News broke late Tuesday that the United States and the European Union Commission have agreed upon a revised and updated version of the U.S.-EU Safe Harbor, providing a new framework for transfers of personal data from the EU to the U.S. The updated framework has been re-branded as the EU-U.S. "Privacy Shield". The framework potentially provides a mechanism to avoid a significant disruption in digital commerce.
This development came as a surprise to some, as it had appeared that an agreement would not be finalized in time for the January 31, 2016 deadline set by the Article 29 Working Party, which represents Data Protection Authorities across all EU Member States. Following the European Court of Justice's decision invalidating the Safe Harbor, the Working Party indicated that coordinated regulatory enforcement against businesses relying on Safe Harbor to transfer personal data from the EU to the U.S. would not begin until January 31. Less surprising is that the agreement reached so far is only "in principle." While we have some indication of the key points agreed to at a high level, the finalized framework is still some way off. Before taking effect, the new Privacy Shield will require additional steps in the U.S. to implement the agreed regulatory and legislative changes, and another EU Commission "adequacy decision".
Formal press releases and statements have been issued by the following government agencies:
- U.S. Secretary of Commerce, Penny Pritzker
- EU Commission
- U.S. Federal Trade Commission
- EU Article 29 Working Party
Here is what we know so far, together with our initial thoughts on the issues.
U.S. Businesses' Compliance: stronger commitments and more robust enforcement
- U.S. businesses wishing to import personal data from the EU will be expected to give more robust commitments regarding data processing and how individual rights are guaranteed. For this to achieve what is intended, personal data transferred from the EU would have to be collected and processed by businesses in the U.S. in a manner that complies with EU standards.
- The U.S. Department of Commerce will monitor businesses that publish commitments, and failure to honor these commitments may lead to enforcement under U.S. law by the Federal Trade Commission. This appears similar to the old Safe Harbor regime, which came under criticism from EU Data Protection Authorities because they perceived enforcement by the Federal Trade Commission as inadequate, a point of disagreement between the U.S. and the EU.
- Any U.S. businesses handling human resources personal data from the EU will, in addition, be expected to comply with decisions of European Data Protection Authorities in respect of that data. HR data was already treated differently under the old Safe Harbor regime, but a specific commitment by U.S. businesses to comply with decisions of EU Data Protection Authorities certainly goes further. If the new Privacy Shield provides robust enforceability mechanisms, that would provide some comfort to EU residents working for U.S. companies.
U.S. Government Access: safeguards and transparency
- The U.S. Government has given the EU written assurances that access by public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. In particular:
  - The U.S. will not conduct mass or indiscriminate surveillance of personal data transferred from the EU to the U.S. under the Privacy Shield, and access will be only to the extent necessary for, and proportionate to, the requirements of national security. This is a dramatic commitment and goes to the heart of the major concerns raised by the European Court. If the detailed commitments echo the general sentiment, this should be reassuring not just for EU residents, but also for U.S. businesses that have their own concerns about such surveillance.
  - The arrangement will be regularly monitored by an annual joint review, to include the issue of national security access and be carried out by the European Commission and the U.S. Department of Commerce (with U.S. national intelligence experts and European Data Protection Authorities invited). This appears to demonstrate a strong commitment on both sides of the Atlantic to collaborate, and for the European Court's major concern to be addressed not only by stated U.S. governmental commitments, but also by openness about the process of complying with those commitments.
EU Citizens' Rights: redress possibilities
- Under the new Privacy Shield, any EU resident who is concerned that their personal data has been misused will have several redress possibilities. This will be valuable to EU residents in theory, but only if these possibilities do not present significant practical challenges (e.g., a consumer having a theoretical right to sue a U.S. business but the costs involved being prohibitively high).
- There will be set deadlines for U.S. businesses to reply to complaints. This could be a powerful tool to encourage businesses to act on (or at least respond to) complaints. It will be interesting to see what the sanctions for non-compliance are but, in any event, a business may be keen to avoid the bad publicity associated with being known as one that, despite the obligation, does not respond to individuals' complaints. Public relations concerns have often been viewed as more significant than the potential monetary penalties of non-compliance with privacy laws.
- Complaints about possible access by national intelligence authorities will be handled by a newly-created Ombudsperson. This must also be intended to address the European Court's core concerns. Its effectiveness will depend on factors such as how impactful (and impartial) it is. The Department of Commerce has already highlighted that there will be "for the first time, a specific channel for EU individuals to raise questions regarding signals intelligence activities relating to the Privacy Shield. As a part of this process, the U.S. is making the commitment to respond to appropriate requests regarding these matters, consistent with our national security obligations".
- EU Data Protection Authorities will be able to refer complaints to the U.S. Department of Commerce and the Federal Trade Commission. Much like the Federal Trade Commission's enforcement of Safe Harbor compliance, the effectiveness of this regime will come down to the extent to which, in practice, the Department of Commerce and the Federal Trade Commission make enforcement action in response to complaints referred by the European Data Protection Authorities a priority. The Department of Commerce has indicated that its commitment would include "dedicating a special team with significant new resources to supervise compliance with the Privacy Shield".
- U.S. businesses will commit to participating in arbitration as a matter of last resort and this will be available to EU residents for free. This sounds very appealing for EU residents, but it is challenging to imagine how it would work in practice, in terms of, for example, questions around the location of the arbitration, and the resources and time a business might be expected to commit to resolving such proceedings. Perhaps a procedure similar to the streamlined arbitrations for domain name disputes under the Uniform Dispute Resolution Policies of most Internet registrars could be developed.
We are still looking at several weeks at the very least for the new Privacy Shield itself to be formalized. On the EU side, the European Commission's adequacy decision is expected to be drafted in the coming weeks and, assuming the finer details can be agreed, adopted soon after in consultation with the Article 29 Working Party and representatives of the EU Member States. The Working Party has called on the European Commission to provide it with the final documents for the Privacy Shield by the end of February 2016. Given that it will take some time for the Working Party to complete its assessment, it is unlikely that the Privacy Shield will be implemented before late March 2016 at the earliest. In the U.S., meanwhile, preparations are expected to begin to put in place the new Privacy Shield, its monitoring mechanisms and the new Ombudsperson.
Concluding thoughts and wider context
Whatever the size of the step this "in principle" agreement represents towards formalization of a new framework, there is no doubt that it is a positive move towards some kind of transatlantic compromise and accord on an issue which has been of great concern to many international businesses, especially over the last few months. Of course, the timing and practicality of the Privacy Shield itself are the all-important next step.
As it did following the European Court ruling regarding Safe Harbor, the Working Party has again referenced its ongoing analysis of the robustness of other mechanisms used to transfer data from the EU to the U.S., such as Standard Contractual Clauses and Binding Corporate Rules, and it is clear that it continues to recognize the potential impact of the European Court's reasoning on those other mechanisms. Having set out its four "essential guarantees for intelligence activities", which the Working Party stresses "should be respected whenever personal data is transferred from the EU to the U.S.", it promises to "analyse to what extent this new arrangement will provide legal certainty for the other transfer tools". With this in mind, the new Privacy Shield, and the underlying regimes supporting it, become all the more crucial to resolving the ongoing debate and uncertainty surrounding transatlantic data flows.
As for litigation, whether the new Privacy Shield will quickly lead to new legal challenges remains to be seen. Data Protection Authorities in individual EU Member States certainly remain entirely free to investigate the extent to which data transfers, pursuant to schemes such as Safe Harbor or the Privacy Shield, actually comply with applicable data privacy laws. This, as the Schrems decision made clear, is the case regardless of any EU Commission decision declaring such schemes to provide adequate protection, so the door remains open for further litigation on this issue, even once the new Privacy Shield is in place.
Therefore, while news of the Privacy Shield is promising, multi-national businesses should continue to monitor these developments closely.