With European regulators continuing to debate the current proposal for the EU-U.S. Privacy Shield, the fate of the new trans-Atlantic data framework is becoming murkier by the day. Rapprochement may still be a possibility, but over the past week, we have seen parties on both sides preparing for an extended fight. The Privacy Shield is one of the most significant issues in global cybersecurity today.
Here we take a deeper dive into the current version of the Privacy Shield and offer a look at the issues dominating the current discussion and developments to watch for in the coming weeks.
EU-U.S. Privacy Shield
On February 29, 2016, following months of intense negotiations, the European Commission unveiled the current proposal for the new EU-U.S. Privacy Shield. The Privacy Shield—which would replace the EU-U.S. Safe Harbor agreement that was invalidated by the Court of Justice of the European Union in 2015—is designed to provide companies with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.
Although the Privacy Shield borrows many general principles from the Safe Harbor, it differs in a number of ways. The most significant differences include new obligations on participating companies and new redress mechanisms.
The Privacy Shield proposes a system for U.S.-based companies to certify compliance with the EU’s data security and conflict resolution procedures. To join the Privacy Shield, a company can self-certify to the Department of Commerce that it agrees to comply with the requirements of the Privacy Shield. Although joining is voluntary, once a company makes the public commitment to comply with the Privacy Shield’s requirements, the commitment would become enforceable under U.S. law. A participating company is required to include in its privacy policy a declaration of the organization’s commitment to comply with the principles of the Privacy Shield.
The Privacy Shield would create new redress mechanisms for individuals who believe their data has been unlawfully processed. Individuals have the option to bring complaints directly to the participating company, which would have 45 days to respond and resolve the complaint.
Individuals also could register complaints directly with the EU data protection authorities (“DPAs”). The DPAs would, in turn, cooperate with the U.S. Department of Commerce, which has committed to receive, review, and facilitate resolution of complaints and respond within 90 days. Companies are obligated to respond promptly to inquiries and requests for information by the Department of Commerce.
Participating companies also must: (1) establish procedures for the investigation and resolution of complaints at no cost to the individual; and (2) commit to binding arbitration to address any complaint that has not been resolved by other redress procedures. Under certain circumstances, individuals also could seek redress from the Privacy Shield Panel, an arbitration panel that can ensure an enforceable decision is entered.
The Privacy Shield would set in place safeguards and transparency obligations on U.S. governmental agencies. In particular, the Department of Commerce would be obligated to (2) verify that a self-certifying company has provided all required information and registered with the identified independent recourse mechanism; (2) police companies if their self-certifications lapse or voluntarily withdraw from the Privacy Shield; and (3) conduct periodic compliance reviews and assessments of the program.
If a company leaves the Privacy Shield Framework, it would be required to provide an annual certification of its commitment to apply the Privacy Shield’s data protection principles to information received under the Framework, if it chooses to store such data. Separately, the Privacy Shield provides that a departing company may provide “adequate” protection for the information by other authorized means.
The Ongoing Debate Over the Privacy Shield’s Adequacy
The Privacy Shield proposal has not been warmly received by everyone. As we briefly reported here, earlier this month the Article 29 Working Party—a coalition of representative from twenty-eight DPAs of EU member states—issued an opinion that vociferously challenged the adequacy of the proposed Privacy Shield.
Although the Working Party recognized that the Privacy Shield contains significant improvements over the Safe Harbor agreement, it requested many changes. In particular, the Working Party expressed concern that the Privacy Shield would not provide sufficient safeguards for EU citizens’ data or protections against bulk data collection practices by U.S. intelligence agencies. The Working Party also argued that, in cases where data is transferred to a recipient in a third country, there should be an obligation to assess whether the third country’s national legislation mandates a sufficient level of data security.
Given the intricate procedures that were hashed out during the Privacy Shield negotiations, it is not surprising that U.S. authorities have balked at the Working Party’s critiques. Last week, the U.S. Undersecretary of Commerce for International Trade indicated that the United States is reluctant to re-open negotiations on the Privacy Shield. Although acknowledging the importance of the Working Party’s perspective, the U.S. indicated it not inclined to upset the “delicate balance that was achieved” through the Privacy Shield negotiations.
What are the Next Steps?
The protracted debate only furthers the uncertainty facing thousands of companies that transfer data across the Atlantic. And, unfortunately, it appears that this uncertainly will continue for the foreseeable future.
In the next several weeks, a group of EU member state representatives will issue its own opinion on the Privacy Shield. It is not yet clear whether these member state representatives are more sympathetic to the Privacy Shield or whether they will back the criticisms voiced by the Working Party. Additionally, the EU Commission is expected to issue its own decision on the adequacy of the Privacy Shield this summer.
We will continue to monitor and report on future developments.
