The European Commission recently announced a new Safe Harbor deal, being called the EU-US Privacy Shield, which it hopes to have in place within three months. The Commission is proposing that the new Privacy Shield arrangement be based on a unilateral decision from the European Commission that US data protection laws are adequate when a company has signed up to the Privacy Shield Programme.
It remains to be seen if the new deal can be a lasting solution as it presently seems unlikely that Privacy Shield will be a complete answer to any organisation’s data transfer issues. With practical work on the deal still underway, it’s important that organisations act now to protect themselves. They must have plans in place to comply.
Here are some suggestions:
- Map data flows in your organisation to determine the following:
  - What information travels outside the EU and on what basis?
  - Is it inter-group or is it to third parties?
  - Were these groups/third parties using Safe Harbor as an exemption, or are other measures already in place?
- Check your contracts with your third-party suppliers who used Safe Harbor. Are they dealing with the issues surrounding Safe Harbor? It’s a good time to start a dialogue on the measures being undertaken.
- Equally, if you are a supplier who relied on Safe Harbor to legitimise your processing activities, make sure that the Schrems invalidity ruling doesn’t put you in breach of any of your contracts, and perhaps consider reaching out to your affected customers too.
- Consider the options available to your business. Presently, they are:
  - Stop transferring personal data to the US – for example, site your servers in the EU. This may be a draconian suggestion for some businesses, but for others it might be a relatively easy switch.
  - Put in place "Model Contract Clauses". These are an easy fix as the terms have been fixed by the EU – but note that you shouldn’t change any of their terms. Also, they are legally binding documents that impose obligations on both parties, so they must be clearly understood. Don’t adopt them lightly. Furthermore, they need to be entered into between the data controller (i.e. your organisation) and the data processor (i.e. the organisation that processes the data).
  - Consider moving to “Binding Corporate Rules” ("BCRs"). This shouldn’t be a knee-jerk reaction as BCRs require a corporate “buy-in” to the protection of personal data, which is in fact their strength, and businesses who were “more seriously” into Safe Harbor may find that they are already a long way down the path to making the changes required for BCRs. It’s worth pointing out that BCRs are not an overnight solution – they have to be approved by data protection regulators and the negotiation process can take some months. BCRs are also not a catch-all solution, and some data protection authorities currently have no BCR option for data transfers in their jurisdiction. See here for more about BCRs.
Even though Privacy Shield is still ‘work in progress’, questions remain about enforcement – will it be piecemeal and connected with other investigations or orchestrated and widespread? Initial signs from France and Germany especially suggest enforcement is starting but how much of an issue that becomes is yet to be seen.