Opinion: Why Privacy Shield isn't impenetrable
The new arrangement between European and US negotiators to replace Safe Harbor and ensure that data continues flowing across the Atlantic may not be strong enough to withstand likely legal challenges from privacy watchdogs.
After intense talks to find a replacement for the data transfer deal known as Safe Harbor, negotiators on both sides of the Atlantic have announced the so-called "Privacy Shield" agreement to safeguard Europeans' privacy rights.
But this shield, meant to ensure continuity of transatlantic data traffic after a European Court invalidated Safe Harbor, still leaves US businesses with substantial uncertainty regarding the legal status of information flows that form the backbone of the global digital economy.
The uncertainty stems both from the transatlantic deal's origins (as a fragile mechanism for bridging fundamental differences between US and EU views of privacy) and concerns that European privacy watchdogs will likely challenge the agreement for not doing enough to protect Europeans' information from the prying eyes of US intelligence services.
The origins of Safe Harbor date back to 1995 when the EU adopted a comprehensive data privacy law. That law, which took effect in 1998, essentially banned the export of EU citizens' personal data to non-EU countries that failed to ensure an "adequate" level of privacy protection. Since Europeans view privacy as a fundamental human right, they quickly expressed concern that US privacy protections were not adequate.
Unlike the comprehensive data privacy protections in Europe, the US takes a sectoral approach to privacy in which a patchwork of sector-specific privacy laws governs collection and use of certain sensitive data. For example, the Gramm-Leach-Bliley Act governs financial privacy; the Health Insurance Portability and Accountability Act governs medical privacy; the Children’s Online Privacy Protection Act governs children’s privacy; and the Video Privacy Protection Act governs the privacy of video rental records.
To address European concerns, the US Department of Commerce and the European Commission negotiated Safe Harbor. US companies who self-certified their adherence to specific requirements (i.e., the Safe Harbor principles) were deemed to provide an adequate level of protection for personal data and could receive transatlantic data flows. Today, approximately 4,400 companies hold a Safe Harbor certification.
But then came Edward Snowden. After he revealed the existence of several classified US surveillance programs that intercepted Internet communications, European politicians argued that the Safe Harbor agreement was being violated and called for the European Commission to review Safe Harbor.
Tensions over Safe Harbor came to a head in October when the European Court of Justice (ECJ) invalidated the safe harbor framework. The ruling came in the Max Schrems v. Data Protection Commissioner of Ireland case. An Austrian student and privacy advocate, Mr. Schrems argued that Safe Harbor no longer provided an adequate level of privacy protection due to US intelligence agencies’ ability to access personal data (as described in the leaks from Mr. Snowden).
The court agreed. Though, ironically, in considering whether the level of protection US companies offer is "essentially equivalent" to that guaranteed in Europe, the ECJ failed to address Snowden’s revelations that many EU member states’ intelligence agencies engage in mass surveillance of their own citizens.
As a result of the ECJ ruling, European data regulators threatened action against US companies unless a new and more robust privacy agreement replaced Safe Harbor. And so, the Privacy Shield was born.
The Privacy Shield deal has several components designed to address the shortcomings of Safe Harbor. First, US companies importing personal data of EU citizens will need to commit to data processing obligations to be enforced by the US Federal Trade Commission. Second, and most importantly, the agreement addresses US surveillance to assuage the ECJ’s concerns articulated in the Schrems case.
The US reportedly has assured the EU in writing that access to personal information for law enforcement and national security purposes will occur only when "necessary and proportionate;" that law enforcement and intelligence agencies will receive only limited and controlled access to data; and that "the US has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement.”
Finally, European citizens will have rights to redress for misuse of their data. European privacy watchdogs will be able to refer complaints to the Department of Commerce and FTC, and a new ombudsman will be appointed to address complaints related to intelligence authorities' access to personal information.
Also, in an attempt to appease European concerns about lack of judicial redress, Congress is considering legislation that would give foreigners the same rights as Americans to sue if their personal information is unlawfully disclosed by federal agencies in pursuit of law enforcement.
While the Privacy Shield announcement is a welcome development in the data privacy saga, US companies whose businesses rely on transatlantic data flows are not out of the woods yet.
First, Privacy Shield is by no means final. It appears to be a stop-gap measure intended to buy time for negotiators. While the US and EU have announced their agreement to the new framework, no text has yet been released. The devil is in the details, and given the fragility of the deal, there is no assurance that the deal will not fall apart as negotiators attempt to put pen to paper.
Moreover, even assuming that the agreement holds, it may take weeks or even months to finalize the agreement, and additional time for the framework to be vetted through European and national officials in order to become legally binding. National data protection authorities in Europe already have cautioned that, in the absence of greater detail, they cannot draw conclusions about the legality of the proposed Privacy Shield.
Second, it is inevitable that the Privacy Shield will be challenged in European courts, and companies will be back to square one if the new data transfer framework is unable to withstand ECJ scrutiny. The arrangement already has been criticized – by Schrems, Snowden, and pro-privacy members of the EU Parliament – for failing to comply with the requirements set forth by the ECJ. Even if they are wrong and the Privacy Shield can withstand a legal challenge, the mere existence of legal challenges to the new framework undermines the legal certainty that businesses engaged in transatlantic data transfers so desperately seek.
So what are companies to do?
Many companies had already turned to alternative data transfer mechanisms even before the Shrems decision, and this trend has only accelerated in the months since the ECJ decision invalidating Safe Harbor in October. And that may be the best option for companies concerned about compliance with EU data protection rules in a post-Schrems environment. At least until the new Privacy Shield takes effect.
While it is difficult to assess the new privacy shield in the absence of a written framework, what appeared to be a welcome development in the short-term may in the long-term be a source of great legal uncertainty; quite the opposite of what businesses had hoped when they pressed negotiators for a quick replacement for the safe harbor framework.
Melanie Teplinsky teaches information privacy law at the American University Washington College of Law as an adjunct professor. She started her career in cybersecurity in 1991 as an analyst at the National Security Agency.