From “Safe Harbour” to “Data Protection Shield”?

In November 2015, the European Court of Justice (ECJ) declared the agreement between the EU and the USA, which was to facilitate the transmission of personal data to enterprises in the USA (“Safe Harbour”) to be ineffective, and ever since there has been considerable legal uncertainty in the matter. It was and is clear that the transmission of personal data on basis of this agreement is no longer admissible.

In order to relieve the affected businesses, the European data protection authorities agreed on a “moratorium”. Pursuant thereto, they decided not to proceed against European companies transmitting their data on the “Safe Harbour” basis to the USA, at least until the end of January 2016. Shortly after the expiration of this moratorium the EU Commission and the US Government have recently announced that they have agreed on a new regulation. Little is known so far regarding the contents of the new regulation. Evidently no fully drafted regulation is yet available, only the name (“EU-US Privacy Shield” = “data protection shield”) is known.

Among the already known basic information about the new agreement is that EU citizens are to be given the option of retaining an ombudsman in the USA free of charge. In addition, U.S. companies shall be examined more closely by the U.S. Commerce Department than was previously the case.

However, it is still unclear how the new agreement will deal with the ECJ’s largest objection. The ECJ based its decision mainly on the fact that the U.S. security agencies are given virtually unrestricted access to personal data. A change in the U.S. legislation is evidently not planned.Rrather it seems that the EU Commission essentially relies on the promises of the U.S. secret service co-ordinator.

It is therefore not surprising that the planned new agreement is already being heavily criticized. Data protection proponents doubt whether an agreement with the currently known contents would be upheld by the ECJ.

The union of the European data protection authorities (the so-called “Article 29 working group”) has so far expressed itself with great reserve and has announced a comprehensive review. In the meantime, in the opinion of the working group at least all data transmissions to the USA on the basis of the Safe Harbour Agreement are inadmissible. The national supervisory authorities are to decide in individual cases whether and in what form they will proceed against violators. However, data transmissions to the USA on the basis of EU standard agreements or “Binding Corporate Rules” are still being tolerated during the test phase. With the expiration of the test phase - expected in March - the working group wants to decide whether data transmissions on this basis will continue to be permitted.

Unfortunately, this is only limited good news for companies. What is to be seen positively is that the EU Commission and the US Government are actively looking for a solution. However, until further notice the substantial legal uncertainty will remain. Companies are therefore well advised to closely examine any data transmissions to the USA (including the use of IT services of U.S. providers, such as e.g. cloud solutions). The need for urgent action exists for those companies that still rely on Safe Harbour.