Uncertainty Still Surrounds Data Export To The US
European businesses exporting data to the US can now breathe a sigh of relief (albeit possibly a temporary one), as a political agreement was reached yesterday to put in place an alternative to safe harbour. Once the necessary legalities are in place, personal data can be sent from Europe to the US again without the formalities which have been required in the last 4 months.
Until October 2015, many European businesses sent data to the US using the safe harbour scheme. This was a self-certified registration scheme and meant that data could be sent to those businesses on the register with little formality. It meant that even the smallest businesses could take advantage of, for example, cloud solutions or outsource their backroom services without having to jump through expensive legalistic hoops such as putting in place mandated contractual provisions or getting consent from each person affected.
Safe Harbour was never popular with privacy campaigners, however, as the lack of oversight and redress and the self-certification nature of the scheme meant that many didn’t think that it gave meaningful protection. This view was taken by privacy campaigner Max Schrems and at the beginning of October his case was heard by the European Court of Justice. The Court agreed with Mr Schrems and safe harbour was declared invalid with immediate effect. This left a lot of businesses exporting data to the US illegally or running around trying to put alternatives in place at short notice.
We were promised a fix to the problem with “safer harbour” and after months of negotiation, this has now become a privacy shield. In a nutshell the privacy shield will do the following:
1. US businesses who sign up to the privacy shield scheme are required to commit to more robust obligations on what they do with the personal data, which will be enforceable under US law.
2. Any US business who processes human resources data must abide by decisions of European data protection authorities.
3. Law enforcement and security organisations in the US are to be subject to limitations and safeguards and the US has ruled out indiscriminate, mass surveillance. There will be a joint annual review of the arrangement by the US and the European Commission.
4. There will be a new ombudsman for individuals to complain to in relation to access by the security services.
5. Redress for misuse of other data will be either directly with the companies concerned or through the European data protection authorities, which can complain to the US Department of Commerce.
A formal decision of adequacy now needs to be made to legalise the privacy shield and the US needs to put in place the mechanisms it has committed to implementing.
Expert Opinion
“Can business breathe a sigh of relief with the new privacy shield and get on with business as usual or does it have holes? I think businesses should be cautious as all we have seen so far is a broad statement of intent and the devil is in the detail – it may not pan out as expected and it still requires formal approval. Also, it has already been criticised by privacy campaigners, including Mr Schrems, as not going far enough. There is still a risk therefore that if it goes in front of the ECJ, it won’t stand up and we could be back to where we were in October. Unfortunately uncertainty still surrounds data export to the US and is likely to do so for the foreseeable future.” Joanne Bone - Partner