European and American officials have recently launched the second annual review of the EU-US Privacy Shield. In a joint press release dated 19 October, the governments together reaffirmed “the need for strong privacy enforcement to protect our citizens and ensure trust in the digital economy.” However, the detailed review comes only weeks after the European Parliament urged the European Commission to suspend the agreement amidst security and privacy concerns.
Background and purpose
Designed by the United States Department of Commerce and the European Commission, the Privacy Shield is one of several mechanisms by which personal data can be sent and shared between entities in the EU and the United States. The Privacy Shield framework thereby protects the fundamental digital rights of individuals who are in the European Union, whilst encouraging transatlantic commerce.
This is particularly important given that the United States has no single, comprehensive law regulating the collection, use and security of personal data. Rather, the US uses a patchwork system of federal and state laws, together with industry best practice. At present, the United States as a collective jurisdiction fails to meet the data protection requirements established by EU lawmakers.
Today, more than 3,000 American organisations are authorised to receive transfers of personal data from the EU to the US, including Facebook, Google, Microsoft, Twitter, Amazon, Boeing, and Starbucks. A full list of Privacy Shield participants can be found on the privacyshield.gov website.
Complaints and non-compliance?
Although the Privacy Shield imposes stronger obligations than its predecessor, the now-obsolete “Safe Harbor”, European lawmakers have argued that “the arrangement does not provide the adequate level of protection required by Union data protection law and the EU Charter as interpreted by the European Court of Justice.”
In its motion to reconsider the adequacy of the Privacy Shield, the EU Parliament stated that “unless the US is fully compliant by 1 September 2018” the EU Commission would be called upon to “suspend the Privacy Shield until the US authorities comply with its terms.” The American ambassador to the EU, Gordon Sondland, responded to the criticisms, explaining: “There is no non-compliance. We are fully compliant. As we’ve told the Europeans, we really don’t want to discuss this any further.”
Věra Jourová, a Czech politician and lawyer who serves as the European Commissioner for Justice, Consumers and Gender Equality, expressed a different view: “We have a list of things which needs to be done on the American side” regarding the upcoming review of the international data transfer deal. “And when we see them done, we can say we can continue.”
The list from the Parliament and the First Annual Joint Review (WP29/255) concerns institutional, commercial, and national security aspects of data privacy, including:
- American surveillance powers and use of personal data for national security purposes and mass surveillance. In particular, the EU is unhappy with America’s re-authorisation of Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorises government collection of foreign intelligence from non-Americans located outside the United States
- Lack of auditing or other forms of effective regulatory oversight to verify whether certified companies actually comply with the Privacy Shield provisions
- Lack of guidance and information made available for companies
- Facebook and the Cambridge Analytica scandal, given that 2.7 million EU citizens were among those whose data was improperly used. The EU Parliament stated it is “seriously concerned about the change in the terms of service” for Facebook
- Persisting weaknesses regarding respect for the fundamental rights of European data subjects, including the lack of effective remedies in US law for EU citizens whose personal data is transferred to the United States
- The Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, signed into law in March 2018, which allows US law enforcement authorities to compel production of communications data even if it is stored outside the United States
- Uncertain outcomes regarding pending litigation currently before European courts, including Schrems II and La Quadrature du Net and Others v Commission.
What happens if the Privacy Shield is suspended?
In the event that the Privacy Shield is suspended, entities transferring European personal data to the United States will need to consider implementing alternative compliant transfer mechanisms, which could include the use of Binding Corporate Rules, Model Clauses, or establishing European subsidiaries. To ensure that the American data importer implements an efficient and compliant arrangement, such alternatives would need to be assessed on a case-by-case basis, involving a careful review of the data flows and of the controllers and processors involved.
Regardless of the method used to transfer data, American companies must ensure that they receive, store, or otherwise use European personal data only where lawfully permitted to do so. The joint statement noted above concluded by saying that the “U.S. and EU officials will continue to work closely together to ensure the framework functions as intended, including on commercial and national-security related matters.” The European Commission is currently analysing information gathered from its American counterparts, and will publish its conclusions in a report before the end of the year.
Could U.S. organisations be caught by the GDPR?
Furthermore, it is important to note that the European Union’s General Data Protection Regulation (“GDPR”), which came into force in May 2018, extended the territorial scope of European data protection laws. The GDPR applies to all organisations which offer goods or services to individuals who are in the European Union, or which monitor their behaviour – regardless of where the organisation is itself located. This means that U.S.-based entities should not only assess whether they can still rely on the Privacy Shield to cover EU personal data transfers, but also consider whether they are caught by the extra-territorial remit of the GDPR.
As stated above, a suitable legal privacy compliance strategy would help such organisations to identify the issues and implement suitable legal solutions. If you have any questions regarding data privacy or commercial technology, please contact Jose Saras.