EU-US “Privacy Shield” Is Open for Business

But Is It for You?


David Bender, Esq.

Special Counsel, Data Privacy

GTC Law Group PC & Affiliates

https://gtclawgroup.com/portfolio/david-bender/

August 2016


Since 2000, the “Safe Harbor” program has provided a relatively painless way for US companies to acquire the personal information of European Union residents in compliance with the EU’s rigid restrictions on export of personal information. This program was created in 2000 by agreement between the US and the EU, and over 4,000 US companies participated in it. Many companies viewed it, hands down, as the best way to accomplish legal transfer of personal data from the EU to the US. But in October 2015 the European Union’s highest court, the Court of Justice of the EU (the “CJEU”), invalidated Safe Harbor, and also cast doubt on the validity of some of the other devices for lawfully transferring the personal information of EU residents to the US. There is an enormous amount of trade between the US and the EU, and much of it requires such a transfer. And the sanctions for violation of the EU data protection laws can be severe, in terms of fines and orders to cease transferring data. Accordingly, the CJEU’s opinion left both a vacuum and great uncertainty, and has caused much gnashing of teeth on both sides of the Atlantic.

Discussions between the US and the EU on modifying Safe Harbor were underway well before the court opinion, and moved into high gear immediately thereafter. On July 12, 2016 the US and the EU adopted a “Privacy Shield” arrangement to replace Safe Harbor, and, since August 1, 2016, companies have been permitted to self-certify to Privacy Shield. Like Safe Harbor, Privacy Shield is built around a set of seven privacy principles (generally, the principles of Notice, Choice, Access, Security, Enforcement, Onward Transfer, and Data Integrity), and permits US companies to self-certify to their compliance with these principles.

Nevertheless, Privacy Shield differs from Safe Harbor in several significant ways. First, the role of the US government has been intensified. In Safe Harbor, the US Department of Commerce (“DOC”) played the largely ministerial role of registration and record-keeping. Under Privacy Shield, DOC will be much more active, vetting initial certifications and annual re-certifications, and seeing that the list of certified companies remains current. Also, the Federal Trade Commission has represented that it would give “priority” attention to Privacy Shield complaints from EU residents. Further, under Privacy Shield the US has created a new position – the “Ombudsperson” – in the Department of State, and totally independent of the intelligence community. The Ombudsperson will investigate and respond to complaints of EU residents that their personal information had been inappropriately processed by the US intelligence community. One major focus of the CJEU decision was that National Security Agency (“NSA”) activity that the court believed to be “bulk collection” of the personal information of EU residents violated EU law. Accordingly, the EU insisted that any Safe Harbor successor must have some mechanism to guard against improper US governmental surveillance.

After Privacy Shield was initially proposed, it was analyzed by three EU bodies that lacked the power to veto it, but nevertheless had some influence on the entities that did have veto power. Among their criticisms were that data retention was not limited; there was no protection against decisions based solely on automated processing; onward transfer from the US was insufficiently framed; the specified redress mechanisms might, in practice, prove too complex and therefore ineffective; the Ombudsperson was neither sufficiently independent nor vested with adequate powers to exercise her duty effectively; and the national security representations did not exclude “massive and indiscriminate collection” of personal data originating from the EU which, according to critics, could never be considered proportionate and strictly necessary in a democratic society.

As a result of these criticisms and suggestions, the EU and the US had further discussions, and the US gave additional assurances regarding national security surveillance and the independence of the Ombudsperson. On that basis, Privacy Shield was approved. However, it seems clear that it will promptly be challenged judicially, and that such a challenge will surely result, in due course, in a reference to the CJEU, as was the case with Safe Harbor. Thus, one critical question is how Privacy Shield will fare before the CJEU.

The two biggest problems the CJEU had with Safe Harbor were the perceived free rein given the US government regarding national security surveillance of EU residents’ personal information, and the lack of redress that EU residents had with regard to US government surveillance. We believe that the success of Privacy Shield before the CJEU will depend largely on five factors, namely, the degree to which the court:

  • concludes that Privacy Shield is meaningfully different from (and more privacy-sensitive than) Safe Harbor;
  • takes proportionality into consideration (as the CJEU is required to, but did not, in its Safe Harbor decision);
  • is willing to distinguish the factual basis of present US national security surveillance from the one (inaccurately) portrayed in its Safe Harbor decision;
  • is willing to acknowledge (at least implicitly) the importance and realities of commerce; and
  • views the Judicial Redress Act and the Ombudsperson as providing sufficient judicial redress against US national security surveillance. The Judicial Redress Act, Pub. L. 114-126, 130 Stat. 282 (Feb. 24, 2016), was enacted in response to the EU’s complaint that EU residents lacked the rights that US citizens had against US government processing of personal data.

EU law permits several legal bases for export, but in the wake of the CJEU opinion several of them, beyond Safe Harbor, confront major impediments. One is the use of “standard contractual clauses,” i.e., the three sets of model clauses adopted by the EU for export. These clauses were deemed adequate by the EU, can be invalidated only by a ruling of the CJEU, and are now used by many companies. However, they appear susceptible to invalidation because they suffer from the same perceived deficiency that condemned Safe Harbor, namely, that they do not protect against US governmental surveillance. Nevertheless, unless and until the CJEU invalidates them, they may suffice to provide a legal basis for export.

Another legal basis that has attracted more attention in the wake of Safe Harbor invalidation is binding corporate rules (“BCRs”). With the approval of the supervisory agencies in the affected EU nations, these can be promulgated for a family of entities that are part of a single enterprise, e.g., the subsidiaries of a single parent corporation. However, BCRs are not available for entities not in an enterprise arrangement. Moreover, BCRs also may fall victim to the same disease that felled Safe Harbor – perceived inappropriate US governmental national security surveillance and lack of redress.

There are other modalities for export to the US, based on consent and on certain necessities. While they may not have been undercut by the CJEU decision, they are rather narrow and fragile, and difficult to use. Some companies have simply been transferring data as though the CJEU decision had never been handed down. This is perilous, as several data protection authorities (the independent governmental agencies that the EU requires each Member State to establish for the implementation and enforcement of data protection law) have threatened to enforce the law against such exporters, and at least one (in Germany) has already fined several companies. The situation is further complicated by the fact that in May 2018 EU law is scheduled to change, as the existing EU Data Protection Directive is replaced by the more restrictive “General Data Protection Regulation.”

In light of all this, just what is a US company that is dependent on personal information from the EU supposed to do? That depends on the details of the company’s desired exports of personal data from the EU, and on internal resources and staffing. GTC Law Group has been helping clients structure their cross-border transfers for years, and has acquired extensive experience in doing so. We suggest that you communicate with your GTC contact soon to discuss how we can assist.