The Privacy Shield has earned a lot of praise from both sides of the pond, but does it hold up to scrutiny upon a closer look?
A decade ago, or perhaps even half a decade ago, tell someone you were involved in data privacy rights and they’d be bored to tears from the outset. Compare that to now: following Edward Snowden, Max Schrems, the invalidation of Safe Harbor and Apple’s battle with the FBI over encrypted iPhones, data privacy and security are among the hottest topics not only in the international law context, but in the news generally. The average citizen, on both sides of the Atlantic, is now far more aware of their data privacy rights, and of when those rights might be jeopardized, than at any time in the digital age.
In general, we seem to be entering a new regulatory framework in which data privacy protections have matured greatly and are being taken much more seriously. The EU General Data Protection Regulation (GDPR), a long-awaited effort to unify and strengthen the approach to personal data protection for all 28 member-states, will carry steep administrative fines for violations, including up to 4 percent of annual, global revenue. Moreover, the U.S. Judicial Redress Act, signed by President Obama in late February, gives EU citizens unprecedented access to U.S. courts to challenge U.S. companies’ disclosure of their private data to the government. It also includes a provision for the U.S. government’s use of the data.
And into that regulatory climate comes the EU-U.S. Privacy Shield, hammered out by the European Commission and the U.S. Department of Commerce, the draft text of which was released by the Commission on February 29. As a reboot to the Safe Harbor Agreement, which was invalidated by the European Court of Justice in the Schrems case in October 2015, the Privacy Shield indeed reflects much of the spirit and letter of that decision. EU Commissioner for Justice, Consumers and Gender Equality Vera Jourová said in a statement that the Privacy Shield is “based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds.” On the U.S. side, U.S. Secretary of Commerce Penny Pritzker called the Privacy Shield “a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.”
That’s a lot of high praise, but does the Privacy Shield hold up to scrutiny? Let’s have a quick look at some of the basics:
U.S. companies seeking to transfer data across the Atlantic from the EU (as well as from Switzerland, under a similar arrangement) must submit to a certification process with the Department of Commerce. Certification will require that companies submit to, and demonstrate, robust compliance with Privacy Shield principles, including limiting the collection of personal information, adhering to tightened conditions for onward data transfers, and responding to individuals’ complaints within 45 days. In addition, those companies handling human resources data from Europe will be bound by data handling, processing and other decisions established by European Data Protection Authorities.
Moreover, U.S. companies registering under the Privacy Shield must follow an alternative dispute resolution system, created for the benefit of EU nationals. Under the system, companies will be required to publish information about the dispute resolution body, including where consumers can address their complaints and a link to the website of the companies’ selected dispute resolution provider. Should a case not be resolved, EU nationals will have further recourse under the “Privacy Shield Panel”, a final mechanism for dispute resolution. Decisions of the panel are binding against companies certified under the Privacy Shield.
Finally, the European Commission and the U.S. Department of Commerce will conduct an annual joint review of the Privacy Shield’s effectiveness, providing a continual improvement process to ensure proper functioning of the framework, and adequate protection for EU citizens’ data transferred to the U.S.
The Privacy Shield has been reviewed by the Article 29 Working Party, the group of Data Protection Authority representatives from all EU member states. Their take, while advisory, is interesting, especially regarding compliance mechanisms and the adequacy of the framework. While the Working Party noted that the Privacy Shield made significant improvements to the Safe Harbor decision, they had a number of data transfer concerns on both the commercial and government sides.
There has been some question among lawyers and data protection law experts as to whether the Privacy Shield really is a valid method for protecting EU citizens’ data. Is it just a giant exercise in paper-pushing, a slightly better dressed Safe Harbor, or an effective means of maintaining the data privacy rights of EU citizens?
So let’s jump back to the Judicial Redress Act for one moment. While granting a private right of action to non-U.S. citizens for alleged privacy violations that occur in the U.S., the act limits that redress to non-U.S. citizens from countries which (i) permit the “transfer of personal data for commercial purposes” to the U.S., and (ii) do not impose personal data transfer policies that “materially impede” U.S. national security interests. That second point is a troublesome one, because it was precisely those bulk data surveillance activities, carried out in the name of U.S. national security, that the ECJ ruling in Schrems made clear are absolutely unacceptable under European privacy law.
Despite the enthusiasm of officials on each side of the pond, if you’re getting the sense that many of the developments regarding the Privacy Shield are leading to corporate unease, you’re on the right track. Transatlantic data transfers are absolutely essential to many businesses, and European regulators have been mostly silent as to what data transfer solutions are truly best for ensuring compliance. Furthermore, those companies considering participation in the Privacy Shield probably want to start thinking now about how they will live up to the increased obligations and the greater oversight under the new framework. The path forward is not particularly clear at the moment.
Despite similarities to Safe Harbor, all indications are that the Privacy Shield will not be “plug and play”: there will be a series of hurdles and processes for companies tasked with bringing EU-based personal data transfers into conformity with the Shield.
Perhaps the strongest piece of advice for e-discovery service providers and other businesses, in advance of more certainty about the efficacy, adequacy and final compliance processes for the Privacy Shield framework, has been to implement binding corporate rules (BCR) for big data processing. This is easier said than done. BCRs require member state Data Protection Authority approval, and those requests can be time-consuming. However, companies’ accountability and compliance concerns can be sufficiently addressed through BCRs, avoiding the Privacy Shield altogether.
I can suggest one final thing: meticulously review your current corporate processes and policies for handling, processing, storing and securing EU-based personal data. Look to data localization as a practical means of avoiding the massive, regular transfer of data, and of encouraging “in-country” document and data review wherever possible.
Posted by Ryan T. Costello, Esq. – Operations Manager, eTERA Europe. Ryan can be reached at firstname.lastname@example.org.