Latest Public Sector News

Safe harbor agreement to be replaced by EU-US privacy shield

Owen Evans, senior associate at Geldards LLP, advises public sector organisations on the shifting data protection situation as regards dealing with multinational IT firms.

In early February, the European Commission and the US agreed the key components of a new framework that should permit personal data to be transferred to the US from the EEA in compliance with the Data Protection Act 1998 (DPA). 

The framework, known as the ‘EU-US Privacy Shield’, hasn’t yet been finalised or approved by EU data protection authorities. However, if all runs smoothly, it’s hoped that a formal agreement will be in place by May – bringing to an end the uncertainty that followed the European Court of Justice (ECJ) decision in the case known as Schrems.  

Background 

Under the DPA, the eighth data protection principle prevents the transfer of personal data outside the EEA unless there is adequate protection in place. Under the Safe Harbor Agreement, if a US company belonged to the scheme, the US guaranteed protection in relation to the personal data of EU citizens. EU organisations could therefore transfer personal data to US companies and comply with the DPA. 

But in the Schrems ruling in autumn 2014, the ECJ declared the Safe Harbor agreement invalid, as it didn’t provide EU citizens with sufficient protection. 

The decision left many organisations in a quandary: what should they do about personal data processed in the US? How could they meet the eighth data protection principle? 

The EU-US Privacy Shield 

The key aspects of the new framework are: 

• Restrictions on and monitoring of access to personal data by the US for law enforcement and national security purposes
• No mass surveillance of EU personal data
• Annual review by EU and US
• Agreement by US data processors to strict processing rules and guaranteed rights for EU citizens
• Various rights of redress for EU citizens
• Appointment by the US of an independent ombudsperson

What does this mean for public authorities? If all goes to plan, public authorities who transfer personal data to US companies should, in the not too distant future, be able to do so with reasonable comfort that they are complying with the DPA. 

However, there are quite a few i’s that need to be dotted and t’s crossed before then. Even once final agreement is reached, the ECJ, in Schrems, made it clear that national courts and EU authorities have the final say on whether there is adequate protection. If, therefore, the Privacy Shield is challenged by an EU citizen (which is very likely), the validity of the new framework could be under review before the ink has even dried. 

Until final agreement on the Privacy Shield is reached, the position of public authorities transferring data to US organisations remains unclear. A period of grace from enforcement proceedings expired on 31 January – we do not yet know if a new period of grace will be granted whilst the finer points of the Privacy Shield are finalised. 

What can you do in the meantime? 

If it is not possible to delay making new data processing decisions until the Privacy Shield is finalised, it is essential that you take all possible steps to demonstrate that you are trying to comply with the DPA, including the eighth DPP. For example: 

• Are there alternatives to transferring personal data to the US? Can the data be processed within the EEA or another country with an ‘adequacy agreement’ in place (e.g. Canada)?
• Do your homework! Consider carefully the data security risks connected with the proposed processing, assess the pros and cons of different solutions and review the compliance record and credentials of providers. This will help you evaluate the risks and conclude whether the processing decision is justified.
• Consider using G-Cloud.
• If G-Cloud is inappropriate, incorporate the EU Model Clauses into your contract. Their validity has not yet been challenged. 

For existing US processing agreements, can you renegotiate to include the EU model clauses? Is there scope to negotiate improved security? Is there scope to require that processing is moved to the EEA? If not, is termination a legal or practical option? 

Keep an eye out for developments relating to the General Data Protection Regulation, which is intended to replace the DPA. It will introduce new compliance obligations for public authorities and increase the fines payable for non-compliance.

Tell us what you think – have your say below or email [email protected]