Privacy Shield Deal Leaves Data Protection Chiefs, Companies Scratching Their Heads
European data protection officials are largely in the dark about the EU-U.S. Privacy Shield, said Article 29 Data Protection Working Party (WP) Chairwoman Isabelle Falque-Pierrotin at a Wednesday media briefing. The new arrangement for the trans-Atlantic transfer of Europeans' personal data was announced Tuesday to cheers from industry and skepticism from privacy groups and others (see 1602020040). The WP hasn't seen the documents, so it can't analyze them to see if the new regime is legally binding and relieves all of the concerns raised by the European Court of Justice (ECJ) Schrems decision, Falque-Pierrotin said.
Until that analysis is complete, only companies that don't use binding corporate rules (BCRs) or model contract clauses and continue to rely on the now-illegal safe harbor agreement risk enforcement, Falque-Pierrotin said. The short-on-detail new plan also means headaches for organizations, lawyers told us.
The WP asked both parties in October to find an agreement before Jan. 31, and is satisfied that negotiators met that strict time schedule, said Falque-Pierrotin, who chairs French data protection authority Commission Nationale de l'Informatique et des Libertés. But the accord is "still words from the [European] Commission," she said. The legal aspects of the new arrangement are "still unclear for us," she said. The WP's assessment can't begin until it has the actual documents, which it urged the EC to provide by month's end, she said. If that happens, the WP will have an extraordinary plenary session in March aimed at arriving at final conclusions by mid- to late April, she said.
Since October, when the WP urged the EU and U.S. to solve the legal and technical problems caused by Schrems (see 1510160030), the WP has been assessing the robustness of BCRs and model contract clauses, Falque-Pierrotin said. It also looked at the current legal framework and practices of U.S. intelligence services and whether they allow any unjustified interference with Europeans' privacy rights, she said. The group consulted extensively with European and American experts, held hearings with representatives from the business sector, academia and civil society, and wrote to U.S. officials, she said.
Any agreement must contain four "essential guarantees," Falque-Pierrotin said. The transfer process must be based on clear, precise access rules, and any access to Europeans' personal data must be necessary and proportionate. There must be an independent oversight mechanism for the access, and effective remedies for misuse of people's data. These guarantees constitute a kind of European standard that must be applied to any transfer of personal data to the U.S. or even to other EU countries, she said. The WP recognizes U.S. efforts to improve data protection for people outside the U.S. but remained concerned about all four elements, particularly scope and remedies, she said: That was before Privacy Shield, which "changes the situation." Now, the WP needs to decide whether the new arrangements resolve any of those issues, she said. The WP also has concerns about scope, surveillance and remedies in connection with BCRs and model contractual clauses, she said.
Companies can continue to use BCRs and model clauses without risk of enforcement until the WP has completed its analysis and Privacy Shield has been finalized, Falque-Pierrotin said. Businesses relying on safe harbor and not using BCRs or model clauses could face enforcement from some data protection authorities, particularly where there have been complaints, she said. But many companies have already shifted from safe harbor to the other mechanisms, she noted.
"This extends the current uncertainty [for businesses] by at least two months, as it is unconfirmed whether model clauses and BCR provide adequate protection against government access to data," Hogan Lovells (London) data protection attorney Eduardo Ustaran told us. It's too early to say if national privacy regulators will support the Privacy Shield, said Linklaters (Brussels) data protection attorney Tanguy Van Overstraeten: They're independent from the EC, and if they don't buy the new arrangement, it will be "dead in the water."
An even bigger concern is regulators' review of the other transfer mechanisms, said Linklaters (London) tech and telecom lawyer Richard Cumbley. If model contracts don't work, "this is no longer a question of moving from compliance model A to compliance model B," he said. "It will instead require companies to completely re-engineer their systems and processes."
There will be questions about when companies should recertify under the new program, how to handle the huge flow of 4,000-plus organizations that would resubmit their certifications, and what to do about certifications that have expired since safe harbor was scuttled in October, DLA Piper attorney Jim Halpert said at a Wednesday Bloomberg Law privacy and data security forum in Washington. There's some uncertainty about whether there will be enforcement in the interim, "but you're not out of the woods yet during this period before the Privacy Shield agreement is actually considered for ratification in Europe," he said. Businesses that now use standard contractual clauses need to keep them in place to remain compliant, he added.
Companies should think about two types of data post-Privacy Shield, said Jim Koenig, Paul Hastings cybersecurity and privacy lawyer. There are some indications human resources data will be treated differently, he said. Most companies use safe harbor for HR, but now data protection authorities in Europe could have rights they lacked before to investigate and enforce, he said. The second change is the increasing sharing of information for security purposes and the implications of using personal data that might be incorrect, he said.
Meanwhile, reaction to the announcement of Privacy Shield continued. It gives safe harbor "serious teeth," said Baker & McKenzie (London) data protection lawyer Dyann Heward-Mills. It's a "victory for business certainty and consumer trust," she emailed. But European Parliament Member Claude Moraes, of the Group of the Progressive Alliance of Socialists and Democrats and U.K., said the new agreement has "too much in common" with the previous safe harbor, may not be legally binding on either party, and doesn't involve any actual change to U.S. law.
The agreement "will require strict scrutiny," said European Consumer Organisation Director General Monique Goyens. So far, it's "highly uncertain" that the Privacy Shield responds to the requirements set out by the ECJ, she said. TechFreedom President Berin Szoka said the Privacy Shield is a tactic to delay review of U.S. spying.