EU/US Privacy Shield: a feast for crows

On 12 July 2016, the European Commission adopted an adequacy decision approving the Privacy Shield framework for EU-US personal data transfers in a commercial context.

In principle, this clears the way for cross-border data transfers to US self-certified companies to take place from 1 August 2016, within a framework based on an enhanced version of Safe Harbor, which was invalidated in October 2015 following the ECJ decision in the Schrems case.

The version of the Privacy Shield framework that has been adopted has been modified since the draft version published in February in response to concerns raised by the Article 29 Working Party (WP29) (the group of European data protection authorities, which includes the UK’s Information Commissioner) and others as to whether the proposed arrangement met the adequacy requirements set out in Schrems.

Vera Jourová, Commissioner for Justice, Consumers and Gender Equality, has stated that the Privacy Shield brings “stronger data protection standards that are better enforced, safeguards on government access and easier redress for individuals in case of complaints”. The European Commission heralds the Privacy Shield launch by claiming that it transforms the system from a self-regulating one into an oversight system. EU citizens are to benefit from greater transparency as to how their transferred data is used and from easier and cheaper redress options, in comparison to the previous Safe Harbor regime. US companies that decide to participate in the new regime will face more compliance obligations.

The Privacy Shield has been welcomed by organisations such as Google, Microsoft, Rackspace, Digital Europe (which represents the tech industry) and the International Chamber of Commerce, for restoring legal certainty and facilitating data flow in the digital economy.

Others have criticised it. Jan Albrecht, MEP and Vice Chair of the LIBE committee says that it ignores the reservations voiced by bodies such as the WP29, and believes it will ultimately be challenged before the ECJ. Other privacy commentators have labelled it a “privacy sham” (European Digital Rights) and “the product of pressure by the US and the IT industry” (Max Schrems).

In any event, one ought perhaps to put more faith in deeds than words: Google, Microsoft and Rackspace have all invested in European data centres in the last 3 years.

The Privacy Shield documentation points to US policy measures and legislation introduced since the Snowden revelations that support the framework, for example, a Presidential policy directive limiting the exceptional use of bulk collection of data to six national security purposes (countering threats from espionage, terrorism, weapons of mass destruction, threats to cyber security or the Armed Forces, or transnational criminal threats). Some feel that these are broad purposes that may not substantially restrict US intelligence surveillance practices, and query whether “bulk” data collection is any different in practice from “mass surveillance”.

Commenting before the adequacy decision on a leaked version of the Privacy Shield, Privacy International conceded that it contained some improvements but said that the standards “still fall below what is expected to protect the rights of individuals”. Privacy International described the Privacy Shield as “an opaque document” that provides “no meaningful legal protections” and concluded:

“Given the flawed premises – trying to fix data protection deficit in the US by means of the Obama Administration’s assurances as opposed to meaningful legislative reform – it is not surprising that the new Privacy Shield, at least as it appears in the leaked version, remains full of holes and offers limited protections.”

Since the Safe Harbor was invalidated, businesses have had to review their data sharing arrangements with the US and apply additional measures, such as standard contractual clauses or binding corporate rules, to ensure they provide adequate protection to lawfully transfer data to and from the US (see Practice note, Cross-border transfers of personal data). US third parties collecting and processing EU data have had to consider whether to sign standard contractual clauses or look at costly or impracticable alternatives, such as European data centres or obtaining consent.

WP29 and the ICO both publicly affirmed that organisations could continue to use measures such as standard contractual clauses, although the ICO acknowledged that they were also potentially vulnerable to judicial challenge and a declaration of invalidity at least to the extent that they are used to authorise transfers of personal data to the US.

It came as no surprise when Max Schrems challenged the validity of the standard contractual clauses and the Irish Data Protection Commissioner referred questions about their validity to the ECJ in May 2016.

So, where does all this leave businesses?

Some criticism of the Privacy Shield was probably inevitable. However, the depth of the criticism and the likelihood of future challenge before the ECJ will mean that businesses are likely to treat the new framework with some caution. It seems unlikely that businesses that have put in place standard contractual clauses or other alternative measures will suddenly look to drop them in favour of the Privacy Shield, unless there are strong commercial drivers. It will be interesting to see how many companies in the US self-certify with the US Department of Commerce.

EU data controllers may possibly look again at other alternatives, such as consent and necessity. However, these derogations are fraught with their own complications and uncertainties: consent can be withdrawn at any time and may in any case be invalid if not given freely; necessity is also very difficult to establish. On balance, those investments in European data centres look like a sound bet.

This is by no means the end of the story: EU/US negotiations on the Privacy Shield are likely to continue around any changes necessary to take into account the new General Data Protection Regulation, which applies from 25 May 2018. And of course, for businesses in the UK, the outcome of the EU Referendum adds a further layer of complication and uncertainty.

Sara Catley