European Commission approves EU-US Privacy Shield adoption
Certification to commence on August 1 for agreement that sets out new safeguards and scrutiny measures for transfer of European personal data to the US
The European Commission has adopted the EU-US Privacy Shield agreement, which details new requirements for data transfers outside of the bloc as part of a wider European overhaul of information management that is expected to impact the UK public and private sector.
Replacing the ‘Safe Harbour’ agreement that was invalidated by the European Court of Justice (ECJ) late last year, the new transatlantic data sharing deal aims to set out clear safeguards for handling EU personal information and will allow US companies to begin certifying their operations against these standards from August 1.
Critics of the agreement have maintained that the 'Privacy Shield' is likely to be a temporary measure that fails to ultimately address wider issues on sharing data beyond national and EU borders, meaning it could face similar legal challenges that led to the end of Safe Harbour.
The introduction of the Privacy Shield follows the European Parliament's approval of the new General Data Protection Regulation (GDPR) earlier this year that will now be implemented over a 48-month period. It is expected that both the Privacy Shield and GDPR will impact UK-based organisations and companies regardless of the country’s future outside the EU following last month's referendum vote.
Referring specifically to the approval of the Privacy Shield, Andrus Ansip, European Commission vice president for the proposed digital single market, claimed the agreement would protect personal data.
“Data flows between our two continents are essential to our society and economy – we now have a robust framework ensuring these transfers take place in the best and safest conditions,” he said.
Vera Jourová, European commissioner for Justice, Consumers and Gender Equality, described the Privacy Shield as a robust system to better ensure legal certainty around personal data.
“The European Commission and the US notably agreed on additional clarifications on bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies as regards limits on retention and onward transfers,” said a statement on the Privacy Shield.
The agreement is said to have been devised around several core principles that include “tightening” conditions for handling data and onward transfers of information to a third-party body. This will have implications for the US Department of Commerce, which will help oversee the agreement, requiring regular updates and reviews of companies participating under the agreement.
“The US has given the EU assurance that the access of public authorities for law enforcement and national security is subject to clear limitations, safeguards and oversight mechanisms,” said the commission.
EU citizens are also expected to be given a redress mechanism in the form of a US Ombudsman role to deal with concerns about potential unwarranted US government access to information for law enforcement or national security purposes.
“The US has ruled out indiscriminate mass surveillance on personal data transferred to the US under the EU-US Privacy Shield arrangement,” said the commission. “The Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible.”
An annual review mechanism is also included as part of the agreement, with the Privacy Shield expected to be scrutinised between US and European authorities, as well as local data protection organisations.
With the ‘Article 50’ clause that will formally commence a two-year negotiation period with the EU on ending the UK’s membership yet to be triggered, economic and political uncertainty has followed the vote to leave the bloc last month.
However, data protection experts in the UK have argued that the Privacy Shield and GDPR will both be directly and indirectly vital for the future of information management in the country.
Just this week, the Information Commissioner’s Office (ICO) said that with the GDPR expected to come into force on May 25, 2018, the government of incoming Prime Minister Theresa May would need to consider its impact on UK data transfers.
“As Baroness Neville-Rolfe said at the Privacy, Laws and Business conference, the future will be more uncertain,” said interim deputy data commissioner Steve Wood.
“But she was right to add that while the detailed future may be different from what was envisaged days ago, the underlying reality on which policy is based has not changed all that much.”
In working to set out UK guidelines for the legislation, Wood said UK-based organisations would need to be prepared for new features included in the legislation as part of a wider overhaul of how information is shared and managed between businesses, organisations and individuals.
“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to explain our view that reform of UK data protection law remains necessary,” he said.
On the back of the ‘Brexit’ vote, Peter Wright, managing director for DigitalLawUK and chair of the Law Society Technology and Law Reference Group, said that the future of national data sharing and protection requirements was "up in the air".
Despite the uncertainty, he recommended that the UK ensure it can meet the strictest data protection practices - such as those adopted in Germany - as part of efforts to ensure it follows best practice and can share information beyond its borders.
Wright, however, has maintained that the Privacy Shield functions like a "sticking plaster" for the wider issues around sharing and protecting information - such as a gap in regulatory standards when comparing US legislation to that of Europe.