Navigating from Safe Harbour to Privacy Shield
Following revelations regarding mass surveillance operations by the US National Security Agency, the mechanisms through which the personal data of EU citizens is protected when transferred to US organisations have come under considerable scrutiny.
In October 2015, the European Court of Justice found one of the existing main mechanisms, the so-called “Safe Harbour” framework, to be inadequate and ruled that it was no longer valid.
Since then, negotiations between the US and EU authorities to provide a viable alternative have been ongoing. On 2 February 2016 a replacement framework, the EU-US Privacy Shield, was announced. The new arrangement aims to impose stronger obligations on US companies to protect personal data and to ensure greater enforcement measures by US authorities. It also aims to provide increased rights of redress to EU citizens, obliging companies to respond to complaints and appointing a new ombudsman to handle disputes.
The Privacy Shield is yet to come into force and guidelines as to how organisations should now proceed have not yet been produced. So how should companies respond? The EU requires that EU citizens are able to take legal action against US data processors/controllers in case of any infringement of their data privacy rights. Consequently, during this interim period before the Privacy Shield comes into force, national data protection authorities could take action against companies that have not taken steps to ensure adequate protection of the data they handle.
Doing nothing and waiting for the details to be announced and the Privacy Shield to come into force is not a recommended course of action.
Organisations should begin with a risk assessment to establish where their data is located, what their data subjects have agreed to and whether it will be adequately protected. GoodCorporation’s Data Protection Framework can be used as the basis for such an assessment.
Companies that do not necessarily need to transfer data to the US and can have their data physically located within the EU may want to ensure that none of their service providers use servers outside the EU and actively keep data off US servers. Avoiding the US might also be useful in the light of the EU’s new General Data Protection Regulation (GDPR), which will come into effect early to mid-2018 and impose stronger requirements EU-wide to safeguard personal data.
However, this does not solve the problem of multinational companies who will need to access or transfer data from the EU to the US.
To address this issue, companies may want to consider getting explicit permission for data to be transferred to and/or housed in the US. This can be quite difficult, as it is sometimes contentious how far consent goes, and the companies need to be certain that the consent they obtain really does cover all the actions relating to personal data. Obtaining consent will have a much higher threshold with the new GDPR, but for now the old rules apply.
If data is housed in the US or will need to be transferred across the Atlantic, the following interim steps could also be considered:
- Incorporating Model Clauses into contracts governing data transfers or into other agreements between the relevant entities – this is essentially a bilateral agreement between the EU-based organisation and its US-based partner. However, this can turn into an administrative headache for big companies, as a separate contract is needed for each pair of entities between which data is transferred.
- Establishing a set of binding corporate rules which are approved by the national data protection authority – as with the Model Clauses, such rules aim to ensure that the data subject’s rights will not be prejudiced as a result of transfers made to countries that do not have an adequate level of protection. However, this is time-consuming and, in the UK, can take up to 18 months or even longer.
- Relying on self-assessment – there is a possibility, at least in the UK, to self-certify. This is subject to challenge, so an organisation would need to ensure that it has substantive proof that it has taken steps to safeguard the relevant data.
- Employing anonymisation techniques – if organisations can anonymise the relevant data so that it is not possible to identify the relevant data subject, the rules regarding data protection do not apply. To the extent possible, data controllers should therefore use anonymisation techniques to minimise their compliance burden; and
- Considering other available derogations. Consent is one of the possible derogations, but others which may be relevant include the necessity of transferring personal data to perform a contract. If the contract cannot be performed without a data transfer, then this usually constitutes a derogation from the need to have other mechanisms to safeguard the data. Another derogation would apply if the transfer is in the vital interest of the data subject.
Managing data is becoming an increasingly challenging area for companies. Clear policies, regular risk assessments and a detailed understanding of the changing and complex legal landscape are essential. Organisations need to undertake periodic reviews of the effectiveness of their data management, and boards should be demanding regular reports from data protection audits, covering feedback on any breaches, risks and relevant mitigation measures. At the very least, the Safe Harbour ruling and the new GDPR mean that all companies should be carrying out a careful review of the data they collect, where it is housed and how it is used.
GoodCorporation’s data protection framework is designed to help managers without a legal or IT background to cut through the jargon and to understand in a straightforward way what they need to do to ensure that data is properly protected and used responsibly.
Published February 2016