Out With the Safe Harbor and in With the Privacy Shield?
- In February, the European Commission and the United States announced an agreement on the EU-U.S. Privacy Shield, a replacement for the struck-down Safe Harbor Agreement
- The Safe Harbor had been the framework that many companies relied on to legally transfer the personal information of EU citizens back to the United States
- The much-anticipated agreement is supposed to address EU data protection concerns; however, a final agreement is not a done deal
On February 2, 2016, the European Commission and the United States announced an agreement on the EU-U.S. Privacy Shield, a replacement for the struck-down Safe Harbor Agreement that is intended to allow transatlantic flows of personal information to continue. The Safe Harbor was invalidated by the Court of Justice of the European Union in its October 2015 Schrems decision, which affected every company relying on the program to legally transfer personal data, such as payroll and HR information, across the Atlantic.
The absence of a replacement framework created serious obstacles for businesses operating globally, and government negotiators were left scrambling for a new solution before EU data protection authorities (DPAs) began enforcement actions against companies still relying on the defunct Safe Harbor. The much-anticipated agreement is supposed to address EU data protection concerns and assure the EU that the U.S. does not indiscriminately surveil EU citizens, a particular challenge given that the EU and U.S. have vastly different views of privacy.
What’s in the Agreement?
Under the Privacy Shield, companies will be required to self-certify that they are committed to the principles of the agreement. The draft adequacy decision released on February 29 goes into more detail; however, the key elements of the Privacy Shield include:
- Strong commitments to properly handle data. U.S. companies will be required to commit to “robust obligations on how personal data are processed and individual rights are guaranteed.” This will include greater transparency and tighter conditions for data transfers. The Department of Commerce will monitor adherence and the Federal Trade Commission will act as enforcer. Companies transferring human resources data will have to abide by European DPAs’ decisions.
- Safeguards on U.S. government access to data. The U.S. government told the EU in writing that government access to these data will be subject to limitations, safeguards, and oversight. The Department of Commerce and European Commission will conduct annual joint reviews of the agreement, including issues relating to national security access.
- Protection of EU citizens’ rights. The agreement provides several redress options for EU citizens who believe their personal data have been misused and DPAs will be able to refer citizen complaints to the Federal Trade Commission. Under the agreement, individuals will be able to submit a complaint to a company, which will have 45 days to respond. Individuals will also be able to refer their complaint to their home country DPA. The agreement provides free alternative dispute resolution as well as arbitration as a last resort. The agreement establishes an ombudsman, housed within the U.S. State Department, to handle complaints relating to the possible access of data by national intelligence authorities.
Although the draft adequacy decision was only just released, the College of Commissioners must still formally approve the program after consulting the EU’s privacy watchdog, the Article 29 Working Party (WP29), which is made up of the member states’ DPAs. The WP29 plans to complete its assessment of the Privacy Shield during its March plenary meeting and provide a final position on the agreement in April.
But WP29 discussions will not be limited to the legality of the Privacy Shield. The group will also consider whether alternate transfer mechanisms, including model clauses and binding corporate rules, are legally permissible.
FTC Commissioner Julie Brill has warned that the Privacy Shield will not be usable for some time, leaving companies that relied on the now-invalidated Safe Harbor wondering what actions to take. DPAs are able to handle privacy-related claims on a case-by-case basis, and countries have begun announcing their post-Schrems approaches to data transfers. Some, including France and Spain, have sent warnings to companies, but it appears that Germany is preparing to bring its first actions against “large international companies” still relying on the Safe Harbor framework.
The goal of the agreement was to address the privacy concerns outlined in Schrems; however, a final agreement is not a done deal. The DPAs still need to review and approve the agreement and doubt remains as to whether the agreement will go far enough to protect privacy rights, with a member of the European Parliament calling the agreement a “sellout of the fundamental EU rights to data protection.” Further complicating matters is the fact that some privacy and consumer groups have already indicated that legal challenges will be coming once the agreement goes into effect, as the Privacy Shield is seen by some as providing few changes to the Safe Harbor.
Penny Pritzker, the U.S. secretary of commerce, has said that these privacy-related disputes could “put at risk the thriving transatlantic digital economy.” Legal uncertainty surrounding the fate of the Privacy Shield, however, could leave some companies hesitant to use it even if approved this spring. What is clear at this point is that companies may no longer rely on the Safe Harbor as a means to transfer data to the United States. Stay tuned in the coming weeks and months.