knowledge 12 July 2017 |

International Data Transfers - First Annual Review of Privacy Shield

Following the declaration of invalidity in relation to the Safe Harbor framework by the Court of Justice of the European Union in the Schrems case¹ in 2015, the EU Commission and the U.S. Department of Commerce jointly developed the Privacy Shield. The Privacy Shield facilitates transfers of personal data from the EU to the United States (the “U.S.”), so long as the relevant company in the US is self-certified as Privacy Shield compliant. To date, more than 2,000 organisations have self-certified under the Privacy Shield.

This first annual review is particularly important as the Privacy Shield has been the subject of much commentary and scrutiny since its publication (including from the Article 29 Working Party, which is a body made up of the EU data protection authorities. Some criticism of Privacy Shield has focused on concerns over the potential access by U.S. public authorities (such as law enforcement agencies) to personal data transferred to the U.S. Other criticisms include: (i) that certain principles of European data protection law, eg in relation to data retention and purpose limitation, are not adequately reflected in the framework; and (ii) that the Privacy Shield does not give users as much control in relation to the use of their personal data as provided for under EU data protection law. The Privacy Shield is also the subject of two separate legal challenges by NGOs (Digital Rights Ireland² and La Quadrature du Net³).

The Article 29 Working Party recently sent a letter to the EU Commission setting out its views and recommendations as to how the first annual review of the Privacy Shield should be conducted.

In addition, the Article 29 Working Party issued a press release highlighting its main concerns in relation to the operation of the Privacy Shield. The approach of the Working Party differs from the far more positive and practical view of businesses relying on the Privacy Shield to facilitate transatlantic transfers of personal data, who remain hopeful that the Privacy Shield will survive the review.

Regulators in both the U.S. and EU are expected to address concerns which have been raised in the past year, and obtain the necessary information and evidence to demonstrate the robustness of the Privacy Shield. Once the review is complete, a report will be issued by the European Commission to the Council and the European Parliament.

As discussed in further detail in our article here, while there may be merit in some of the criticisms of the Privacy Shield, the necessity for a mechanism for the transfer of personal data to the U.S. in compliance with EU data protection law cannot be denied. It is worth noting that the EU-U.S. Privacy Shield Framework Principles issued by the U.S. Department of Commerce⁴ emphasise the importance of transatlantic trade and state that the principles were developed “to facilitate trade and commerce between the United States and European Union”. Indeed, Recital 101 of the EU General Data Protection Regulation (which will replace existing data protection law from 25 May 2018) acknowledges the importance of such data flows, stating that they are “necessary for the expansion of international trade and international cooperation”.

It is worth noting that there have been no negative changes to U.S. law or practice since Privacy Shield was adopted and, further, that the additional protections for data subjects under the Privacy Shield (in comparison with Safe Harbor) remain in place. Such protections are discussed in detail in our article here and include: (i) more detailed transparency/notice requirements; (ii) more choice for data subjects in relation to the uses of their personal data; (iii) strengthened requirements and accountability for onward transfers; (iv) changes in relation to data retention; (v) a wider range of enforcement mechanisms; (vi) the prospective appointment of an Ombudsperson; and (vii) annual re-certification by U.S. companies availing of the Privacy Shield.

In addition, further positive factors such as the National Security Agency’s announcement that its foreign intelligence surveillance activities under Section 702 of the FISA Amendments Act will no longer include any upstream internet communications that are solely "about" foreign intelligence targets, mean that businesses on both sides of the Atlantic remain optimistic about the continued ability to rely on Privacy Shield for the transfer of EU personal data to the U.S.