Following months of negotiations, the United States and the European Union have formally approved the Privacy Shield, establishing a revised framework for data sharing between the U.S. and the EU. Since the invalidation last October of the previous data sharing regimeknown as the Safe Harbor, companies have relied on Standard Contractual Clauses and other more ad hoc means of facilitating international data transfers. While the approval of the Privacy Shield was welcomed by governments and companies on both sides of the Atlantic, it is expected that the Privacy Shield will face new legal challenges.
The Safe Harbor framework offered a recognized legal means to transfer data between the EU and the U.S. between 2000 and 2015. After the extent of U.S. mass surveillance efforts came to light, the Safe Harbor was challenged and ultimately struck down by the European Court of Justice (ECJ) in Maximilian Schrems v. Data Protection Commissioner. Following the invalidation of the Safe Harbor, U.S. and EU authorities negotiated to establish a new framework that would facilitate the multibillion-dollar economic activity surrounding trans-Atlantic data transfers while also providing more robust data privacy protections. This week, that agreement became final and, on July 12, the Commission adopted its decision on the adequacy of the protection provided by the Privacy Shield.
New Requirements for Privacy Shield Participants
The Privacy Shield was crafted with an eye toward complying with the requirements laid out by the ECJ in the Schrems case and satisfying the concerns identified by the EU member state data protection authorities. Under the Privacy Shield, companies will face more stringent rules surrounding data sharing and retention, and more vigorous oversight by the U.S. Department of Commerce and the Federal Trade Commission.
Parties to the Privacy Shield will be subject to new requirements related to onward transfers of data to third parties after an initial transfer from the EU to the U.S. Companies engaging in thes onward transfers must notify customers of the transfers and enter into a contract with the third party that limits the third-party’s usage of the information. In effect, the new third party transfer requirements impose an obligation on the transferor to ensure that the third party adheres to the principles of the Privacy Shield. Parties to the Privacy Shield are also required to minimize the amount of data that they store, retaining it only so long as necessary to satisfy the purpose for which it was transferred.
The Privacy Shield also establishes an ombudsperson who will report to the U.S. secretary of state and will be charged with receiving and investigating complaints. Privacy Shield participants must resolve complaints from customers within 45 days of receipt, and participants must provide an independent mechanism to resolve any complaints. Individuals may also submit complaints to EU-based data protection authorities. In these cases, the Department of Commerce is responsible for facilitating resolution of the complaint within 90 days. Where these mechanisms fail to resolve a dispute, Privacy Shield participants must commit to binding arbitration by an independent panel designated by both the Department of Commerce and the EU Commission.
Potential Legal Challenges
As noted above, the Privacy Shield’s predecessor, the Safe Harbor, was invalidated by the ECJ, and the new data sharing framework is likely to be the subject of litigation once it becomes fully operational. The body composed of the EU’s national data protection authorities, known as the Article 29 Working Party, voiced concerns regarding the Privacy Shield when a draft was issued earlier this year, and it remains to be seen whether amendments to the framework will satisfy this influential group. Following the European Parliament resolution adopted in May 2016 pointing out the potential flaws of the agreement, Max Schrems, the Austrian national who successfully challenged the Safe Harbor before the ECJ, has made public his intention to challenge the new framework.
Legal challenges would likely be grounded in a claim that, whatever its improvements, the Privacy Shield does not provide a level of data security and privacy protection that is “essentially equivalent” to that which is guaranteed internally within the EU. This essential equivalence standard has become the touchstone for evaluating the sufficiency of legal frameworks for data sharing arrangements with EU member states since the Schrems decision. While the Privacy Shield requires the U.S. government to provide additional clarity and transparency regarding its surveillance and data collection activities, it remains to be seen whether these measures, coupled with the additional safeguards provided by the Privacy Shield, will sufficiently mitigate the concerns of all individuals whose data is transferred under this framework.
Where We Are Headed
How companies should respond to the approval of the Privacy Shield will depend in large part on the extent to which they have made alternative arrangements to facilitate data transfers since the invalidation of the Safe Harbor. Companies that have utilized the Standard Contractual Clauses will not necessarily be compelled to change their data-transfer protocols, though the ECJ is also investigating the adequacy of these mechanisms. Many companies, including those in the finance and health care sectors, may also already be subject to specific laws or regulations that mandate levels of customer privacy and data protection sufficient to comply with the Privacy Shield. Nonetheless, companies engaged in transnational data transfers should be aware that entities like the Department of Commerce and the Federal Trade Commission may be eager to demonstrate the vitality of the new framework through enforcement actions, and that aggrieved individuals now have a new, more robust means to challenge transfers of their data under the Privacy Shield.