Opinion: The triumph of Privacy Shield
The new data transfer pact between the US and European Union known as Privacy Shield opens the door to a new era of safe and secure digital commerce for Europeans.
For the second time in less than a month, Europe stands on the threshold of history. As many Europeans are still trying to wrap their heads around the idea of a union without Britain, the European Commission has been moving toward ratification of a landmark data-protection agreement with the US.
The agreement, known as Privacy Shield, will provide European citizens with unprecedented protections for their personal and commercial data. It will also make Europe a vital hub in the global flow of digital information.
On Tuesday, European Commissioner for Justice Věra Jourová and Secretary of Commerce Penny Pritzker signed the Privacy Shield agreement, marking its final approval and opening the door on a new era of safe, secure digital commerce for European citizens and businesses.
But immediately following this historic step, Privacy Shield is certain to face legal challenges, leaving the courts to decide its fate. These decisions will have a monumental impact on the future of Europe, and on the European Union’s place in the global economic hierarchy.
The EU and US have an opportunity to embrace our shared belief in free market economic principles and, more essentially, the democratic process. To quote President Obama, "What binds us together is greater than what drives us apart."
I believe that the Privacy Shield agreement captures these common values, and that’s why I support its ratification and implementation. I do not take lightly notions of privacy. In the sometimes-pitched battle between the machinery of the free market and consumers’ rights, I have staked my career on defending the latter.
Back in 2000, the Department of Commerce and the European Commission finalized a privacy framework called Safe Harbor. It was designed to protect the rights of European citizens as their data traveled across the Atlantic. American companies that adhered to Safe Harbor were allowed to collect and use data about European consumers and employees, and store the data on US servers.
By October of last year, some 4,500 U.S. companies, large and small, were relying on Safe Harbor to handle the data of tens of thousands of European and American employees and to do business with millions of European
Then, in October, the Court of Justice of the EU invalidated Safe Harbor, holding that it didn’t provide Europeans with the levels of protection to which they were entitled as EU citizens.
But while the Court of Justice’s decision in Schrems v. Data Protection Commissioner sounded the death knell for Safe Harbor, negotiations on an updated data security framework between the US and the EU had already begun, two years before Schrems, after Edward Snowden revealed that US intelligence agencies had been collecting personal consumer data held by American companies.
The Schrems decision certainly added urgency to these negotiations, but the writing had been on the wall since Snowden: European policy makers and privacy advocates believed that Safe Harbor’s protections were no longer adequate.
Privacy Shield is the result of the negotiations that began in 2014, a new framework designed to replace and improve upon Safe Harbor. It is the framework that Europeans deserve today. Privacy Shield strengthens consumer protections with regard to both government and commercial access to data.
In doing so, it addressees the European Court of Justice’s two major concerns about Safe Harbor. First, it outlines the fortifications to existing safeguards against government access to personal data for the purposes of national security surveillance. Second, it provides clear, inexpensive avenues of redress for individuals concerned that their data is being used improperly. These provisions are designed to meet the court’s demands that the protections governing any transfer of Europeans’ data out of the EU be “essentially equivalent” to those found in European law.
To understand Privacy Shield, and why its protections are adequate, it is important to understand the requirements that businesses and government agencies face under the current regime of American privacy law. It’s true that the US has no single law like the baseline data protections found in most EU member states. But taken as a whole, US laws and regulations do provide a layered assemblage of strong consumer safeguards.
Indeed, US law was clearly the inspiration for many of the guiding principles that informed the drafting of the European General Data Protection Regulation, including an emphasis on data security and breach
notifications, a focus on heightened protections for children’s data, and a prioritization of deidentification of sensitive data.
Where government collection of personal data is concerned, the idea of a fundamental, constitutional right to privacy is a cornerstone of American law, deeply woven into our social and legal fabrics. Recently the right to privacy has been extended through the courts to include new technologies and new forms of communication. The Judicial Redress Act, the USA Freedom Act and President Obama’s Policy Directive 28, all adopted in the wake of the Snowden revelations, honor and strengthen this tradition by providing new limitations on the way data is collected and used by US intelligence services.
The Judicial Redress Act, which explicitly extends the protections of the Privacy Act to foreign citizens, is particularly noteworthy in this discussion.
Other individual statutes protect information about children, finances, medical data, and student data, as well as information used to make decisions about consumers’ credit, insurance, employment and housing. At the state level, approximately 60 privacy laws were passed last year alone. The Attorneys General of each of the 50 states, as well as a legion of federal agencies – led by the Federal Trade Commission – each have broad imperatives to enforce these laws and bring to account those whose actions do harm to consumers.
Privacy Shield clarifies this amalgam of restrictions already governing data flows in the US. With respect to government surveillance, the Office of the Director of National Intelligence and the Department of Justice have provided letters describing the limitations on government access to data for intelligence and law enforcement purposes. These letters are significant on two levels. First, they lay out the US government’s binding commitments to apply the same protections to European citizen data that it applies to its own citizens’ data.
These commitments include the government’s fortification of citizens’ protections in the USA Freedom Act and the US Foreign Intelligence Surveillance Act, and the improvements in the operation of the Foreign Intelligence Surveillance Court. Second, these letters demonstrate that the US, and in particular the intelligence and law enforcement communities, take the European Court of Justice’s concerns seriously.
Of course, such assurances are only as good as one’s capacity to enforce them. To that end, Privacy Shield mandates the creation and appointment of an ombudsperson, within the State Department, who will operate independently of the national security agencies and be available exclusively to Europeans.
Any European citizen with concerns about US surveillance of his or her data may file a complaint to the ombudsperson, who will in turn verify that any surveillance measure has been implemented in accordance with law, and correct any anomalies or violations of the citizen’s rights. It is worth noting that the ombudsperson bears a striking resemblance to the National Oversight Commission — France’s own solution to the balancing of
individual rights and national security.
On the commercial side, Privacy Shield significantly enhances protections that had been built into Safe Harbor. For instance, Privacy Shield requires data controllers to obtain consent from Europeans before they share data with third parties, including affirmative, express consent to share sensitive data such as health information. Privacy Shield also compels data controllers to allow Europeans to access, correct, or delete their transferred data. Crucially, data controllers will have to require their business partners who receive information about Europeans to live up to these principles, as well.
Finally, a raft of new procedural safeguards will make it easier – and a lot less expensive – for European consumers to pursue justice when they have been wronged by a participating company. For instance, US companies that sign onto Privacy Shield must agree to provide independent recourse mechanisms at no cost to the complainant. Should this measure fail, individuals can then take the company to binding arbitration — once again at no cost to the individual – or to court.
Since Privacy Shield’s debut, in draft form, three months ago, a number of stakeholders in Europe have analyzed and critiqued it. Most significantly, Europe’s data protection watchdogs, collectively known as the Article 29 Working Party, welcomed Privacy Shield’s “significant improvements,” while suggesting some clarifications and expressing other continuing concerns.
The negotiating parties have spent the past three months enhancing Privacy Shield to address the Article 29 Working Party’s concerns. The resulting improvements include added restrictions on the ability of Privacy Shield companies to retain data about EU citizens, and a clearer articulation of the extent of the ombudsperson’s independence.
As I have traveled across Europe over the past months, I have heard various stakeholders voice an additional concern. They point out that, because Privacy Shield does not have the status of a treaty, a new US administration could water down Privacy Shield’s protections.
They are correct that Privacy Shield is not a treaty. The commitments of its signatories, however, are binding – on the part of both the US government and companies that voluntarily sign up. It is hard to conceive of a US administration that would not eagerly embrace Privacy Shield and work hard to implement its highest levels of protection. But if such an anomaly occurs, there is a failsafe.
The new framework requires Europeans and Americans to consult at least annually on the framework’s operation. And if the European Commission believes that the US is violating its commitments, it is empowered to suspend Privacy Shield.
Privacy Shield is not perfect — no large-scale regulatory framework is, especially not on the first pass. But perfection is not what the moment calls for. Instead, we should view Privacy Shield as a living framework. As I noted, the US Department of Commerce and EU Commission will engage in ongoing consultations about its effectiveness, and about whether the parties are living up to their commitments. The European Data Protection Authorities and the FTC will also hold continual discussions about enforcement issues under the framework.
The ultimate test of Privacy Shield’s effectiveness will be how well it works in practice in the months and years to come. As for today, I am confident in saying that the protections provided to European citizens under Privacy Shield are “essentially equivalent” to those they enjoy on their own soil.
The final decision about Privacy Shield’s adequacy will be made by the European Court of Justice. I am hopeful that the court will provide itself with the means to appreciate the full spectrum of protections built into Privacy Shield as they adjudicate the near-certain challenges to come.
Julie Brill is a partner at the Washington law firm Hogan Lovells and is a former Commissioner of Federal Trade Commission. Follow her on Twitter @JulieSBrill.