EU US agree replacement for Safe Harbour data transfer scheme
There had been mounting concerns about the extent to which use of the Safe Harbour scheme for transfers of EU personal data to the US was really sufficient for compliance with EU data protection rules for some time before the European Court finally declared the scheme non compliant so negotiations were already underway for its replacement before the judgement came through. Nonetheless the judgement was a spur to accelerate those discussions and only a few days late the outline of a new scheme was announced on 2nd February.
The full text has yet to appear but the press release from the Commission (europa.eu/rapid/press-release_IP-16-216_en.htm ) outlines the way in which it is to work. We are told that US companies will have to put in place “robust” structures for handling data and comply with rulings from European data protection authorities in their handling of European personal data. The US Department of Commerce will monitor compliance and there will be enforcement through the FTC and a new ombuds procedure. There will be an element of future proofing as we are told that the new US rules will be in line with the General Data Protection Regulation which will come into force in 2018. A major concern had been the US authorities indiscriminate mass surveillance activities however we are told that governmental access will be limited to specific and limited circumstances.
In addition to the Commission press release we have also now had an initial response from the influential Article 29 Working Party. They have asked for the papers around the negotiation to be submitted to it for consideration before the end of February and have made it clear that their review will consider the proposals against the four fundamental principles for intelligence activities – rule based processing, proportionality, independent oversight and availability of redress. Rather ominously they also have also said they will be reviewing whether Binding Corporate Rules and Standard Contractual Clauses - the two options under which data could still be transferred to the US after the death of the Safe Harbour – were still viable. If the rights of the US authorities are not sufficiently tied down and subject to court review it is hard to see how these can survive although the WP has said that these should continue to be used in the meantime. Its review is expected to be completed by the end of March.
So what happens now? The Commission will draft the detailed legal regulation which will then have to go to various advisory groups including the Article 29 WP while the US works on the details of the monitoring and enforcement procedures. The technical outcome of all this is to be an exchange of letters at a political level and not a treaty which of its self raises issues of legal substance which has already been noted by the parliament’s committee on Civil Liberties, Justice and Home Affairs. General opinion seems to be that the new regime is likely to be in force around May/June of this year but further delays should not be ruled out.