Anybody storing EU data in the United States has probably been a little worried since October 2015. That’s when a ruling by the Court of Justice of the European Union (CJEU) essentially made it unlawful to transfer EU data to the United States under the Safe Harbor Agreement.
But there was no real reason to panic. The EU Commission recognised the economic impact of sanctioning the thousands of companies who were suddenly breaking the law and gave the US until the end of January 2016 to come up with an improved framework.
That new framework, which came just a little after the end of January 2016, was branded “Privacy Shield”, to distinguish it from “Safe Harbor”. After requesting and receiving several modifications to the document, on July 12, 2016, the EU Commission judged Privacy Shield as providing adequate data protection.
But the story is far from over. To understand what might happen with the new Privacy Shield framework, one must understand exactly how the Safe Harbor framework came about – and how it was eventually shot down.
EU Data Protection laws prohibit the transfer of personal data to a country outside of the EU, unless that country ensures an adequate level of protection. The EU Commission judges the data protection adequacy of a non-EU country based on that country’s domestic laws and international commitments.
As they stand, US domestic laws do not provide an adequate level of protection. To bridge the gap, the US developed the so-called “Safe Harbor” framework, to which US companies self-certify. By self-certifying, companies make a public statement that they adhere to the rules of the framework. The US Federal Trade Commission can then sanction companies that don’t live up to that commitment, using its authority over unfair and deceptive acts and practices. The EU Commission accepted Safe Harbor in 2000.
Fast-forward 15 years. In October 2015, the CJEU invalidated the EU Commission’s decision. In the so-called Schrems decision, named after Maximilian Schrems, the Austrian citizen who brought the issue to court, the CJEU was of the opinion that the US government collects data indiscriminately, and that the Safe Harbor agreement doesn’t provide adequate mechanisms for EU citizens to seek redress in cases of violation of European Data Protection laws.
While the threat of sanctions may have caused a few CIOs to lose sleep as they waited for an updated agreement over the Christmas and New Year holiday season, most took into account the business interests behind international data transfers. After all, when there are business interests between countries, governments find a way to get along.
US companies certainly have a big stake in reaching an agreement with the EU. The worldwide cloud storage market is worth tens of billions of dollars, and most of the leading providers are US companies. What’s more, those cloud storage companies rely on storage platforms, and the top five storage systems providers also happen to be based in the US.
But the US economy isn’t the only one benefiting from data transfer. To run effectively, EU companies have grown to depend on the services provided by US companies – let’s face it, there’s no turning back on the globalization of data storage. It’s precisely because businesses and governments on both sides of the Atlantic are keen to see a workable agreement that authorities on both sides scrambled to reach a replacement framework.
The US government and the EU Commission came up with a new agreement, which they branded “Privacy Shield”, and delivered the details in a 130-page document four weeks after the deadline set by the Article 29 Working Party (WP29) expired. That was early 2016.
As mentioned above, after modifications to the original documents, the US government and the EU Commission finally reached agreement; and on July 12, 2016, the European Commission adopted Privacy Shield. (Keep in mind that, as we saw with the CJEU Schrems decision, even though the EU Commission has declared Privacy Shield adequate in protecting EU data, EU courts can still rule that the agreement does not provide the required protection.)
Meanwhile, on June 23, while WP29 was mulling over Privacy Shield, the UK voted to leave the EU. Brexit raises two new questions. Is Privacy Shield still relevant to the UK? And will the EU consider UK data protection adequate as is, or will the UK be required to negotiate an agreement with the EU similar to Privacy Shield?
To get answers to these two questions, I asked an expert: Andrew Dunlop, head of the Data Protection team at independent UK law firm Burges Salmon LLP.
In answer to the first question, Andrew Dunlop said: “The status of the Privacy Shield in the UK post-Brexit will depend on the model adopted by the UK in its departure from the EU. If the UK ends up remaining part of the European Economic Area (EEA) – for example, following the Norwegian model – UK organisations will continue to be able to transfer personal data to self-certifying US businesses under the auspices of the Privacy Shield. However, if the UK leaves the EU and EEA completely, an alternative arrangement will likely need to be put in place between the UK and the US.
“An analogous example would be the Safe Harbor agreement between the US and Switzerland which sat alongside the Safe Harbor agreement between the US and the EU member states.”
In answer to the second question, Dunlop replied: “The current UK regime under the Data Protection Act 1998 would be considered adequate if the UK left the EU today, as it derives from the 1995 EU data protection directive. However, the General Data Protection Regulation (GDPR) – coming into effect in May 2018, likely several months ahead of the effective date of the UK’s departure from the EU – contains a number of significant developments as regards the 1995 directive framework.”
“In order to obtain that adequacy finding, it is very likely that the EU decision-making bodies will expect the UK to put in place legislation to track substantially all of the developments seen under the GDPR, such that the UK’s data protection regime continues to mirror what’s in place across the EU.”