In October 2015, the Court of Justice of the European Union (CJEU) ruled that the EU-U.S. Safe Harbour framework, the long-standing trans-Atlantic data transmission channel, was invalid. This case originated with objections brought before the Irish courts by privacy campaigner Max Schrems against the transfer of data by Facebook Ireland to the U.S. The decision to strike down Safe Harbour led to months of legal uncertainty and prompted a collaborative effort between the U.S. and EU data protection authorities, culminating in the EU-U.S. Privacy Shield.
Privacy Shield Launch
The European Commission adopted the Privacy Shield on 12 July 2016, highlighting the social and economic importance of data flows between Europe and the U.S. and emphasising the certainty that the Privacy Shield would bring.
The Privacy Shield became fully operational on 1 August 2016, at which point U.S. organisations were free to sign up to its terms. While signing up is voluntary, the commitment to comply is enforceable under U.S. law, with the U.S. Department of Commerce tasked with verifying that privacy policies comply with the Privacy Shield standards.
The driving force behind the Privacy Shield is that personal data transferred to the U.S. should, as it does within the EU, have the benefit of data protection rules and safeguards. Accordingly, the Privacy Shield places various obligations on the relevant U.S. organisation, including obligations to hold that data securely (even if transferred to another entity) and allow information and access rights to the person whose data is held/controlled (who has the right to lodge a complaint and has several redress possibilities). In addition, the use of data for different purposes is limited, as is the period of time for which the data may be retained.
Further Change to Come?
The Privacy Shield has only recently been introduced but has already been the subject of much criticism. In March 2016, an earlier version was heavily criticised by civil rights organisations which claimed that it did not comply with the standards set by the CJEU. More recently, Max Schrems has called into question the effectiveness of the Privacy Shield and whether it will in fact offer any more protection than Safe Harbour.
Additional proceedings before the Irish courts could lead to further fallout for data transfers. Another case involving Max Schrems, Facebook Ireland and the Irish Data Protection Commissioner has already attracted global interest, with the U.S. government and various international groups having been granted approval to join the case. The proceedings, which will be before the court again in February 2017, concern the validity of data transfers through European Commission-approved standard contractual clauses (“SCCs”). In addition, Digital Rights Ireland is taking a case in the General Court of the European Union claiming the Privacy Shield does not sufficiently protect the personal data of EU citizens.
While the adoption of the Privacy Shield is a welcome alternative to the uncertainty that followed the Safe Harbour decision, its effectiveness, and whether it is an improvement on the previous framework, is yet to be tested. This is a debate that will continue and should be monitored by businesses and individuals.
In the meantime, the Privacy Shield and SCCs are valid bases for transfers of data to the U.S. Any Irish organisations transferring data to the U.S. should continue to monitor their data transfer systems for compliance with these frameworks and check whether U.S. entities receiving such data have signed up to the Privacy Shield (see https://www.privacyshield.gov).