This article was co-authored with guest blogger Peter Wainman, a partner with Mills & Reeve LLP
Transfers of personal data from most European countries to the U.S. have been exposed to legal attack since October 2015, when privacy campaigner Max Schrems successfully sued the Irish authorities over data transfers made by Facebook Ireland. The main objection to the Safe Harbor was that transferring EU citizens’ data to the U.S. subjected the data to the U.S. government’s bulk surveillance.
That David-and-Goliath litigation saw the end of the “Safe Harbor” decision protecting transatlantic data flows when the European courts declared it invalid. While other legal methods of data transfer are available, the Safe Harbor was widely relied on, especially by technology businesses.
A new Privacy Shield
Since then, the EU and U.S. authorities have been working on a replacement – the EU-US “Privacy Shield.” After a first attempt was rejected by national and EU regulators, a tightened-up version has now passed the test. The U.S. Department of Commerce has a useful fact sheet and a guide to certification available on its website. Likewise, the European Commission’s press release and FAQs document provide a helpful summary.
The revised version of the Privacy Shield consists of: an adequacy decision describing the system of self-certification through which U.S. organizations commit themselves to a set of privacy principles; and a set of seven Annexes dealing with the arrangements that the U.S. authorities will implement to safeguard EU citizens’ data.
U.S. companies will be able to self-certify with the U.S. Department of Commerce beginning on August 1. There will be an annual joint review process to check that the system is working.
The certainty offered by agreement on the Privacy Shield has been widely welcomed. The Privacy Shield requires the creation of a new U.S. authority intended to address the concerns of EU citizens about U.S. government surveillance. However, this may not be the end of the story. Max Schrems, the activist responsible for the demise of its predecessor, has told journalists that the Privacy Shield is full of holes and, as such, is likely to fail a legal challenge – although he does not want to be the one to bring it.
What does this mean for the UK?
The UK privacy regulator, the ICO, has indicated that it will press for UK laws to track those of the EU.
It may be that the UK will adopt most of the changes due to take effect in 2018 under the GDPR, but leave out some of the more onerous obligations that could, for example, impede the activity of SMEs. If the UK ends up with a relatively distant relationship with the EU compared to an EEA member like Norway, privacy laws could diverge. In that case, the UK will have to demonstrate adequacy of protection for European citizens’ privacy, as the U.S. has done, if it is to do business freely across Europe.