EU and US reach political agreement on transferring data to US


Posted on 23 Feb 2016

The European Commission and the US have reached political agreement on a new framework that will allow personal data to be transferred to the US. This follows the ECJ’s ruling in Schrems v Data Protection Officer that the “safe harbour” framework did not provide adequate protection and could not be relied upon to transfer data between the EU and the US.

The EU-US Privacy Shield will:

  • Place stronger obligations on US companies handling EU citizens’ personal data. They will have to commit to robust obligations on how personal data is processed and the US Department of Commerce will monitor publication of commitments, making them enforceable under US law by the US Federal Trade Commission. In addition, any company receiving human resources data from Europe will have to commit to comply with decisions of European Data Protection Authorities, including the Information Commissioner’s Office (ICO).
  • Ensure that access to EU citizens’ personal data by US government agencies will be subject to clear limitations, safeguards and oversight mechanisms. The US government has ruled out indiscriminate mass surveillance of personal data transferred to the US. There will also be an annual joint review of the arrangements conducted by the European Commission and the US Department of Commerce.
  • Provide for several avenues of redress for EU citizens. There will be deadlines for companies to reply to complaints, and European Data Protection Authorities will be able to refer complaints to the US Department of Commerce and the Federal Trade Commission. In addition, alternative dispute resolution will be free of charge and a new Ombudsman will be created to deal with complaints relating to possible access by intelligence agencies.

The European Commission considers that the EU-US Privacy Shield reflects the requirements of the ECJ judgment in Schrems. The Article 29 Working Party will be assessing its legality; in the meantime, the Working Party will allow data controllers to use Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) to transfer personal data to the US.

In the UK, the ICO has confirmed that organisations can continue to use SCCs and BCRs for transfers from the EU to the US. It advises organisations to take stock of the transfers they make and to have a proper understanding of the legal basis of any transfer. It also suggests that they flag to organisations in the US that the EU-US Privacy Shield may need to be considered in future.

As regards enforcement action following the declaration that the safe harbour framework is invalid, the ICO has said that it will consider complaints under the usual ICO regulatory policy and will be guided by the risk posed to individuals and the steps that can reasonably be expected of data controllers. This will be welcomed by data controllers whilst the current uncertainty continues.