For decades, overcoming the limitations of European data protection law to transfer personal data to countries outside the European Union has been a compliance priority for organisations operating internationally. Global data flows are part of the fabric of modern communications and everyday commercial and social interactions. This is especially true of the transatlantic relations between the European Union and the United States. However, countries such as the US that approach the regulation of personal data privacy from a different perspective than countries in Europe face a tough challenge when trying to demonstrate an adequate level of protection according to the European standard.
Safe Harbor
In order to bridge the different legal approaches and considering the large volume of data transfers carried out between the EU and the United States, the US Department of Commerce (DoC) and the European Commission developed the Safe Harbor mechanism as a self-regulatory framework that would allow organisations to satisfy the requirements of EU data protection law in respect of transatlantic data transfers. In 2000, following extensive negotiations, the Commission issued a decision stating that the Safe Harbor Privacy Principles provided adequate protection for personal data transferred from the EU. This decision enabled EU personal data to be transferred to US-based companies that agreed to abide by the Safe Harbor Privacy Principles.
However, since its adoption, the Safe Harbor framework was fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the adequacy standards of the EU Data Protection Directive, its self-certification nature and the non-European style of its provisions attracted much criticism over the years. Perceived weaknesses included that participants did not perform required annual compliance checks and the lack of active enforcement by the Federal Trade Commission compared to other domestic cases. These factors led some EU data protection authorities to question the validity of the Safe Harbor framework as an adequacy mechanism.
The Schrems decision
In 2014, the validity of Safe Harbor was fatally questioned by Austrian law student Maximillian Schrems, who lodged a complaint with the Irish Data Protection Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the United States. Mr Schrems claimed that Facebook Ireland – the data controller for Facebook’s European users’ data – could no longer rely on the Safe Harbor framework to legitimise the transfers of his data to the US because of the wide access that US intelligence agencies had to such data as revealed by Snowden.
The complaint was then escalated to the Irish High Court, which in turn referred the matter for decision by the Court of Justice of the European Union (“CJEU”) the highest judicial authority on the interpretation of EU law. On 6 October 2015, the CJEU issued its judgment and declared the Safe Harbor adequacy decision invalid. This ruling increased the pressure on the European Commission to agree a more robust alternative mechanism for transfers of data from the EU to the US.
My article in the November Newsletter, “Life after Safe Harbor – an action plan” proposed a series of steps companies should take that had previously relied on Safe Harbor.
The Privacy Shield
Even before the Schrems decision by the CJEU, the European Commission had identified a number of weaknesses in the Safe Harbor framework and decided to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.
The European Commission stressed that the EU and US were strategic partners and that reliable transatlantic data flows were critical to commerce, law enforcement and national security on both sides of the Atlantic. However, it also recognised that the Snowden revelations had damaged the EU’s trust in this partnership, and that this trust needed to be rebuilt.
The European Commission began discussions with US authorities aimed at updating the Safe Harbor framework in January 2014. The original aim was to identify remedies by the summer of 2014 and to implement them as soon as possible afterwards. The European Commission had provided thirteen specific recommendations aimed at addressing the Safe Harbor’s weaknesses and ensuring that the framework remained an effective mechanism for facilitating commercial transatlantic data flows. These recommendations focused on four broad priorities, namely: transparency, redress, enforcement and access to data by US authorities.
On 29 February 2016, and after more than two years of negotiations with the DoC, the European Commission released its much-awaited draft decision on the adequacy of the new EU–US Privacy Shield framework, accompanied by information on how the framework will work in practice. The Privacy Shield framework’s documentation is significantly more detailed than that associated with its predecessor, imposing more specific and exacting measures on organisations wishing to join the framework.
Crucially, the Privacy Shield framework also includes additional checks and balances designed to make sure that the privacy rights of EU individuals can be exercised when their data is being processed in the United States, as well as various official letters from US government officials providing assurances regarding the legal limitations affecting access to personal data by US government agencies.
The level of data protection
The Privacy Shield framework differs significantly from Safe Harbor. It describes the rules governing access to data and therefore the extent of interference into fundamental EU rights and explains the safeguards to ensure effective protection of data against possible abuse and unlawful access. The Privacy Shield Principles (Annex 2) should be read in conjunction with the assurances concerning limitations and safeguards under US law, so that it can be concluded that it is not the case that the fundamental rights of large numbers of individuals are likely to be infringed simply because their personal data is transferred under the Privacy Shield.
The considerable changes that have taken place in US domestic law since the Snowden revelations in June 2013 about surveillance practices underline the approach that the interferences with fundamental rights are necessary, proportionate and only as strictly necessary to attain the objectives of national security, law enforcement and the public interest. In particular, the introduction of legislative amendments and other transparency requirements demonstrate the substantial political effort by the US government to strengthen privacy protections for all individuals. Furthermore, there is greater emphasis on targeted and tailored access by US agencies to data and, in particular, data collected in bulk can only be used for six specific national security purposes.
Therefore, while certain aspects of the Privacy Shield framework would benefit from greater clarity, precision and accessibility, it is possible to argue that these potential weaknesses do not affect the overall effect of the Privacy Shield framework and the level of privacy and data protection that it affords.
In reality the true level of data protection afforded by the Privacy Shield framework will only be demonstrated by its functioning and the practices of its participants.
The European Commission’s response
Following the European Commission’s announcement, the Article 29 Working Party issued a preliminary statement on 3 February 2016 (before the relevant documentation had been publicly disclosed) welcoming the conclusion of the negotiations between the EU and the US on the introduction of the Privacy Shield. However, on 13 April 2016, the Working Party published an Opinion setting out their detailed analysis of the framework. In this Opinion, the Working Party sets out its concerns on the commercial aspects of the Privacy Shield and the ability for US public authorities to access data transferred under the Privacy Shield.
In particular, the Working Party considers that the Privacy Shield does not include certain key data protection principles from EU law. The Working Party also expresses concern about the protection for onward data transfers and that the redress mechanism for individuals could prove too complex.
Finally the Working Party notes that the documentation does not exclude massive and indiscriminate collection of personal data originating from the EU by US intelligence agencies and that the new Ombudsperson mechanism is not sufficiently independent or powerful. The Opinion concludes by urging the European Commission to resolve these concerns and improve the Privacy Shield.
Therefore, the ball is now in the European Commission’s court. It remains to be seen whether and to what extent the Privacy Shield’s negotiating parties will be able to address the Article 29 Working Party’s concerns.
Eduardo Ustaran is a partner in the Privacy and Information Management practice of Hogan Lovells and an internationally recognised expert in privacy and data protection law. Email eduardo.ustaran@hoganlovells.com. Twitter @EUstaran.
Image: By Nicolas Raymond on Flickr.