Following months of political tension and legal uncertainty, today the EU formally adopted the “EU/US Privacy Shield”, a new deal to replace the “Safe Harbour” (SH) invalidated last year by the European Court of Justice (ECJ) in Schrems v. Facebook. The intense negotiations were focused mainly on concerns around national security and commercial issues. This is an important step in restoring transatlantic stability, legal certainty and trust as the EU decision “establishes that the safeguards provided when data are transferred under the new EU-U.S. Privacy Shield are equivalent to data protection standards in the EU”.
Why does this new agreement matter?
Without the SH, the transfer of EU-originating personal data to the US was only permissible under EU law via more burdensome and often time-consuming means that imposed a greater burden on businesses that had relied on SH (like AOL and Terremark). The ECJ’s decision also created legal uncertainty around the continuing viability of other data transfer instruments, including those upon which Verizon Enterprise primarily relies. The Privacy Shield aims to address both concerns by making some of the redress mechanisms available more broadly to other transfer instruments such as “standard contractual clauses” (SCC). This is particularly important considering the ECJ is not done yet with its incursions into international privacy regulation and may question the validity of other transfer mechanisms in “Schrems 2”.
What is in the new Privacy deal?
The Privacy Shield is built on three main pillars: i) strong obligations on companies handling Europeans’ personal data and robust enforcement; ii) clear safeguards and transparency obligations on U.S. government access to data; and iii) effective protection of EU citizens’ rights with several means of possible redress. The deal also includes yearly joint EU/US reviews and the proactive involvement of Data Protection Authorities in national security and commercial issues. The final documents have not yet been released but the new agreement is expected to go fully into effect around the end of the summer.
How does the Privacy Shield impact Verizon?
AOL and Terremark customers had relied on the SH when allowing Verizon to transfer their data to the U.S. and the main impact of the SH saga has been on the additional efforts we deployed to adjust our processes to the elimination of the SH mechanism. In contrast, Verizon Enterprise predominantly relied on EU approved “standard contractual clauses”, not the SH, to meet its privacy obligations. Verizon Enterprise will continue to use these clauses, but in addition, we have nearly completed our transition to a third privacy model called “Binding Corporate Rules for Controllers and Processors” (BCRs).
For more information about the approved Privacy Shield, see the European Commission’s press release and dedicated website at: http://europa.eu/rapid/press-release_IP-16-433_en.htm