. It isn’t planning to make a decision until the end of March/early April, when it will issue a statement on its findings.
Even if the Privacy Shield overcomes political and procedural hurdles, there is still the practical question of whether US companies will adopt it and whether EU companies will trust it if they do.
Whatever final form it takes, assuming it is adopted, is unlikely to be so robust that it is immune from challenge before the ECJ and challenge could bring with it years of continued uncertainty. Max Schrems certainly doesn’t appear to be taking this lying down and ended his statement:
“There will be clearly people that will challenge this – depending on the final text I may well be one of them.”
Keep doing what you’re doing, for now
WP29 and the ICO have publicly affirmed that organisations can continue to use alternative transfer mechanisms including standard contractual clauses and binding corporate rules. Many companies rely on these alternative methods for substantive contracts anyway, and most will already have taken stock of the transfers they make and communicated with their US counterparts. The ICO’s advice is to carry on with this work.
There is also a note of caution to sound around alternative methods. WP29 has said it will: “continue its work in assessing whether other transfer tools, such as standard contractual clauses and binding corporate rules can act as effective safeguards for personal data” transferred to the US.
That seems to suggest that there is a possibility that WP29 might conclude that, even in the renewed light of the Privacy Shield, they do not act as effective safeguards, meaning that these alternative transfer mechanisms may themselves be subject to recommendations on how to reinforce protection.
Looking to the future, assuming a long and wearisome period of uncertainty in this area is probably the right approach. Companies may well want to look at options that include avoiding EU-US data transfers altogether. Perhaps unsurprisingly, the news has been awash with announcements concerning new European data centres from Facebook, Oracle, Apple, OpenText, Tableau and Microsoft, to name just a few.
Don’t get distracted from the GDPR
Finally, it’s important in the excitement and uncertainty over the Privacy Shield not to lose sight of the bigger picture. The European Parliament and the Council will formally adopt the new General Data Protection Regulation (GDPR) early in 2016. At the Data Protection Forum at the end of last year, Steve Wright, Chief Privacy Officer at Unilever, reminded us of the urgency with which businesses need to get ready for GDPR and the steps they need to take to do so.