On Tuesday 12 July, the EU and U.S. signed the long-awaited Privacy Shield Agreement. The origins of the Privacy Shield Agreement derive from the Court of Justice of the European Union (CJEU) ruling on the case “Max Schrems v Irish Data Protection Commissioner (Safe Harbour)”. The case saw activist Max Schrems filing a complaint against Facebook, claiming that the company wrongfully handled his personal data. It escalated to the Court of Justice of the European Union (CJEU) which ruled in favour of Max Schrems and this ruling effectively struck down the Safe Harbour Agreement, leaving the EU and the U.S. without a reliable framework regulating transatlantic data flows.
Since then, both the EU and U.S. administrations have been extremely eager to adopt a new and more robust agreement. Today’s Privacy Shield provides a new framework that is designed to protect the ‘fundamental rights of anyone in the EU whose personal data is transferred to the U.S.’ in addition to providing increased legal clarity for businesses relying on international data flows.
What is in Privacy Shield?
The agreement provides a clear set of rules for U.S. companies and intelligence agencies with regards to the handling of EU citizens’ personal data. As it was for Safe Harbour, businesses will be allowed to self-certify that their data processing procedures comply with EU data protection standards. However, from now on the U.S. Department of Commerce is in charge of keeping track of signatories with a closer focus on the companies who decided not to sign up to Privacy Shield.
More redress mechanisms will be in place for EU citizens: they will still be able to take their complaints to the national Data Protection Authorities (in charge of processing complaints) which will collaborate closely with the Department of Commerce (aiming to respond within 90 days) or the Federal Trade Commission. However, in addition to this, individuals can also go straight to the company participating in Privacy Shield, or the U.S. Ombudsman, whenever they fear that their personal information has been used in an unlawful way by U.S. authorities in the area of national security.
Three things that are new for developers:
U.S. and EU based tech companies and app developers storing EU citizens’ personal data overseas are encouraged to self-certify and sign up to the Privacy Shield Agreement. By doing this, they effectively agree to adhere to a series of rules and procedures with regards to the handling of personal data.
- First and foremost, the tech company or app developer will now only be allowed to retain personal data for as long as the data serves its purpose.
- Second, the tech companies or app developers that sign up to Privacy Shield agree to tighter conditions for onward transfers of personal data to third parties. This means that a tech company that has signed up to Privacy Shield cannot transfer EU citizens’ personal data to another tech company that is not signed up to Privacy Shield, this is to ensure that the system is not abused or manipulated.
- Third, tech companies and app developers will be able to sign up for the agreement individually as of 1 August 2016. However, the major data storage service providers (Amazon, Microsoft, Google) have already announced that they will sign up Privacy Shield as soon as possible. Therefore, app devs are encouraged to reach out and understand what this means for them.
New challenges ahead for international data transfers?
The “standard contractual clauses” that companies adopted in order to comply with EU data protection laws after Safe Harbour were Commission-approved clauses.
The validity of these clauses has recently come under scrutiny so the Irish High Court is in the process of assessing them. When and if these challenges reach the CJEU in the next year or so, they will present a very different picture from the original Safe Harbour case: firstly, because several companies will be part of the case and, secondly, because these clauses are used to transfer data to all the countries that have not been considered “adequate” under the 1995 Data Protection Directive.
The final test of the solidity of international data flow rules is yet to come.
Policy Manager, EU