In the 21st-century world of social media, it seems many of us are willing to share our most intimate experiences. That’s fine — it’s our choice — but when someone else holds your personal data, you are no longer in control of what happens to that data. Within Europe, it is reasonable to assume that the law protects us against the data being misused or being passed on to a third party without our consent or even knowledge. However, that is not the case with transfers of personal data in, and to, the United States.
Consider the case brought by the Austrian citizen Maximilian Schrems, a long-term Facebook user. In that case, it was accepted that the protection afforded by the European Data Protection Directive over his online data was robust while the data was transferred between EU countries, but went out the window when it was transferred to the United States.
The ability of the US government’s National Security Agency to override the agreement between the EU Commission and the US Department of Commerce as to the protection of personal data, known as the “Safe Harbor” agreement, for reasons of national security, public interest or law enforcement, rendered the agreement invalid, according to the European Court of Justice (CJEU) in October 2015.
Since that decision, some 4,500 companies that were accustomed to transferring data between the EU and the US in reliance on the “Safe Harbor” agreement have had to use additional measures, such as standard contractual clauses and binding corporate rules, to introduce safeguards for all personal data. The decision affects not only multi-national businesses but any business that uses cloud-based storage where data may be processed or held in the US.
Negotiations between the US and EU had been going on for some time before last year’s decision, with the aim of agreeing a more robust scheme of protection for personal data of EU citizens being transferred to servers in the US. The decision of the CJEU made that outcome more urgent, and on Feb. 2, 2016, it was announced that the EU Commission and the US Department of Commerce had established a new framework entitled the “Privacy Shield.”
Before the ink was dry on the announcement about the “Privacy Shield,” the Article 29 Working Party, the committee of representatives of the national data protection authorities plus the European Data Protection Supervisor and the European Commission, issued a statement saying it still had concerns that the current US legal framework, as regards its intelligence activities, did not provide guarantees on four essential elements of personal data protection:
A. Processing should be based on clear, precise and accessible rules: this means that anyone who is reasonably informed should be able to foresee what might happen with her/his data where it is transferred;
B. Necessity and proportionality: a balance needs to be found between the objective for which the data is collected and accessed (generally national security) and the rights of the individual;
C. An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks; and
D. Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.
While the Working Party indicated it would await publication of the full terms of the “Privacy Shield” in spring, it also issued an undisguised threat that the national data protection authorities would start to analyze all personal data transfers to the US. This resumption of enforcement action would involve investigating transfers to see whether they comply with the protections required by the existing Data Protection Directive. It could result in penalties if the authorities are not satisfied that the “Privacy Shield” delivers the guarantees they are looking for.
While the EU authorities fret about the robustness of the amended agreement, on the other side of the Atlantic the US Department of Commerce still regards the original “Safe Harbor” agreement as valid for companies that are certified under that arrangement.
This difference of opinion about the need for greater protection of an individual’s personal data may delay a new agreement between the two sides, and leave businesses with a great deal of uncertainty for the foreseeable future.
Standard contractual clauses and binding corporate rules may not withstand scrutiny in the long term, so businesses have also been finding ways of retaining data within the EU by moving data processing centers from the US to EU countries. This may be a costly, and ultimately unnecessary, measure, but it provides an element of certainty by removing the problem of a transatlantic transfer altogether.