On February 2, 2016, the European Commission and the U.S. Department of Commerce reached an accord on a new transatlantic data transfer protocol. Nicknamed the EU-U.S. Privacy Shield, the framework would replace the 15-year-old Safe Harbor, which was invalidated by the European Court of Justice on October 6, 2015.[1] Clocking in at the thirteenth hour (two days after the European Commission’s internal January 31st deadline), the announcement may elicit an initial sigh of relief from executives of the several thousand U.S. companies that had relied upon the now-defunct Safe Harbor. But is it the silver bullet some think it might be?
Although the text of the new framework is not yet available, certain reported key features of the Privacy Shield include the following:
- Compared to its predecessor, the Privacy Shield would seek to impose stronger obligations on U.S. companies to protect the personal data of EU citizens, and require stronger monitoring and enforcement to be carried out by the U.S. Department of Commerce and Federal Trade Commission. Both government agencies have agreed to cooperate with the European Data Protection Authorities regarding data privacy complaints, and have agreed to impose stronger monitoring and enforcement upon U.S. companies. (It remains to be seen, of course, how such monitoring and enforcement activities would take shape.)
- U.S. companies wishing to rely upon the Privacy Shield would have to register their commitment to do so with the U.S. Department of Commerce, similar to the Safe Harbor.
- The U.S. has provided the EU with written assurances that its government will not commit indiscriminate mass surveillance of data transferred pursuant to the Privacy Shield, and that government access to EU citizens’ data for law enforcement and national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms.
- The Privacy Shield will impose a “necessary and proportionate” requirement for when the U.S. government can surveil EU citizens’ data that would otherwise be protected under the Privacy Shield.
- The Privacy Shield includes new contractual privacy protections and oversight for data transferred by participating U.S. companies to third parties (or processed by those companies’ agents).
- A privacy ombudsman office will be created within the United States (presumably at the Department of Commerce), to whom EU citizens can direct data privacy complaints. As a last resort, the Privacy Shield would offer EU citizens a no-cost, binding arbitration mechanism.
- The Privacy Shield would be subject to an annual joint review that would also consider issues of national security access.[2]
While the adoption of a new EU-U.S. data transfer protocol is arguably preferable to the gaping hole that the invalidated Safe Harbor left in place, the announcement leaves the door open on several important issues that may undermine its efficacy.
Without the text of the framework available, it is possible that the “necessary and proportionate” threshold for surveilling EU citizen data may not be carefully defined, which could reestablish a vague legal standard. As such, this standard could be subject to political whims on both sides of the ocean, and it is possible that U.S. companies that comply with the Privacy Shield will need to live under the uncertainty of shifting governmental policies and interpretations.
Additionally, if the annual joint EU-U.S. review of the framework allows for it to be dismantled or substantially changed each year, then this could also diminish the certainty that U.S. companies would seek to achieve by complying with the Privacy Shield. This raises the question: will the Privacy Shield offer a more valuable solution than those currently available to U.S. importers of data? Perhaps not.
Although the U.S. Department of Commerce is expressing optimism over the Privacy Shield framework, Jan Philipp Albrecht, the European Parliament Member responsible for steering the new EU General Data Protection Regulation, has been one of the first out of the blocks in publicly criticizing the Privacy Shield, calling it little more than a “reheated serving of Safe Harbor” and suggesting it would likely not withstand further European Court of Justice scrutiny. Albrecht is not alone in his skeptical view, and there has been significant criticism from other quarters in the EU.
With these types of uncertainties potentially on the table, it is argued that model contract clauses and binding corporate rules (two other options U.S. companies presently have for transatlantic data transfers) may remain safer alternatives to opting into the new framework.
We will be monitoring and analyzing next steps closely, as the EU and United States move closer towards a binding agreement. In any event, U.S. companies would be best advised to consider all their options rather than placing too much faith for the moment in the Privacy Shield.