Rafi Azim-Khan is head of data privacy for Europe at Pillsbury Law. This article, co-authored by Steven Farmer, counsel at Pillsbury Law, explores what the new EU-US Privacy Shield means for tech companies both here and on the other side of the pond.
The European Commission and the US Department of Commerce have now reached an accord on a new transatlantic data transfer protocol. Nicknamed the EU-US Privacy Shield, the framework replaces the 15-year-old Safe Harbor, which was invalidated by the European Court of Justice (CJEU) last year.
Though the announcement has been met with an initial sigh of relief from those in the tech sector who had been relying on the now-defunct Safe Harbor for transferring data from the European Union, is it really the silver bullet some think it might be?
Although the text of the new framework is not yet available, certain reported key features of the Privacy Shield include the following:
- In comparison to Safe Harbor, the Privacy Shield would seek to impose stronger obligations on US companies to protect the personal data of EU citizens, and require stronger monitoring and enforcement to be carried out by the US Department of Commerce and Federal Trade Commission. Both government agencies have agreed to cooperate with the European Data Protection Authorities regarding data privacy complaints, and have agreed to impose stronger monitoring and enforcement upon US companies, though it remains to be seen, of course, how such monitoring and enforcement activities would take shape.
- US companies wishing to rely upon the Privacy Shield would have to register their commitment to do so with the US Department of Commerce, similar to the Safe Harbor.
- The US has provided the EU with written assurances that its government will not commit indiscriminate mass surveillance of data transferred pursuant to the Privacy Shield, and that government access to EU citizens’ data for law enforcement and national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms.
- The Privacy Shield will impose a “necessary and proportionate” requirement for when the US government can surveil EU citizens’ data that would otherwise be protected under the Privacy Shield.
- The Privacy Shield includes new contractual privacy protections and oversight for data transferred by participating US companies to third parties (or processed by those companies’ agents).
- A privacy ombudsman office will be created within the United States (presumably at the Department of Commerce), to whom EU citizens can direct data privacy complaints. As a last resort, the Privacy Shield would offer EU citizens a no-cost, binding arbitration mechanism.
- The Privacy Shield would be subject to an annual joint review that would also consider issues of national security access.
An open door
While the adoption of a new EU-US data transfer protocol is arguably preferable to the gaping hole that the invalidated Safe Harbor left in place, the announcement leaves the door open on several important issues that may undermine its efficacy.
Without the full framework available, it is possible that the “necessary and proportionate” threshold for surveilling EU citizen data may not be carefully defined, which could re-establish a vague legal standard. This means the standard could be subject to political whims on both sides of the ocean and it is possible US companies that comply with the Privacy Shield will need to live under the uncertainty of shifting governmental policies and interpretations.
Additionally, if the annual joint EU-US review of the framework allows for it to be dismantled or substantially changed each year, then this could also diminish the certainty that US companies would seek to achieve by complying with the Privacy Shield. This raises the question of whether the Privacy Shield will offer a more valuable solution than those currently available to US importers of data. Perhaps not.
Although the US Department of Commerce is expressing optimism over the Privacy Shield framework, Jan Philipp Albrecht, the European Parliament Member responsible for steering the new EU General Data Protection Regulation, has been one of the first out of the blocks in publicly criticizing the Privacy Shield, calling it little more than a “reheated serving of Safe Harbor” and suggesting it would likely not withstand further European Court of Justice scrutiny. Albrecht is not alone in his sceptical view and there has been significant criticism from other quarters in the EU.
With these types of uncertainties potentially on the table, it is argued that other options for transatlantic data transfers – namely model contract clauses and binding corporate rules – remain safer alternatives for tech companies than opting into the Shield.
The details will no doubt become clearer in the coming weeks, but in any event, companies would be best advised to consider all their options rather than placing too much faith for the moment in the Privacy Shield.