City lawyers are warning an agreement made between the EU and the US yesterday (3 February) replacing the Safe Harbour scheme is likely to be challenged in court.
The scheme will make it easier for organisations to transfer data across the Atlantic, replacing the now invalidated ‘safe harbour’ scheme.
In a last minute deal, negotiators from the European Union’s executive body and the US Federal Trade Commission forged terms for transatlantic data flow, to ‘protect the fundamental rights of Europeans where their data is transferred to the United States and ensure legal certainty for businesses.’
Now the new arrangement, rebranded as the EU-US Privacy shield, will offer safeguards such as an ombudsman for complaints, and will be annually reviewed.
It follows the European Court of Justice’s (ECJ’s) ruling in October that declared the old US safe harbour framework invalid. Austrian law student Maximilian Schrems succeeded in his legal challenge against Facebook’s ability to transfer personal data to the US after the ECJ decided that the US ‘does not afford an adequate level of protection of personal data.’ The decision had major implications across EU and ended 15 years of the ‘safe harbour’ scheme, allowing national regulators to suspend data transfers to the US, instead of letting exchanges of information go unexamined.
Fieldfisher data protection partner Phil Lee said the pact will ‘undoubtedly be welcomed by many’ but to bear in mind that this new Safe Harbour ‘will almost certainly be challenged by civil liberties groups (and possibly even some data protection authorities) pretty much immediately, only the foolhardy would place want to place their trust in a new Safe Harbour right now. Whether legal or not, its reputation is already shot to pieces.’
Paul Hastings UK head of data protection Ashley Winton warned about the US and EU’s imminent failure to agree the details of a new data sharing pact.
He added that while some detail has been revealed about what could be included in Safe Harbour 2.0, businesses operating across the EU and the US remain in the dark, and at increased risk of enforcement if they continue to transfer data to the US.
‘The results of months’ worth of negotiation appears weak and if adopted we are likely to see further legal challenge in the European courts. The European Commission still needs to make the case that the US system of privacy laws are essentially equivalent, that data subjects have real rights against disproportionate processing in the US, and that if there is disproportionate or illegal processing then citizens can have their personal data deleted and ultimately redress in an appropriate court.’