By: Paul L. Kendall, Accudata Systems
In October 2015, the European Court of Justice (ECJ) ruled in Schrems v Data Protection Commissioner (Case C-362/14) that the transatlantic Safe Harbor agreement, which allowed American companies to use one standard for consumer privacy and data storage in both the US and Europe, was invalid. The ruling came because the documents leaked by Edward Snowden showed that European data stored by US companies was not safe from surveillance that would be illegal in Europe.
As a result, EU and US officials hurried to put together a replacement, and in July 2016, released the EU-US Privacy Shield. In principle, the goals of both agreements are identical: participating companies must treat data originating from the EU in accordance with EU law, regardless of its location. As with Safe Harbor, companies self-certify their compliance. The difference between the two resides in the safeguards that make sure companies and governments abide by the rules:
- The US Department of Commerce is now responsible for ensuring companies are meeting the higher data privacy requirements.
- Any individual whose data originates from the EU (not just Europeans) can complain if they believe their rights have been violated. Those complaints will be forwarded to the relevant US department and handled “expeditiously” and “at no cost to the individual.”
- The US has “ruled out indiscriminate mass surveillance on personal data transferred to the US,” and promised bulk collection would “only be used under specific preconditions and needs to be as targeted and focused as possible.”
- Complaints pertaining to data transferred on “national security grounds” (as defined in the Privacy Shield language) will be handled by an ombudsperson, who should work impartially and independently of all federal security agencies.
The tech industry was represented in the discussions surrounding Privacy Shield by DigitalEurope, a collective of companies and trade associations. The agreement was generally well received, with Microsoft stating in a blog post the decision “sets a new high standard for the protection of Europeans’ personal data.”
What Has Changed?
From the outset, the EU-US Privacy Shield has had its critics. Two of these are especially noteworthy:
- Privacy International’s legal officer Tomaso Falchetta said Privacy Shield will be “a field day for law firms.” The key point of his argument is this: “Given the flawed premises — trying to fix data protection deficit in the U.S. by means of the Obama Administration’s assurances as opposed to meaningful legislative reform — it is not surprising that the new Privacy Shield, at least as it appears in the leaked version, remains full of holes and offers limited protections.”
- Max Schrems, an attorney and privacy activist whose complaint against Facebook’s data practices set in motion a chain of events that killed Safe Harbor, stated, “It’s the same as Safe Harbor with a couple of additions, and it’s going to fail like the one before…It’s better than Safe Harbor, obviously, but far from what the ECJ has asked for.”
During his January 2017 confirmation hearing before the US Senate Commerce Committee, incoming US Secretary of Commerce Wilbur Ross stated that he would uphold the Privacy Shield agreement. However, he hinted that this might change in the future. “The agreements that exist obviously exist, but I think going forward there will be a tension between privacy on one hand and problems of localization and data and the implications that they have for the internet as we go forward,” Ross said.
Last month, the data protection authorities of the German states of Hessen and Bavaria released a statement regarding the EU-US Privacy Shield. The statement announces that both authorities have extensive information about the Privacy Shield on their websites, including a unified complaint form for data subjects.
Additionally, the European Commission is closely following the debate in Congress over whether to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA), which authorizes US intelligence agencies to collect the Internet communications of non-US persons located outside the US and is due to expire at the end of this year. A vote to reauthorize Section 702 without any safeguards for the data of EU residents will only strengthen the arguments of critics who want the Privacy Shield scrapped.
At the present time, the EU is standing by the European Commission's Implementing Decision of 12 July 2016, which found that the current structure of the Privacy Shield and the accompanying Umbrella Agreement are sufficient to address these concerns. This does not mean, however, that the support will still be there once the annual review process that is currently underway has been completed.
Privacy Shield Review
The EU and US are currently conducting the first joint annual review of the Privacy Shield, with a report planned for publication in September. Prior to the start of the review, the Article 29 Working Party (WP29), an advisory body made up of representatives of the national data protection authorities of each EU member state, sent a letter to the European Commission detailing its concerns about the framework. The WP29 has described the review as “a fact-finding mission in order to collect the relevant information and necessary evidence to assess the robustness of the Privacy Shield.”
The WP29 is concerned with both the commercial elements and the law enforcement/national security elements of the framework. Its concerns include recent developments in US law that might affect privacy, and the fact that the ombudsperson role created as part of the data transfer framework has yet to be filled on a permanent basis. To complicate matters further, the Congressional debate over reforming Section 702 of FISA, and its implications for how the data of non-US persons can be treated by US national security agencies, is also a major point of concern for the WP29.
Two items are particularly of interest in this review:
- On the commercial side, WP29 wants to know whether any legal guarantees exist regarding automated decision-making, and whether the US Department of Commerce has issued any guidance on how the Privacy Shield principles apply to organizations acting as agents/processors. It will also seek clarification of the definition of human resources data.
- Regarding the law enforcement and national security part, WP29 has questions relating in particular to the latest developments of US law and jurisprudence in the field of privacy. The WP29 also seeks, inter alia, precise evidence to show that bulk collection, when it exists, is “as tailored as feasible,” limited and proportionate.
What Happens Next?
Given the current lack of a strategic, or even tactical, direction for US cybersecurity policy, and the current state of relations between the US and the EU, the European Commission will likely determine that the US cannot adequately protect the privacy of EU residents' data under the current EU-US Privacy Shield. If so, the Commission will almost certainly revoke the adequacy decision, and transatlantic transfers will have to satisfy the requirements of the EU's General Data Protection Regulation (GDPR) by other means.
Whether or not the Privacy Shield survives, companies in scope of the GDPR will be expected to be compliant on or before May 25, 2018, the date the regulation becomes enforceable throughout the EU. There are varying degrees of concern about this; the extent to which a company was actually in compliance with the Privacy Shield will have some effect on its ability to be ready for the GDPR on that date.
The new regulation (unlike its predecessor, Directive 95/46/EC, it applies directly in every member state without national implementing law) requires that companies clearly and unambiguously inform users, in plain language, what information about them is being collected and how it will be used, and, where consent is the legal basis relied on, obtain that consent for the use. “A lot of the language in this regulation has been sharpened in response to US companies walking very close to the line as far as complying with EU data protection regulations,” said Danny O’Brien, the International Director of the Electronic Frontier Foundation, a San Francisco-based cyber rights group.
GDPR compliance will be a serious challenge for many businesses. Organizations that may have thought themselves unregulated will find that they must become compliant simply by offering goods and services to EU residents, who will have significant legal recourse. Organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data must appoint a Data Protection Officer (DPO), as is already mandatory in some EU countries. Compliance will require addressing numerous questions about the organization's security and privacy capabilities, and carries significant (and potentially costly) regulatory and litigation risk for non-compliance.
The EU Commission is expanding and empowering the Data Protection Authorities (DPAs). DPAs’ regulatory enforcement powers are being extended, budgets expanded, and investigatory powers enhanced. DPAs are responsible for enforcing data protection laws at a national level, as well as providing guidance on the interpretation of those laws. Each DPA is appointed at a national level, through national legislation. Its jurisdiction and enforcement powers are largely restricted to the territory of its own Member State.
Privacy Impact Assessments, or PIAs (the GDPR calls them Data Protection Impact Assessments, or DPIAs, in Article 35), document that an organization has considered the risks associated with its particular personal data practices and taken reasonable steps to control or mitigate them. The GDPR mandates a DPIA for any processing likely to result in a high risk to individuals, and its accountability principle requires controllers to be able to demonstrate compliance to the supervisory authority on request, so DPIAs and related risk assurance records, from internal audit testing onward, should be maintained as evidence that can be produced externally.
Finally, while the GDPR shares statutory risk more evenly between controller and processor (processors become directly liable for the first time and may process only on the controller's documented instructions, under Article 28), this will also concentrate risk in cloud and managed service providers. Providers will need to require disclosure of all processing activities on their systems (colocation, cloud, etc.) that involve the data of individuals in the EU, in order to be certain that they themselves are GDPR compliant.
The GDPR is a fundamental paradigm shift in privacy legislation. As such, it will require US companies to address issues that they have heretofore largely been able to ignore. Under the Privacy Shield, the EU pursues violations through the US Department of Commerce (with enforcement actions brought by the Federal Trade Commission). The current political environment casts some doubt on whether that avenue will remain available. For larger companies, however, especially those with a significant physical or online presence in the EU, the DPAs and the EU courts retain a wide range of remedies, from administrative fines to judicial relief, that do not depend on US cooperation.
PricewaterhouseCoopers (PwC) recently surveyed C-suite executives of American multinational companies about their plans for GDPR. The survey results revealed the following:
- Over half of US multinationals say GDPR is their top data-protection priority
- Information security enhancement is a top GDPR initiative
- 77% plan to spend $1 million or more on GDPR compliance
In closing, it is less than a year until the GDPR becomes enforceable, and non-compliance is not being taken lightly by the EU. Several of the DPAs have indicated that they intend to begin issuing audit notices in late April 2018. One DPA officer was even overheard to say that they intend to begin issuing fines on May 26, 2018, the day after the regulation takes effect.
Notes
- “Overview of the EU-U.S. Privacy Shield Framework.” Fact Sheet, US Department of Commerce. https://www.commerce.gov/sites/commerce.gov/files/media/files/2016/eu-us_privacy_shield_fact_sheet.pdf. Retrieved 27 June 2017.
- “European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows.” European Commission press release, 12 July 2016. http://europa.eu/rapid/press-release_IP-16-2461_en.htm. Retrieved 27 June 2017.
- DigitalEurope's membership includes, among others, Apple, Dropbox, Google, Microsoft, Samsung, and Sony.
- “Microsoft signs up for Privacy Shield.” Microsoft EU Policy Blog, 1 August 2016. https://blogs.microsoft.com/eupolicy/2016/08/01/microsoft-signs-up-for-privacy-shield/. Retrieved 27 June 2017.
- “Max Schrems warns Privacy Shield deal between U.S. and Europe will fail.” Digital Trends, 13 July 2016. https://www.digitaltrends.com/computing/privacy-shield-max-schrems/. Retrieved 27 June 2017.
- “Data-Sharing With EU Could Change Under New Commerce Secretary.” Morning Consult, 18 January 2017. https://morningconsult.com/2017/01/18/data-sharing-eu-change-new-commerce-secretary/. Retrieved 27 June 2017.
- “Questions and Answers on the EU-US data protection ‘Umbrella agreement.’” European Commission press release, 8 September 2015. http://europa.eu/rapid/press-release_MEMO-15-5612_en.htm. Retrieved 27 June 2017.
- “Commission Implementing Decision of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.” European Commission, 12 July 2016. http://ec.europa.eu/justice/data-protection/files/annexes_eu-us_privacy_shield_en.pdf. Retrieved 27 June 2017.
- “Privacy Shield Review: A Warning Shot?” SCL: The IT Law Community. https://www.scl.org/news/3940-privacy-shield-review-a-warning-shot. Retrieved 27 June 2017.
- “New EU privacy rule could cost U.S. firms billions.” Electronic Frontier Foundation, 14 December 2015. https://www.eff.org/mention/new-eu-privacy-rule-could-cost-us-firms-billions. Retrieved 27 June 2017.
- Kinney, Steve. “The Business Impacts of the General Data Protection Regulation: Part Two.” International Association of Privacy Professionals, 24 March 2015. https://iapp.org/news/a/the-business-impacts-of-the-general-data-protection-regulation-2/. Retrieved 27 June 2017.
- Gabel, D., and T. Hickman. “Chapter 14: Data Protection Authorities – Unlocking the EU General Data Protection Regulation.” White & Case LLP, 22 July 2016. https://www.whitecase.com/publications/article/chapter-14-data-protection-authorities-unlocking-eu-general-data-protection. Retrieved 27 June 2017.
- “Pulse Survey: US Companies ramping up General Data Protection Regulation (GDPR) budgets.” PricewaterhouseCoopers. https://www.pwc.com/us/en/increasing-it-effectiveness/publications/gdpr-readiness.html. Retrieved 27 June 2017.