When the European Court of Justice ruled on October 6, 2015 that the Safe Harbor agreement between the EU and the USA, which had been in place since the year 2000, was no longer valid (Schrems decision), there was a major outcry. The future of the transfer of personal data to the USA was at stake, affecting more than 4000 companies. Even though various instruments were and continue to be available to ensure the required suitable data protection levels for the transfer of personal data into a third country in which the data protection is questionable, such as the E.U. standard contractual clauses as well as binding corporate rules. Nevertheless, individual German regulatory agencies were quick to point out that they considered these instruments invalid for the transfer of data to the USA. At the same time, the “Düsseldorfer Kreis”, the panel of data protection bodies of the German federal and state governments, doubted in its statement of October 21, 2015 the admissibility of data transfers to the USA based on standard contractual clauses or binding corporate rules. The Article 29 Working Party, the body of European data protection authorities, issued a deadline for the European Union to develop a successor agreement for the Safe Harbor agreement by the end of January 2016.
Rather unexpectedly, the European Commission actually agreed with the USA on February 2, 2016 on a draft for an EU-US Privacy Shield as a successor to the Safe Harbor agreement. According to a statement by the European Commission, the new agreement contains the following elements:
- Strong obligations on companies that process the personal data of European citizens, and robust enforcement. The US Department of Commerce will monitor companies that process personal data from Europe.
- Safeguards and transparency obligations on U.S. government access. The U.S. also agreed to monitor its own judicial and security authorities.
- Protection of EU citizens’ rights with several redress possibilities. Citizens who feel that their data protection rights were violated in the name of U.S. national security can turn to an Ombudsperson mechanism independent of national security services.
The German economic sector, such as the digital association Bitkom, mostly welcomed the agreement. However, they were also opposed by a large number of critics and skeptics. Rightfully so! Skepticism is called for, if only because to-date there is no binding written document that unequivocally specifies the above-stated principles. Regarding the monitoring by the U.S. Department of Commerce one cannot help but wonder why this monitoring mechanism is expected to function now, since it obviously had not been functional throughout the past years. At the time of the Safe Harbor agreement, the Düsseldorfer Kreis had already criticized the lack of monitoring and enforcement of the requirements by U.S. authorities. It also remains questionable whether an Ombudsperson mechanism independent of U.S. national security services is really suited to ensure the protection of basic rights as requested by the European Court of Justice. One may rightfully fear that this is just another paper tiger. After the signing of the “Judicial Redress Act” by the U.S. president Barack Obama, EU citizens were also given the right to bring a civil action against U.S. agencies for personal data protection violations. However, many hurdles and exceptions limit this right.
In light of the above, it is therefore not surprising that the Article 29 Working Party has reserved the right to examine and analyze the Privacy Shield in detail. In particular, the European data protection authorities will have to determine whether the new agreement complies with the requirements of the Schrems decision of the European Court of Justice. An according statement of the Article 29 Working Group is not expected before the end of April 2016. “Until then, data transfers to the USA can be carried out based on standard contractual clauses or binding corporate rules,” confirmed the Article 29 Working group.
Things are expected to continue to be interesting in the area of EU-US data protection agreements.