The EU Commission and the U.S. have agreed on a new framework for transatlantic data flows, igniting a flurry of #SafeHarbor tweets, many skeptical and some incredulous, and prompting every law firm that’s ever looked at a data protection case to send out a client alert. But the alerts were fairly vague for memos intended to advise clients on how to stay legally compliant. That’s because the announcement itself, that a framework had indeed been agreed upon, came without a formal text to accompany it.
Those who opposed Safe Harbor because U.S. surveillance policy gave U.S. law enforcement access to EU citizens’ data largely remained unimpressed with the new "EU-U.S. Privacy Shield," while those who’d hoped for Safe Harbor’s continued viability say they’re impressed that both sides of the table were able to come to agreement, and that the new framework promises to be more viable and robust than its predecessor.
This new Privacy Shield aims to comply with the requirements the Court of European Justice outlined when it declared Safe Harbor invalid in October 2015. It specifically provides mechanisms for greater oversight and enforcement by the U.S. Department of Commerce and the Federal Trade Commission. It places more stringent obligations on U.S. companies to protect EU citizens’ personal data, and it provides an opportunity for EU citizens to complain via a new ombudsperson, who will sit within the U.S. State Department. Negotiators of the deal have promised vigilance and immediate action should the framework reveal flaws.
U.S. Department of Commerce Secretary Penny Pritzker said during a press call she’s confident Commerce has met the requirements of the Court of European Justice’s ruling in the Schrems case, as well as the various issues that have arisen regarding Safe Harbor.
A senior Commerce official said the agreement demonstrates the government’s commitment to the framework and will be, indeed, legally binding. “It’s the same model that was followed when [Safe Harbor] was put in place, and that lasted 15 years,” the official said.
But that’s exactly what has some worried.
Green MEP Jan Philipp Albrecht said in an initial reaction statement the new framework “amounts to little more than a reheated serving of the pre-existing Safe Harbor decision." In a separate interview, he told The Privacy Advisor the framework provides “not any benefit for EU persons,” for three reasons.
First, the U.S. administration’s assurance that there would be no indiscriminate surveillance of EU citizens based on Presidential Policy Directive 28 means nothing, because that assurance had already been made prior to this new framework.
“The court in Luxembourg knew about that clarification,” he said.
Second, the FTC’s assurance that there will be annual reviews of the new framework is, again, nothing new and “doesn’t give any legal change to the situation of EU persons,” Albrecht said. “It just gives better oversight of the enforcement that is already in place under Safe Harbor. We already have an annual review with the FTC doing that every year.”
Third, the complaint mechanisms are meaningless. The Luxembourg court clearly said in invalidating Safe Harbor that redress opportunities for EU citizens must be given in a legally binding way.
“The problem is, in U.S. law, this is limited to U.S. citizens and residents,” Albrecht said. “Especially with the foreign surveillance framework, there is no way to get any legally binding redress.”
Sure, the framework calls for an ombudsman. But Albrecht said the ombudsman will “only be there to be another messenger” and “there’s no legal change” provided.
Albrecht isn’t alone in his assertion that nothing much has changed. Austrian activist Max Schrems, who’s best known for taking down Safe Harbor 1.0, tweeted a picture of a pig wearing lipstick – referencing the old phrase, “you can put lipstick on a pig, but at the end of the day, it’s still a pig.” Schrems also took issue with the fact that there still isn’t an actual text to react to, which Albrecht also acknowledged, and objected to the legality of the deal being cemented via an "exchange of letters."
Albrecht said maybe the text will surprise him and include a game-changing enforcement provision. But he doesn’t see that happening, because the FTC only has a mandate under U.S. law.
“There is no other way to do litigation or enforcement,” he said. “I can be proved wrong if the text shows there’s a legally binding arbitration panel which takes real measures and enforcement that goes beyond the FTC mandate. This would be good. But under the line, the legal situation stays just as it is.”
Michael Whitener, an attorney at VLP Law, wondered whether those interested in using the Privacy Shield as a transfer mechanism will be allowed to “self-certify” as was permitted under Safe Harbor, to the ire of the European Commission.
“The EU Commission’s announcement indicates that U.S. companies ‘will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.’ But isn’t that exactly what they committed to under the previous Safe Harbor principles?” Whitener asked.
But Brian Hengesbaugh, who negotiated Safe Harbor 1.0 in the late '90s when he was at the Department of Commerce, was thrilled to see a framework announced. He feels differently than Albrecht and Schrems. In fact, he’s on the opposite end of the spectrum. He says both sides of the Atlantic should be encouraged and congratulated, and he says this deal feels different from Safe Harbor. In 2000, the primary concern was with commercial privacy issues. It was pre-9/11 and pre-PATRIOT Act. So while there were certainly concerns from the EU about data transfers to the U.S., details on how national security would apply to the deal didn’t take center stage.
“This one is different in that it takes all those rules that were developed and adds a number of big dimensions and process and procedures and more oversight,” Hengesbaugh said. “And you even heard a bit of a hint that there’s more in terms of onward transfer requirements, even a little bit more in terms of the substance on the commercial side.”
Hengesbaugh adds, however, that he wonders how the more robust framework might play against alternative data transfer mechanisms.
“When the EU Court of Justice opinion was written, it cast a shadow on all kinds of mechanisms,” he said. “It cast a doubt on model clauses and BCRs, which still have that threat of access by U.S. government and national security agencies. So I wonder if going forward, the irony might be that the EU/U.S. Privacy Shield actually provides better protection and more certainty than other mechanisms.”
Article 29 Working Party Chair Isabelle Falque-Pierrotin expressed similar thoughts about BCRs and SCCs being affected by the Privacy Shield framework.
Abhishek Agarwal is chief privacy officer for Baxter Healthcare, a global company headquartered in Chicago, Illinois. He thinks the framework is a good start, but the key issue will be enforcement. His company saw the writing on the wall long before the CJEU invalidated Safe Harbor and put its resources behind model clauses as a transfer mechanism. He says his company will watch developments on the Privacy Shield closely, but he puts his company in line with myriad others who were wary of relying on Safe Harbor and so did the necessary grunt work before Safe Harbor actually met its demise.
“Frankly, global organizations are always prepared for such risk in terms of compliance, because when you launch a product in a marketplace these days, most organizations are very particular about acknowledging and respecting EU citizens’ rights,” he said. “In general, I think organizations who have not thought through this in terms of only relying on Safe Harbor, they may have more work to do.”
It’s early yet to determine how industry will react to the framework itself, but the Computer & Communications Industry Association was quick to issue a statement welcoming the new agreement.
Its international policy director, Christian Borggreen, said the framework “will provide strong privacy safeguards for consumers and legal certainty for the thousands of companies that depend on transatlantic data flows.”
It called on European data protection authorities to endorse the framework in the name of keeping commercial data transfer viable.
But Fieldfisher’s Phil Lee, CIPP/E, falls somewhere between Schrems and Albrecht on one side and the more optimistic Hengesbaugh and the CCIA on the other.
Lee says the big question here is, “is it enough?” And he doesn’t just mean legally.
“The real issue is whether it will achieve industry, regulatory and data subject acceptance. That’s far from guaranteed,” he says. “If the EU-U.S. Privacy Shield doesn’t achieve ‘market’ acceptance on transatlantic deals, then it’s effectively useless. That would be a real shame.”
Lee said the European Commission and the Department of Commerce are going to have to win over some hearts and minds. But he suspects there are going to be challenges to the framework itself by civil liberties groups and even some data protection authorities.
So what happens next?
European Commission Vice-President Andrus Ansip and Commissioner Věra Jourová will prepare an “adequacy draft” to be shown to the Article 29 Working Party and member states. Expect a draft in roughly three weeks.
Hengesbaugh said he anticipates the process going “relatively smoothly” given that the constituencies have “firmly in mind both the protection of privacy and data protection as well as the health of the digital economy.”
The senior Commerce official said Commerce will hold a series of briefings on the new framework and a grace period will allow leeway for organizations to implement changes.
For now, Albrecht and his peers are hoping there’s a change before this deal is formalized.
“Of course we welcome that there are steps taken to get a new framework done,” he said. “But … this is not the improvement which would be needed to bring this framework in line with EU law.”