Safe Harbour Episode II: the “EU-U.S. Privacy Shield”

A new hope. After the invalidation of the Safe Harbour Framework by the European Court of Justice, the “Article 29 Working Party” (WP29) has just released a public statement dated February 3rd, 2016, acknowledging that the EU and US authorities have met the end-of-January 2016 deadline to reach an agreement. It welcomes the birth of a new text called the “EU-U.S. Privacy Shield” and is now waiting for that text in order to analyse it.

Will the Shield efficiently protect European data from mass surveillance in the USA? This is the million dollar question, which only the final version of the new text will answer, unless a Court eventually decides it. According to some websites, the arrangement may be called historic, as it should contain stronger tools and mechanisms to guarantee privacy for European data exported to the US (see more info here or here). Some of the major US Internet actors, as well as emerging IT companies, have already begun to provide local data storage in Europe, especially for sensitive data. This is a very good move, provided that no access from the US remains possible. Reuters gives the example of the U.S. file-sharing company Syncplicity, which has introduced “a software that keeps sensitive corporate data created in Europe within the region, offering new ways to store data in the cloud locally”. In the meantime, and as no text has yet reached the hands of WP29, the public statement of the Working Party recalls four principles that result from its assessment of the legality of the tools currently available to transfer data to the US. These four principles should be integrated into the Privacy Shield and still apply to any company with an activity in Europe:

  • Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen to her/his data once they are transferred;
</gre_replace>
<gr_replace lines="12" cat="clarify" orig="Already doubts">
Already doubts on the new legal instrument. Some are confident about the text under negotiation and awaiting approval, calling the Privacy Shield a “historic arrangement”. In fact, the pressure coming from the press, the European legal framework and the Schrems decision should not lead to a weaker legal instrument. On the other hand, as we can read in the British press, some are ready to question and attack the Privacy Shield with their sword by bringing a legal action if the agreement is not strong enough to protect European citizens’ data. The Inquirer also reports that the text is likely to be challenged by privacy advocates.
  • Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
  • An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
  • Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.

Already doubts on the new legal instrument. Some are confident about the text under negotiations and to be approved calling the Privacy Shield as a “historic arrangement“. In fact, the pressure coming from the press and the European legal framework and Schrems decision should not lead to a worst legal instrument. In the other hand, as we can read on the British press, some are ready to put into question and attack the Privacy Shield with their sword by bringing a legal action in case the agreement is not strong enough to protect European citizen’s data. The Inquirer also relates that the text is likely to be challenged by privacy advocates.

What is the current legal situation for individuals and companies? For the moment, there are three major issues: (1) individuals may still have their data illegally exported to the US; (2) legal entities and companies, if they are sued, may see a Court grant individuals the right to claim the immediate cessation of data transfers to the US, which may have a big economic impact; and finally (3) the US legal framework remains hard to change, especially in an election period. While the authorities have met their deadline to reach an agreement on the principles of this new legislation, the Max Schrems vs. Facebook decision clearly implies that any of the 4,000 companies that has not yet put in place contractual measures to ensure the safety of data transfers to the USA is considered to be in a position of infringement. Very practically, it means that, to take the example of France, an individual could bring the matter before the “CNIL” authority to claim the immediate cessation of the transfer of the data to the US, which could also lead to sanctions against the company of up to a maximum fine of EUR 300,000 and possibly five years in prison.

Individuals are entitled to seize the competent jurisdiction. As long as the negotiations are ongoing, the European data privacy authorities have agreed not to take action against companies, but will nevertheless examine any claim from an individual. Finally, it has to be noted that the legal exceptions provided by data privacy laws, such as the express consent of the individual, legal or contractual obligations, etc., will remain a valid way to export data to the US, regardless of the ongoing negotiations.

Current tools are still valid to export data to the US. A key point of the Working Party’s press release for legal entities is that both Standard Contractual Clauses and Binding Corporate Rules are still valid instruments to legally transfer personal data to the US in accordance with EU laws and data protection principles, “for now”, say the press and the International Association of Privacy Professionals (IAPP). In other words, this may be challenged depending on the content of the Privacy Shield once it is finally agreed upon between the EU and the US.

What are the next steps? This new regulation, which should replace the Safe Harbour Framework, has not yet been adopted, as the final text has not been finalized. Furthermore, the WP29 is waiting to receive all the relevant documentation and will have to assess whether or not the Privacy Shield is sufficient to guarantee the safe transfer of European data to the US in light of the Schrems v. Facebook ruling, the European data protection principles and the US legal framework, especially the regulations related to the Patriot Act.

The Article 29 Working Party should be able to make a final statement in the course of March 2016. This further statement will be interesting to read in order to evaluate whether the Privacy Shield contains real changes or is just another political agreement. For deeper insight from stakeholders in the negotiations, the Information Technology and Innovation Foundation (ITIF) published a 50-minute live video, available on their website, describing the context of the negotiations and explaining the purpose and the idea behind this new framework.

What about Switzerland? As usual, the Confoederatio Helvetica is a neutral country, always watching its neighbours and waiting for them to find a solution before assessing whether or not to follow their position. We will probably not have much more input from the Swiss Federal Commissioner before the WP29 has given its final conclusion on the text later in March. According to the Commissioner’s last communication, which you can find on his website, the situation remains the same as before. Recently, you can read on his blog some content related to cloud computing services in which he strongly recommends that people not use any cloud platform to store sensitive data, because of the lack of encryption measures and of control over the data given to users.

Conclusion. With such a name, it would be hard to believe that the Privacy Shield would not meet the requirements imposed by the European Court of Justice in the Schrems decision to protect the data of individuals. Well, it will depend on who is protected by this Shield … individuals, companies or States? Time will tell.

Stay tuned, and see you in March!