News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How sturdy is the Privacy Shield? Related reading: Commission, Commerce announce new EU-US data transfer agreement

rss_feed

The EU Commission and the U.S. have agreed on a new framework for transatlantic data flows, igniting a flurry of #SafeHarbor tweets, many skeptical and some incredulous, and prompting every law firm that’s ever looked at a data protection case to send out a client alert. But the alerts were fairly vague for memos intended to advise clients on how to stay legally compliant. That’s because the announcement itself, that a framework had indeed been agreed upon, was without a formal text to accompany it.

Those who opposed Safe Harbor because of U.S. law enforcement access to EU citizens data under U.S. surveillance policy remained unimpressed with the new "EU-U.S. Privacy Shield," largely, while those who'd hoped for Safe Harbor's continued viability say they're impressed both sides of the table were able to come to agreement and the new framework promises to be more viable and robust than its predecessor. 

This new Privacy Shield aims to comply with the requirements the Court of European Justice outlined when it declared Safe Harbor invalid in October 2015. It specifically provides mechanisms for greater oversight and enforcement by the U.S. Department of Commerce and the Federal Trade Commission. It places more stringent obligations on U.S. companies to protect EU citizens’ personal data, and it provides an opportunity for EU citizens to complain via a new ombudsperson, who will sit within the U.S. State Department. Negotiators of the deal have promised vigilance and immediate action should the framework reveal flaws.

U.S. Department of Commerce Secretary Penny Pritzker said during a press call she’s confident Commerce has met the requirements of the Court of European Justice’s ruling in the Schrems case, as well as the various issues that have arisen regarding Safe Harbor.

A senior Commerce official said the agreement demonstrates the government’s commitment to the framework and will be, indeed, legally binding. “It’s the same model that was followed when [Safe Harbor] was put in place, and that lasted 15 years,” the official said.

But that’s exactly what has some worried. 

Green MEP Jan Philipp Albrecht said in an initial reaction statement the new framework “amounts to little more than a reheated serving of the pre-existing Safe Harbor decision." In a separate interview, he told The Privacy Advisor the framework provides “not any benefit for EU persons,” for three reasons.

First, the U.S. administration’s assurance that there would be no indiscriminate surveillance of EU citizens based on Presidential Policy Directive 28 means nothing, because that assurance had already been made prior to this new framework.

“The court in Luxembourg knew about that clarification,” he said.

Second, the FTC’s assurance that there will be annual reviews of the new framework is, again, nothing new and “doesn’t give any legal change to the situation of EU persons,” Albrecht said. “It just gives better oversight of the enforcement that is already in place under Safe Harbor. We already have an annual review with the FTC doing that every year.”

Third, the complaint mechanisms are meaningless. The Luxembourg court clearly said in invalidating Safe Harbor that redress opportunities for EU citizens must be given in a legally binding way 

“The problem is, in U.S. law, this is limited to U.S. citizens and residents,” Albrecht said. “Especially with the foreign surveillance framework, there is no way to get any legally binding redress.”

Sure, the framework calls for an ombudsman. But Albrecht said the ombudsman will “only be there to be another messenger” and “there’s no legal change” provided.  

Albrecht isn’t alone in his assertion that nothing much has changed. Austrian activist Max Schrems, who’s best known for taking down Safe Harbor 1.0, Tweeted a picture of a pig wearing lipstick – referencing the old phrase, “you can put lipstick on a pig, but at the end of the day, it’s still a pig.” Schrems also took issue with the fact that there still isn’t an actual text to react to, which Albrecht acknowledged also, and objected to the legality of the deal being cemented via an "exchange of letters."

Albrecht said maybe the text will surprise him and include a game-changing enforcement provision. But he doesn’t see that happening, because the FTC only has a mandate under U.S. law.

“There is no other way to do litigation or enforcement,” he said. “I can be proved wrong if the text shows there’s a legally binding arbitration panel which takes real measures and enforcement that goes beyond the FTC mandate. This would be good. But under the line, the legal situation stays just as it is.”   

Michael Whitener, an attorney at VLP Law, wondered whether those interested in using the Privacy Shield as a transfer mechanism will be allowed to “self-certify” as was permitted under Safe Harbor, to the ire of the European Commission.

“The EU Commission’s announcement indicates that U.S. companies ‘will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.’ But isn’t that exactly what they committed to under the previous Safe Harbor principles?” Whitener asked.

But Brian Hengesbaugh, who negotiated Safe Harbor 1.0 in the late '90s when he was at the Department of Commerce, was thrilled to see a framework announced. He feels differently than Albrecht and Schrems. In fact, he’s on the opposite end of the spectrum. He says both sides of the Atlantic should be encouraged and congratulated, and he says this deal feels different from Safe Harbor. In 2000, the primary concern was with commercial privacy issues. It was pre-9/11 and pre-PATRIOT Act. So while there were certainly concerns from the EU about data transfers to the U.S., details on how national security would apply to the deal didn’t take center stage.

“This one is different in that it takes all those rules that were developed and adds a number of big dimensions and process and procedures and more oversight,” Hengesbaugh said. “And you even heard a bit of a hint that there’s more in terms of onward transfer requirements, even a little bit more in terms of the substance on the commercial side.”

Hengesbaugh adds, however, that he wonders how the more robust framework might play against alternative data transfer mechanisms.

“When the EU Court of Justice opinion was written, it cast a shadow on all kinds of mechanisms,” he said. “It cast a doubt on model clauses and BCRs, which still have that threat of access by U.S. government and national security agencies. So I wonder if going forward, the irony might be that the EU/U.S Privacy Shield actually provides better protection and more certainty than other mechanisms.” 

Article 29 Working Party Chair Isabelle Falque-Pierriotin expressed similar thoughts about BCRs and SCCs being affected by Shield's framework. 

Abhishek Agarwal is chief privacy officer for Baxter Healthcare, a global company headquartered in Chicago, Illinois. He thinks the framework is a good start, but the key issue will be enforcement. His company saw the writing on the wall long before the CJEU invalidated Safe Harbor and put its resources behind model clauses as a transfer mechanism. He says his company will watch developments on the Privacy Shield closely, but he puts his company in line with myriad others who were wary of relying on Safe Harbor and so did the necessary grunt work before Safe Harbor actually met its demise.

“Frankly, global organizations are always prepared for such risk in terms of compliance, because when you launch a product in a marketplace these days, most organizations are very particular about acknowledging and respecting EU citizens’ rights,” he said. “In general, I think organizations who have not thought through this in terms of only relying on Safe Harbor, they may have more work to do.”

It’s early yet to determine how industry will react to the framework itself, but The Computer & Communications Industry Association was quick to issue a statement welcoming the new agreement.

Its international policy director, Christian Borggreen, said the framework “will provide strong privacy safeguards for consumers and legal certainty for the thousands of companies that depend on transatlantic data flows.”

It called on European data protection authorities to endorse the framework in the name of keeping commercial data transfer viable.

But Fieldfisher’s Phil Lee, CIPP/E, falls somewhere in the middle of Schrems and Albrecht on one side, and the more optimistic Hengesbaugh and the CCIA.

Lee says the big question here is, “is it enough?” And he doesn’t just mean legally.

“The real issue is whether it will achieve industry, regulatory and data subject acceptance. That’s far from guaranteed,” he says. “If the EU-U.S. Privacy Shield doesn’t achieve ‘market’ acceptance on transatlantic deals, then it’s effectively useless. That would be a real shame.”

Lee said the European Commission and the Department of Commerce are going to have to win over some hearts and minds. But he suspects there are going to be challenges to the framework itself by civil liberties groups and even some data protection authorities.

So what happens next?  

European Commission Vice-President Andrus Ansip and Commissioner Věra Jourová will prepare an “adequacy draft” to be shown to the Article 29 Working Party and member states. Expect a draft in roughly three weeks.

Hengesbaugh said he anticipates the process going “relatively smoothly” given that the constituencies have “firmly in mind both the protection of privacy and data protection as well as the health of the digital economy.”

The senior Commerce official said Commerce will hold a series of briefings on the new framework and a grace period will allow leeway for organizations to implement changes.

For now, Albrecht and his peers are hoping there’s a change before this deal is formalized.

“Of course we welcome that there are steps taken to get a new framework done,” he said. “But … this is not the improvement which would be needed to bring this framework in line with EU law.”

Author
Headshot Angelique Carson Nonmember Contributor
Tags
Europe
U.S.
Enforcement
FTC
Privacy Law
Privacy Operations Management
Surveillance
Transborder Data Flow
Comments

If you want to comment on this post, you need to login.

Related Stories
A new Safe Harbor? Yes, it's possible
In Schrems, the Court of Justice of the EU (CJEU) found the Safe Harbor agreement, which enabled the transfer of personal data from the EU to the U.S., to be invalid. The EU Commission is trying to reach a new agreement with the U.S. government by this month’s end, although the incoming Dutch presid...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Enforcement
FTC
Privacy Law
Privacy Operations Management
Surveillance
Transborder Data Flow
Recent Comments