By Dr. Thomas Jansen and Mari Martin
On July 12, 2016 the European Commission (EC) voted to adopt the final version of the EU-U.S. Privacy Shield.The Privacy Shield agreement replaces the previous agreement, Safe Harbor, which was struck down in October 2015 following revelations regarding U.S. mass surveillance.
According to EC Commissioner Jourova, the Privacy Shield, “is fundamentally different from the old ‘Safe Harbor’: It imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice. For the first time, the U.S. has given the EU written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms and has ruled out indiscriminate mass surveillance of European citizens’ data.”
Implementation of the Privacy Shield is critical to the flow of over $250 billion in international trade between the U.S. and EU. After Safe Harbor was struck down, organizations were forced to undertake more complex, time consuming and costly data transfer arrangements.
Thus, industry groups have largely embraced the Member States’ decision to adopt the Privacy Shield. The Digital Europe group, which represents tech firms such as Google and Apple, welcomed the decision. “Our members are ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand from companies,” said John Higgins, Digital Europe’s director general. TechUK, which represents 900 firms in the UK, applauded the Privacy Shield as “restoring a stable legal footing” to transatlantic data flows.
However, many expect an upcoming legal challenge to the Privacy Shield, based on the continued mass surveillance by the United States. As noted by Commissioner Jourova, the Privacy Shield is underpinned by written assurances from the U.S. will not conduct indiscriminate mass surveillance of European citizens’ data. European Data Protection Authorities (DPAs) may find these assurances insufficient. For example, European Parliament Member Jan Philipp Albrecht called it “highly dangerous” to rely on the vague promises made by the U.S. government. In its April 2016 Opinion, the Article 29 Working Party, a group of independent DPAs, strongly recommended strengthening the framework, citing concerns with loopholes through which the U.S. could continue bulk data collection. Kirsten Fiedler, managing director of European Digital Rights (EDRi), has called the Privacy Shield agreement ‘deeply flawed’.
Some in Europe are of the opinion that the Privacy Shield has not gone far enough in addressing the concerns expressed by the ECJ in its decision striking down Safe Harbor. According to Hamburg data protection officer Johannes Caspar, the Privacy Shield is not sufficient to produce an adequate level of data protection, especially as there are no legal guarantees against mass surveillance by U.S. authorities, only assurances. Likewise, Chairman of the Article 29 Working Party and French Data Protection Authority, the CNIL, Isabelle Falque-Pierrotin said she particularly regretted the absence of several principles such as the prohibition of automated decisions and lamented the fact that “US authorities have not provided sufficiently precise information to rule out a massive and indiscriminate surveillance of European citizens’ data.”
The EC presented a draft decision on the EU-U.S. Privacy Shield on February 29, 2016. In accordance with the Data Protection Directive (95/46/EC ), the Article 29 Working Party, a group of independent data protection authorities, issued an opinion on April 13, 2016. The European Parliament adopted a resolution in favor of the Privacy Shield on May 16, 2016. On July 8, 2016 EU member states voted to adopt the final version of the EU-U.S. Privacy Shield, paving the way for the adoption of the decision by the EC.
As of now, the Privacy Shield is a valid legal basis for data transfer between the U.S. and EU. However, as explained above, the Privacy Shield may be valid only temporarily. A legal challenge appears imminent.
Importantly, the Privacy Shield, in addition to the strong possibility that its validity will soon be in question, only addresses data transfer between the U.S. and EU. The Privacy Shield is inapplicable to the data transfer involving jurisdictions other than the U.S. and EU Member States.
Thus, we continue to recommend data transfer agreements based on EU Standard Model Clauses as the best choice for data transfer outside of the EU/EEA and countries approved by the EC as providing an adequate level of data protection. In particular, any organization considering implementing Model Clause agreements for international data transfers outside the U.S. and EU Member States would be wise to include transfers involving the U.S. in the Model Clause agreement rather than relying on the Privacy Shield.