Privacy Shield: What does it mean?

On February 2, 2016, the European Commission announced the end of negotiations with the United States on a successor for the Safe Harbor Agreement that was annulled by the CJEU on October 6, 2015 (we reported in Update Data Protection no. 1 and 2). This new agreement called Privacy Shield is supposed to help facilitate transfers of personal data into the US as before under Safe Harbor.

Summary of basic principles

The exact wording of the new agreement is unknown so far. The European Commission and the United States only announced they had come to a basic agreement and released certain basic principles of the new agreement.
The wording needs to be finalized in the coming weeks so that it can be made part of an adequacy decision by the European Commission. On the basis of the adequacy decision an adequate level of data protection is recognized pursuant to Art. 25 (6) of the so called Data Protection Directive (Directive 95/46/EC). That way, data controllers in Germany can transfer personal data to the US pursuant to § 4b (3) German Federal Data Protection Act without prior authorization by the data protection authorities, the data subject’s consent or the use of the standard contractual clauses.
The basic principles so far released by the European Commission provide that under Privacy Shield companies in the US that receive personal data need to comply with new provisions on safeguarding data protection. In addition to that effective options for the data subjects will be introduced to provide means to defend against a misuse of the data subject’s personal data by the companies. For this, European data protection authorities will be entitled to directly complain to the US authorities. In particular, the US Department of Commerce shall review compliance with the new Privacy Shield obligations by US companies. Further, access by US authorities, in particular mass surveillance through governance agencies, will be limited and the data subjects can take legal steps by way of an ombudsman. The fact that such option was missing in Safe Harbor was one of the main criticisms the CJEU had when annulling Safe Harbor.

Outlook

It remains to be seen how the actual provisions will be worded. Until this is known and the European Commission has released its adequacy decision Privacy Shield can not be used for data transfers. Rather, data transfers that relied on the Safe Harbor Agreement infringe on data protection law since October 6, 2015 and could lead to administrative fines. The use of the so called standard contractual clauses at this time remains the only compliant method to undertake data transfers into the US without the data subject’s consent or authorization by the authorities. Should companies that until now use Safe Harbor not have made the switch so far they should do so as soon as possible. Since February 1, 2006, the grace period announced by the data protection authorities for use of Safe Harbor has expired and companies that have not implemented alternative tranfer mechanisms are subject to a high risk of an andimistative fine. To wait for the full wording of Privacy Shield is not an option.

Even after the European Commission makes its decision on Privacy Shield, companies should carefully assess whether to use this new method. It is highly expected that Privacy Shield will be attacked the same way as Safe Harbor. Whether such attacks may be successful can only be assessed after the full wording of Privacy Shield is known.