As negotiators for the US Department of Commerce (“DOC”), Federal Trade Commission (“FTC”), and the European Commission move towards an agreement intended to allow continued US-EU data transfers, a closer look at the history of “Safe Harbor” and the implications of the proposed “Privacy Shield” framework on multinational employers leaves some questions unanswered.
Safe Harbor Invalidation
Under EU Data Protection Directive 95/46/EC (the “Directive”), personal data controlled in the EU may be transferred to countries outside the EU only when an “adequate level of protection” is guaranteed. From 2000 to 2015, thousands of employers achieved this adequacy status through the US-EU “Safe Harbor” framework, an annual certification process approved by the European Commission and made available to US companies subject to the jurisdiction of the FTC or Department of Transportation.
But on October 6, 2015, the European Court of Justice (“ECJ”) invalidated Safe Harbor, finding that it violated the Directive’s principles as well as EU fundamental rights. The ECJ decision stemmed from a claim brought before the Irish data protection authority by Austrian privacy activist Max Schrems regarding the transfer of personal data to the US by Facebook’s European headquarters in Ireland. When the Irish authority dismissed Mr. Schrems’ claim, he took to the courts. The Irish High Court reviewed the claim and referred two narrow questions to the ECJ regarding the interplay between national and EU law under the Directive. The ECJ answered those questions but further issued a broader decision that struck down Safe Harbor.
In the four months since October 2015, negotiators on both sides of the Atlantic have scrambled to put together a new framework that will meet the legal requirements as interpreted by the ECJ. During this period of uncertainty, many multinational employers scrambled to implement Standard Model Clauses or took a wait-and-see approach.
Privacy Shield Overview
On February 2, 2016, the European Commission and the DOC announced that they have agreed on a new transatlantic data transfer framework, called the EU-US Privacy Shield. The Privacy Shield framework is intended to replace the Safe Harbor framework. Proponents of the Privacy Shield state that it will establish an obligation on companies to publicly commit to robust protection of any EU personal data that they handle; a set of clear safeguards and transparency mechanisms on US government access to EU citizens’ personal data; and a redress right to address complaints about improper access and surveillance.
Under the Privacy Shield arrangement, the DOC will be responsible for monitoring companies’ compliance with their commitments, and the FTC will have enforcement authority over these commitments. The US State Department will appoint an ombudsman, who will hear complaints from Europeans regarding US surveillance and will respond to inquiries from the EU’s Article 29 Working Party (“WP29”) (composed of Data Protection Authorities from each EU member state) about access to personal data by the US intelligence community. The DOC and the European Commission will meet on an annual basis to review all aspects of the Privacy Shield agreement, with intelligence agencies from both the US and the EU invited to take part.
Agreement on the Privacy Shield framework follows closely on the heels of the US Senate Judiciary Committee’s passage of the Judicial Redress Act (H.R. 1428) on January 28, 2016, which would give EU citizens the right to bring a civil action in the US against a US government agency related to the protection of their personal data. If enacted, the Judicial Redress Act will provide a means of redress for Europeans who feel that the US government has misused or improperly accessed their personal data.
The actual adequacy agreement still needs to be drafted, and the EU member states, as well as their independent Data Protection Authorities through the WP29, must be consulted. The WP29 has requested all necessary documentation regarding the Privacy Shield from the European Commission before February. After the WP29 is able to analyze the details of the Privacy Shield, the WP29 will continue its assessment of the Standard Model Contracts and Binding Corporate Rules in light of the Privacy Shield. The WP29 has not made any uniform statement as to whether or not companies formerly relying in Safe Harbor, and now waiting for the Privacy Shield, would become subject to enforcement measures if no alternative data transfer tools (Standard Model Contracts and Binding Corporate Rules) have been implemented. According to the WP29, the level of enforcement in those cases will depend on the national Data Protection Authority. This of course is an obvious contradiction to the WP29’s statements calling for a uniform enforcement approach throughout the EU.
European Justice Commissioner Věra Jourová told a press conference that she expects the agreement to be finalized in three months. While multinational employers generally celebrated the initial announcement of the new transatlantic data transfer framework, the mood of excitement seems to now be tempered. Privacy experts are already voicing fears that Privacy Shield will likely be challenged in the ECJ. In the meantime, employers on both sides of the Atlantic have expressed serious concerns about the legal limbo that they now face until the text of the agreement is revealed and approved. Major gaps remain to be resolved and employers require answers to important questions, including:
- When exactly will the Privacy Shield framework become legally binding?
- How soon will data importers be eligible for participation, and will there again be some form of certification procedure?
- How will Privacy Shield be regarded by the WP29?
- Have US and EU negotiators adequately addressed the ECJ’s interpretation of the laws to ensure that the Privacy Shield requirements will survive a legal challenge?
- What power will the new ombudsman have?
- Will there be a separate alternative dispute resolution system, or will the ombudsman be the final arbiter of complaints regarding national security?
- How will the Privacy Shield redress rights work with the rights provided under the Judicial Redress Act if it becomes US law?
- Will the Privacy Shield option be available to companies who were not eligible for Safe Harbor certification (e.g., because they are not subject to FTC jurisdiction)?
- Will companies transferring data to the US under EU Standard Model Contracts or Binding Corporate Rules be held to the higher Privacy Shield standards?
- Will the nearly 4,500 US companies that are Safe Harbor certified have any sort of advantage in their efforts to comply with Privacy Shield?
Multinational employers should be cautiously optimistic. Despite the new name, the initial outline of the Privacy Shield appears similar to the Safe Harbor insofar as the transfer of European employee’s personal data is concerned. That being said, multinational employers should consider the following steps: (1) watch for developments from the European Commission and the WP29; (2) if Safe Harbor certified, continue to comply with Safe Harbor; and (3) evaluate the usefulness of Standard Contractual Clauses as an alternative.