The EU-U.S. Privacy Shield

By Tyler Seling

Last October the world as we knew it changed dramatically – at least for international companies storing and transferring data overseas. With the rapid advancement of the internet and computer technologies in the 1990s, countries began enacting privacy laws that sought to protect the data of end-users (or of citizens generally). Some of the strictest laws were enacted in the European Union, which prohibited the transfer of data to countries that did not adhere to its rules.[1] However, the United States and Europe worked out an agreement known as the “Safe Harbor” agreement to help “streamline [sic] the tedious process U.S. companies had to go through in order to comply with European regulations.”[2]

The Safe Harbor Falls

In 2000, the European Union and the United States entered into the Safe Harbor agreement to simplify the process of adhering to regulations enacted to protect consumers and end-users. Companies that were heavily involved in information technology and data were the biggest beneficiaries of this agreement. It permitted companies like Facebook, Google, and Twitter to transfer data sent from overseas and store it on their domestic servers.[3]

However, in the aftermath of Edward Snowden’s leaking of documents identifying the U.S. government’s operations (particularly those of the National Security Agency) of digital espionage and invasion of the privacy rights of foreign citizens, a young Austrian law student sought to challenge the status quo.[4] Maximillian Schrems challenged Ireland’s Data Protection Commissioner for allowing Facebook Ireland (a subsidiary of Facebook Inc.) to store and transfer data to the United States.[5] After filing a complaint directly with the Commissioner, who determined it was unfounded and refused to investigate, Schrems pursued the matter before the European Court of Justice (CJEU).[6]

While the High Court found that there were legitimate counter-terrorism purposes for the U.S. government’s surveillance and interception of personal data, the evidence disclosed by Edward Snowden exemplified “a significant over-reach on the part of the NSA and similar agencies.”[7] The Court went on to explain that “[u]nder section 11(2)(a) of the Data Protection Act, the Commissioner was [sic] required to determine the question of the adequacy of protection in the third country ‘in accordance’ with a Community finding made by the Commission pursuant to Article 25(6) of Directive 95/46,”[8] and that, because the Commission had found the United States’ protection adequate under the Safe Harbor, the Commissioner would be right to dismiss Mr. Schrems’s complaint.[9] However, the Court identified that Mr. Schrems was not actually seeking to challenge the Commissioner or his decision, but rather the validity of the Safe Harbor as a whole.[10] As a result, the CJEU ultimately held that the Safe Harbor privacy principles and the related agreement were invalid.[11]

The In-between

After this decision in October 2015, the world changed. Global companies began trying to find alternative ways to meet the European Union regulations on the storage and transfer of personal data. Some options included requesting consent from the user, moving storage servers to the E.U. to avoid the transfer altogether, or making the server security systems and protocols satisfy the E.U. directive by conforming to the model rules.[12] Even with these options, companies were urging the U.S. and the E.U. to come to some new form of agreement.

The Privacy Shield

The Privacy Shield was initially announced in February 2016 as a more thorough replacement for the Safe Harbor. It was adopted by the College of Commissioners following a positive vote of E.U. member states on July 8.[13] It contains three key parts: (1) strong obligations on companies handling E.U. citizens’ data, (2) safeguards and transparency obligations for U.S. government agency access, and (3) new remedies for complaint resolution for E.U. citizens.[14] For the commercial sector (i.e. U.S. companies only), the obligations include greater transparency, oversight mechanisms to ensure the companies follow the rules, sanctions or even exclusion of companies that do not comply, and tightened conditions for onward transfers.[15] Companies will be required to “self-certify” with the Department of Commerce and publicly commit to complying with the Privacy Shield’s requirements.[16] These requirements include informing individuals about how their data will be processed (e.g. stored, transferred, shared, etc.), maintaining adequate security and data integrity, and ensuring third-party accountability for service providers who control or maintain databases or data centers.[17]

The U.S. government has its own safeguards and transparency obligations to satisfy, including written assurance that any access to personal data by public (i.e. governmental) entities will be subject to clear limitations and oversight, affirmation of an absence of indiscriminate or mass surveillance of personal data coming from Europe, reports of the approximate number of access requests made by the government to private companies, and redressability through a newly created ombudsperson mechanism to help settle complaints from individuals.[18] The remedies that become available under the Privacy Shield include: direct requests to companies, which must reply within 45 days of a complaint on how personal data has been used or transferred; free alternative dispute resolution; cooperation between the Data Protection Authority (DPA), the U.S. Department of Commerce, and the Federal Trade Commission (FTC) to investigate and resolve unsettled complaints by E.U. citizens; and a “last-resort” arbitration panel to ensure an enforceable decision.[19]

The Future

With the agreement in effect as of July 12, companies were able to start certifying their compliance as of August 1.[20] Since that date, numerous companies have already self-certified, such as ExamSoft Worldwide, Microsoft, and Salesforce; however, numerous big names are still missing, such as Facebook, Google, and Amazon.[21] While the agreement looks promising on its face, there are still numerous questions to answer: what good do assurances actually offer as a means of protection for end-users, what level of inter-agency cooperation will exist and will it impact national security, and how will enforcement actually play out against U.S. companies? Further, it does not have overwhelming support from either side of the debate, as some consumer protection groups and businesses feel the agreement does not actually solve the problems created by the Safe Harbor.[22] It would not be surprising if the Privacy Shield is ultimately struck down by the CJEU, possibly prompting U.S. lawmakers to consider implementing an actual data protection policy that matches the one in force in Europe.

* * * * *

[1] Ivana Kottasova, Europe’s Big Data Bombshell: What You Need to Know, CNN Money (Oct. 6, 2015, 2:41pm), http://money.cnn.com/2015/10/06/news/companies/safe-harbor-data-privacy-europe/.

[2] Id.

[3] Id.

[4] Id.

[5] Maximillian Schrems v. Data Protection Commissioner, Case C-362/14 (Oct. 6, 2015), http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130d5edc657f9af10474c94cdee0821b70451.e34KaxiLc3eQc40LaxqMbN4Pa3mMe0?text=&docid=169195&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=74674.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] Kottasova, supra note 1.

[13] European Commission, EU-U.S. Privacy Shield: Frequently Asked Questions (July 12, 2016), http://europa.eu/rapid/press-release_MEMO-16-2462_en.htm.

[14] Information Technology Industry Council, After Safe Harbor: EU-US Privacy Shield (Feb. 4, 2016), http://www.itic.org/safeharbor.

[15] European Commission, EU-U.S. Privacy Shield Fact Sheet (July 2016), http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-us_privacy_shield_en.pdf.

[16] U.S. Department of Commerce, Fact Sheet: Overview of the EU-U.S. Privacy Shield Framework for Interested Participants (July 12, 2016), https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/fact_sheet-_eu-us_privacy_shield_7-16_sc_cmts.pdf.

[17] Id.

[18] Information Technology Industry Council, supra note 14.

[19] Id.

[20] Amar Toor, EU-US Privacy Shield Agreement Goes into Effect: Tech Companies Welcome New Data Transfer Agreement, but Activists Say it Doesn’t Do Enough, The Verge (July 12, 2016, 5:03am), http://www.theverge.com/2016/7/12/12158214/eu-us-privacy-shield-data-transfer-privacy.

[21] International Trade Administration, Privacy Shield List, Privacy Shield Framework (last visited Aug. 25, 2016), https://www.privacyshield.gov/list.

[22] Toor, supra note 20.