Editor’s note: this is a guest post from Sarah Pearce, a partner in the Cooley Technology Transactions Group. Next week, privacy watchdogs from EU member states are set to issue their opinions on the EU-U.S. Privacy Shield, the new, post-Safe Harbor framework agreement for transatlantic data flows. Below is a primer on what is in it (and what isn’t).
The Safe Harbor agreement was negotiated and enshrined in law as recently as the year 2000, and was declared no longer valid just a decade-and-a-half later.
The speed of these developments reflects several factors: the relative novelty of legislators attempting to get to grips with the massive post-digital shifts in the sharing, transmitting, safeguarding and storing of information; the speed with which the sphere is still changing and developing; and, perhaps most tellingly, the differing attitudes within the EU and the US when the privacy of citizens is under consideration.
In short, Safe Harbor was intended to confer European levels of protection to private data once it made its way into the systems of companies based within the US.
This was a laudable aim which came off the rails in dramatic fashion in the wake of the Edward Snowden leaks, not least of which was the revelation that the US NSA (National Security Agency) could access private information held by the likes of Facebook, seemingly quicker than you can say ‘Patriot Act’.
The collapse of Safe Harbor caused a degree of panic among businesses relying on the transatlantic transmission of material. This panic may have subsided somewhat following the announcement, at the start of February, that the European Commission and the US Department of Commerce had struck a deal to replace it.
The new solution, known as the Privacy Shield, is intended to be an upgraded version of Safe Harbor, providing reassurance that information crossing borders and jurisdictions from the European Economic Area (EEA) to the US will enjoy consistent levels of protection and privacy. Such an arrangement is needed because the flow of data between the EEA and the US is now a key, if not the key, component enabling billions of dollars, euros and pounds worth of trade to take place.
This can only take place, under European data protection law, if the information in question has guaranteed protection in place. This can be achieved via contractual tools such as express consent, Model Clauses and Binding Corporate Rules.
By far the simplest, quickest and most cost-effective means of doing so, however, is by setting up an ‘adequacy test’, covering all information, under which the country in question, through a combination of domestic legislation and adherence to international law, provides suitable levels of protection.
Safe Harbor ultimately failed in this aim and was declared invalid by the European Court of Justice (“CJEU”) in October of last year. The question now being asked is whether the Privacy Shield will offer a more robust and practicable solution to the privacy conundrum. Like Safe Harbor, the Privacy Shield will depend upon organisations and businesses in the US self-certifying – basically promising to adhere to European levels of data protection.
What’s changed is that, in this case, the levels of adequate protection these bodies are pledging to meet are underpinned by a set of seven core and 16 supplemental Privacy Principles, as well as official representations and commitments taking the form of signed letters from US authorities, including Secretary of State John Kerry, Secretary of Commerce Penny Pritzker, the Federal Trade Commission (‘FTC’) and the Office of the Director of National Intelligence.
The Principles themselves represent the criteria which the self-certifying organisations have to meet, and are intended to reflect the core principles of EU data protection legislation.
With this in mind they have been given names such as the ‘Notice Principle’, ‘Choice Principle’, ‘Security Principle’ and ‘Access Principle’. The aforementioned representations and commitments, for their part, offer promises on behalf of the wider US authorities, guaranteeing adherence to the levels of protection required by the European Commission.
The differences between the Privacy Shield and Safe Harbor are a reflection of several factors: the fact that, as long ago as 2013, the European Commission had drawn up a list of 13 recommendations intended to improve Safe Harbor even prior to the Snowden revelations; the ramifications of those allegations themselves; and the reality that Safe Harbor was regarded as being so far beyond improvement or ‘fine tuning’ that the Commission opted to scrap it altogether.
Bearing all of this in mind, the Privacy Shield has been designed with stronger obligations and firmer foundations engineered in from the ground up. The Commission itself breaks the Shield down into four distinct and complementary parts:
- Commercial Sector – the Privacy Shield will implement stronger obligations on US companies to protect EU personal data, accompanied by stronger monitoring and enforcement via oversight mechanisms, sanctions and tightened conditions for onward transfers to companies’ partners.
- US Government – unlike before, the US government has provided written assurances that it will employ and maintain clear safeguards and transparency obligations. The assurances state, for example, that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
- Redress – several new mechanisms will be on offer to EU citizens seeking redress if they feel that their private data has been misused. They will be able to apply directly to the company in question, in which case the company must reply within 45 days; they will have access to free alternative dispute resolution mechanisms, available via telephone or video conference; they will have access to national data protection authorities (‘DPAs’), which will work with the US Department of Commerce and FTC to resolve the complaint; and they will ultimately be able to apply to the newly formed Privacy Shield Panel, via an arbitration mechanism, in an attempt to ensure an enforceable decision.
- Monitoring – the Joint Annual Review will monitor the functioning of the Shield, including, crucially, access to data for law enforcement or national security reasons. The Commission and the US Department of Commerce will conduct the review, with assistance from US national intelligence experts and European DPAs. The Commission will also hold an annual privacy summit and issue a public report to the European Parliament and the Council.
The overarching question is whether these measures, working together, will offer the required level of protection for data emanating from the EEA, particularly when issues of national security come to the fore. Under Safe Harbor, the chief concern was that national security was utilised by US authorities as a kind of ‘get out of jail free card’, overriding all other concerns and allowing virtually untrammelled access to information.
The ultimate arbiter in the case of the Shield is the Commission and it, at least for the moment, seems satisfied with the safeguards being offered.
These safeguards include Presidential Policy Directive 28, under which the bulk collection of data for intelligence operations will be confined to six specific national security purposes:
- To detect and counter threats from espionage
- To combat terrorism
- To detect or combat weapons of mass destruction
- To detect or combat threats to the Armed Forces
- To detect or combat transnational criminal threats
The hope is that stricter conditions such as these, combined with the presence of an independent Ombudsperson within the Department of State, will better protect the privacy of all persons, including non-US citizens. Any final judgement regarding the efficacy of the introduction of the Shield, however, will be left to the Article 29 Working Party, made up of the national DPAs, and ultimately the CJEU, which is bound to examine a selection of test cases in the coming months.
One of the caveats which must be raised against the Privacy Shield is the more than slightly complex question of precisely who will be in charge of policing it.
The US Department of Commerce is, without doubt, the most important player, charged with receiving, reviewing and resolving complaints, monitoring the privacy policies of companies and ensuring that they meet the principles of the Shield, maintaining an up-to-date list of Privacy Shield members and removing those who have left the Shield from this list. Even after being removed from the list, companies will be monitored by the Department of Commerce to ensure that personal data received while they were in the Shield has the principles of the Shield applied to it for as long as it is retained.
The FTC will also have a vital role to play, working closely with the various DPAs to provide enforcement assistance by prioritising referrals from EU DPAs, the Department of Commerce itself, privacy self-regulatory bodies and independent recourse mechanisms. The FTC has also committed to establishing a dedicated point of contact and a standardised process via which EU DPAs can refer complaints.
The ‘home’ DPA of a European citizen will remain the first port of call for a complaint, which will then be referred to the Department of Commerce or other appropriate body, whilst the newly created Ombudsperson mechanism will handle complaints revolving around EU citizens who fear their personal information has been used unlawfully by US authorities working in the field of national security. In the event of a complaint not being resolved, arbitration will be offered as the last resort, and the Privacy Shield Panel will offer a dispute resolution mechanism able to issue binding decisions against US self-certified companies.
It shouldn’t be forgotten, either, that somewhere amidst this complex nexus of panels, departments, authorities and regulators, the CJEU will still have a part to play.
In short, then, the answer to the question of who’s in charge of the Shield is everybody and nobody, the hope, presumably, being that the overlapping interests and concerns will provide a comprehensive safety net.
In practical terms, for businesses or individuals with concerns in the area of data transfer, privacy, cross-Atlantic business or outsourcing, the unveiling of the Privacy Shield will have little immediate effect. The text of the Shield has not yet been formally reviewed and accepted by the Article 29 Working Party, the European Council and the CJEU.
In the short term, the situation remains much as it was after Safe Harbor had been scrapped and its replacement was being negotiated, namely that EU subsidiaries of US companies and EU companies transferring personal data to the US would be well advised to carefully check their method of transfer.
They should bear in mind that, if the Shield operates as intended, EU citizens will have access to greater levels of both transparency and protection.
For the time being, companies on both sides of the Atlantic whose businesses involve a transfer of data from the EEA to the US can, provided they have appropriate alternative mechanisms in place, sit tight until Europe’s final checks are complete.