The majority of RMCs embarked on amendments to their contracts with clients and suppliers, incorporating EU-approved Model Contract Clauses which bind parties to standards of data privacy which comply with EU law. On the other hand, some organisations opted to do nothing, largely on the assumption that a Safe Harbour 2.0 would ride to the rescue.
Well, we don't have Safe Harbour 2.0, but instead, we learned on 2nd February that the EU and US authorities have agreed in principle on a new arrangement, to be known as the 'EU-US Privacy Shield'. But, before we get over-excited by this triumph for transatlantic diplomacy, there are a couple of big provisos:
- The full details of the “Privacy Shield” are not yet known and will be drafted in “the coming weeks”;
- Once drafted, the new agreement will then be put to the committee with the zappy title: "Article 29 Working Party" (representatives from each of the national data protection regulators), who will advise the European Commission on whether or not the new agreement should be adopted.
So, assuming approval, is the EU-US Privacy Shield the solution which the relocation industry has been waiting for? What will change?
The Privacy Shield is intended to provide a more robust and transparent mechanism through which EU-US personal data transfers can be protected. The new arrangement will impose stronger obligations on US companies to protect personal data and greater enforcement measures by US authorities. EU citizens will have increased rights of redress, with companies having deadlines to reply to complaints and the option to refer a dispute to a newly appointed Ombudsman.
If all this sounds positive, there are also some serious limitations and practical concerns.
Firstly, there continues to be a lack of clear guidance as to how organisations should proceed in the interim until the EU-US Privacy Shield comes into force. The Article 29 Working Party has stated that enforcement will likely be left to individual Member States' data protection authorities. On the positive side, the UK's data protection authority, ICO, has stated that it will not be seeking to expedite complaints about Safe Harbour while the process to finalise its replacement remains ongoing. But, by contrast, its French counterpart, CNIL, has issued a formal notice against Facebook, including the complaint that Facebook is still transferring data to the US under the now-invalid Safe Harbour regime.
Secondly, the longevity of the EU-US Privacy Shield is directly related to the security situation in the US and the extent to which lawmakers can prove EU citizens' data can be adequately protected under the new scheme. Will the EU-US Privacy Shield be more successful than Safe Harbour in withstanding the scrutiny of the European Court of Justice? It is highly likely that the new arrangement will be tested in the EU's highest court as soon as it comes into force.
It is intended that, by April 2016, the Article 29 Working Party will have completed its consultation with EU Member States and reported on the adequacy of the Privacy Shield proposals. It has stated that it will assess the proposals against 'four essential guarantees' to enable intelligence activities to take place:
- processing should be based on clear, precise and accessible rules;
- any processing should be necessary and proportionate with regard to any legitimate national security objectives;
- an independent body must provide effective oversight; and
- individuals must be provided with effective remedies before an independent body.
Helpfully, the Article 29 Working Party has confirmed that Model Contract Clauses will remain valid for now, but has also stated that as part of its review it will consider whether these provisions will remain valid following the introduction of the Privacy Shield.
Within the relocation sector, companies which have rolled out Model Contract Clauses can take comfort from the fact that their EU to US data transfers continue to be legally protected. For those companies which opted to take no action in the hope of a Safe Harbour 2.0 coming into effect, some uncertainty on the legal status of their data transfers will continue for at least a few more months.