The revelations by rogue NSA sysadmin Edward Snowden in 2013 caused indignant EU politicians to open a dialogue with the US government to update the data transfer regime to safeguard personal data. The Privacy Shield is the culmination of those discussions.
The US's hands-off approach has always differed from the EU's interventionist approach, particularly when it comes to personal data. According to a German lawyer I interviewed this is partially thought to stem from Cold War snooping by the former East German secret police and by neighbour-on-neighbour snooping. The counter-view in the US is for commerce to be as free from restraint as possible and this is thought to explain the lack of a federal law equivalent to the EU regime.
In some ways, protecting data is the big issue of the moment that is not going away and the new General Data Protection Regulation – due to apply from 2018 – is further evidence of that.
So what is the Privacy Shield then?
The new Privacy Shield is supposed to be the new way to enable data transfers from the European Economic area to the US. It seeks to address a number of the failures highlighted after Safe Harbour was ruled defunct in the Schrems vs Facebook case. In the case, the judge had considered that transfers under Safe Harbour were not safe as the US does not offer "an adequate level of protection" for personal data relating to European data subjects.
As for Privacy Shield, it has a number of facets:
- Strong obligations: The idea is that there will be greater transparency with stronger sanctions.
- Safeguards: There is written assurance from the US that there will be clear limitations, safeguards and oversight mechanisms over access to data by public authorities.
- Monitoring: there will be a joint review by the European Commission and the US Department of Commerce to monitor the functioning of the Privacy Shield and a report will be published.
- Redress: there will be several avenues of redress, including not just against the company direct but also with engagement by the US Department of Commerce and Federal Trade Commission to ensure complaints are investigated and resolved. A new Privacy Shield Panel can produce .
- Finally, there will be a data transfer regime that will allow individuals to be certain their data will be protected as well as assurances for EU companies to transfer data without worrying they will be penalised.
But wait – it’s not that simple. Looking behind the rhetoric reveals there is still some way to go.
Working Party criticism
The Article 29 Working Party is composed of representatives of the national EU data protection authorities, the European Data Protection Supervisor and the EU Commission. It is an important body providing input on data protection matters, and has published an opinion (PDF) in which it broadly welcomed the “significant improvements brought by the Privacy Shield compared to the Safe Harbour decision”. At the same time, it levelled a number of criticisms, observing that “some key data protection principles… are not reflected in the draft adequacy decision.”
Specifically, it is not satisfied that there is enough clarity around the principle that data should be used only for particular purposes. Nor is the data retention principle expressly mentioned or dealt with. And there is no specific wording on the protection against decisions derived from automated processing.
The Working Party's criticisms don’t end there - it is also concerned that the new redress mechanism might be too complex and it wants national EU data protection authorities to be considered as the natural point of contact for EU citizens wishing to complain. Nor is it happy with the level of detail from the US Office of the Director of National Intelligence regarding the prevention of “massive and indiscriminate collection of data” that were revealed by Snowden which triggered the collapse of Safe Harbour in the first place. It also wants to see proper independence for the new Ombudsman. Finally, it recognises that the Privacy Shield will have to be reviewed again in 2018 once the GDPR is in force.
Not surprisingly, the EU Commission is currently looking to revise the Privacy Shield to address these criticisms.
Article 31 Committee indecision
The Article 29 Working Party is not the only body involved, there is also the Article 31 committee, which has to give its blessing too. The Article 31 Committee, which like its counterpart was established by that article in the original EU Data Protection Directive, is comprised of representatives from the EU Member States to validate data transfer Adequacy Decisions.
During its recent meeting in May 2016, the Article 31 committee appears not to have reached consensus on the adoption of the Privacy Shield. The EU Commission is hopeful that agreement will be reached by the end of June but perhaps this will depend upon how quickly the Privacy Shield is modified to take into account the criticism by the Working Party.
This all seems like a mess. The Article 29 Working Party had previously notified the EU that its members, the national EU data protection authorities, would “take all necessary and appropriate actions, which may include coordinated enforcement actions”, if its January 31 deadline was not met for the introduction of the new Safe Harbour.
Despite its criticisms of Privacy Shield, though, it does not appear to have introduced a new deadline or encouraged its members to take action.
The world of data transfers remains in limbo, waiting for the EU Commission to sort itself out. And, ultimately the EU Court of Justice is likely to assess the new regime before too long with Schrems-style litigants bound to be ready to test the new rules.
In the meantime, of course, data transfers will continue. Therefore, to some extent, business is on its own in trying to work out what to do. I recommend data controllers and data processors continue to evaluate and implement appropriate measures to protect data during transfers.
Data controllers should make sure they have adequate safeguards in their contract terms with processors, even if that processor is a large US cloud company which trades on its own terms.
Remember, the data controller is primarily responsible under data protection legislation and will be the first one to be fined if there is a breach. If the standard terms don’t give you enough protection, look elsewhere.
Keeping data inside the UK or EEA seems a bit protectionist but it is ultimately better than getting hit by a large fine, especially with France and Germany rumoured to be looking to apply the new GDPR fines early of up to €20 million or four per cent of global revenue.
Consider using the EU model data protection clauses and, for large multi-national organisations, consider adopting Binding Corporate Rules. Obviously, these are permitted by the current legal framework and may change once Privacy Shield is finalised. But for now, it seems like the best option. ®