Personal data - new agreement on Safe Harbor in the pipeline
On 2 February 2016 the EU and the United States entered into a new political agreement on the transfer of personal data between the United States and the EU. The previous scheme - the Safe Harbor scheme - was found invalid by the Court of Justice of the European Union in the autumn of 2015. The agreement paves the way for a new version of the Safe Harbor scheme which will be known as the EU-US Privacy Shield.
From Safe Harbor to EU-US Privacy Shield
On 6 October 2015 the Court of Justice of the European Union delivered judgment in the Schrems case (C-362/14) about the European Commission's Safe Harbor decision. By this judgment, the Court of Justice of the European Union set aside the European Commission's formal decision that US enterprises that had joined the Safe Harbor scheme were considered to be in a safe third country to the effect that European data controllers had a legal basis for transferring personal data to the relevant US enterprises.
The reason for the Court setting aside the decision was not, as frequently alleged, that the Court of Justice of the European Union had discovered specific problems with the situation in the United States, but merely that, for example, the European Commission had not considered sufficiently in its formal Safe Harbor decision the US authorities' access to personal data processed by US enterprises subject to the Safe Harbor scheme. This misconception was so widespread among the general public that Koen Lenaerts, the President of the Court of Justice of the European Union, stated as follows in the Wall Street Journal about the judgment:
"We are not judging the U.S. system here; we are judging the requirements of EU law in terms of the conditions to transfer data to third countries, whatever they may be."
However, already in 2013 the European Commission announced publicly that it had identified several deficiencies in the Safe Harbor scheme and that it would commence negotiations with the US authorities about amendments to the Safe Harbor scheme.
The negotiations concerning a revision of the Safe Harbor scheme were at a relatively advanced stage in October 2015 even though the remaining issues, not surprisingly, were also the most difficult issues to solve.
Following the judgment of 6 October 2015, the European data authorities in the Article 29 Working Party had given the European Commission a deadline until 31 January 2016 to secure a satisfactory new Safe Harbor scheme with the US authorities.
The deadline was not observed, and just as everybody held their breath awaiting the data authorities' reaction, the European Commission quite unexpectedly announced on 2 February 2016 that it had reached a political agreement with the United States on the amendments to US conditions that the European Commission had estimated were necessary for it to be able to issue a new Safe Harbor decision later.
Among other things, the amendments strengthen European citizens' rights in relation to the US authorities. If you want to know more about the new scheme, read the EU Commission's press release and a fact sheet from the US Department of Commerce.
At the same time, the name of the scheme will be changed to the EU-US Privacy Shield.
It is important to emphasise that all amendments take place in the United States and that such amendments are not relevant to European data controllers that would choose to use a future Safe Harbor decision as the basis for the transfer of personal data to the United States. The amendments merely serve to provide the European Commission with the necessary basis for being able to issue a new EU-US Privacy Shield decision in accordance with the requirements following from the Personal Data Directive and the Court of Justice of the European Union's judgment.
It is expected that the European Commission will distribute a draft for a new decision in a couple of weeks. When the hearing process relating to the draft has been completed in about three months, an EU-US Privacy Shield decision will be issued that may form the basis for the transfer of personal data to US enterprises that have joined the EU-US Privacy Shield scheme.