The United States has traditionally taken a libertarian approach to data privacy: “what is not forbidden is permitted.” Outside sensitive sectors such as health (HIPAA) and finance (GLBA), the United States has historically been content to let the market police itself. The European approach, perhaps reflecting the trauma of 20th-century totalitarian surveillance, is different. EU member states have comprehensive data protection laws enforced by dedicated data protection authorities (DPAs). The EU therefore permits data collection but regulates it far more tightly than the piecemeal, sector-by-sector U.S. regime.
The United States and the EU reconciled these divergent philosophies through a bilateral arrangement known as Safe Harbor. American companies that self-certified to the Safe Harbor principles were deemed to provide adequate protection, so personal data could lawfully be transferred to them from the EU. The arrangement held until October 2015, when the European Court of Justice handed down the Schrems decision, holding that Safe Harbor did not adequately safeguard personal data and invalidating the European Commission’s adequacy decision under the EU’s Data Protection Directive.
Schrems left American and EU negotiators scrambling for an alternative framework. They agreed on a replacement dubbed “Privacy Shield” in February 2016, and the European Commission adopted an adequacy decision approving it in July 2016. The Commission’s decision meant that American companies adhering to the Privacy Shield principles satisfied the EU rule that personal data may be transferred only to countries offering “adequate” data protection (or under another approved transfer mechanism, such as standard contractual clauses).
The “adequacy” determination immediately drew critics who contended that Privacy Shield was not robust enough to protect the personal data of EU residents. The continued viability of the Privacy Shield regime has therefore always been precarious, and three recent developments have highlighted that precariousness.
First, Irish and French groups have challenged the “adequacy” determination before the EU courts. The challenges rest on different rationales but share a common premise: that personal data transferred to the United States is not subject to appropriate safeguards. In particular, the challengers argue that Privacy Shield’s redress mechanisms are neither adequate nor sufficiently independent of the U.S. government.
Second, German DPAs have stepped up audits of data controllers that transfer personal data outside the European Union. The audits are not meant to be punitive; they are intended to raise awareness ahead of the General Data Protection Regulation (GDPR). Even so, they have revealed significant compliance shortfalls: both awareness of the transfer rules and compliance with them remain low. In particular, companies that rely on external vendors may export data without realizing it, and cloud services are a common pitfall, since the provider may store or process the data outside the EU.
Third, supervening developments in the United States, such as the Yahoo! affair and the election of a new Administration, have prompted hand-wringing in Brussels. Yet EU data protection law itself contains exceptions for national security and law enforcement, and member states make use of them. The United Kingdom has just enacted the Investigatory Powers Act 2016 (nicknamed the “Snoopers’ Charter”), and a number of other EU states have similar legislation.
The Investigatory Powers Act allows the government to require Internet service providers to retain certain records of user activity. A number of public bodies may access these records without a warrant. Beyond the expected military, intelligence and law enforcement agencies, the list of authorised bodies includes some unexpected names, ranging from the Gambling Commission to Food Standards Scotland to the Northern Ireland Health and Social Care Regional Business Services Organisation. Given the EU’s own exceptions and the high-profile Investigatory Powers Act, the United States is unlikely to offer further concessions to assuage Privacy Shield critics.
So what is the bottom line? The good news is that, notwithstanding the legal challenges and sensational news stories, Privacy Shield continues to hold. That matters to the roughly 1,700 companies that have obtained or are seeking Privacy Shield certification. The bad news is that Privacy Shield was meant to facilitate U.S.-EU trade by adding a layer of predictability and certainty to trans-Atlantic data transfers, and as a consequence of political, legal and technological developments that promise has not been realized. And with the EU General Data Protection Regulation due to apply from May 2018, the clock has about run out for any further adjustment.