After two years of negotiations, and several major obstacles, including the invalidation of the Safe Harbor by a European court, the U.S. Department of Commerce released details today of the EU-U.S. Privacy Shield. The 132-page “package” includes the Privacy Shield Principles and an Arbitral Model, as well as letters from the DOC, U.S. Federal Trade Commission, Department of Transportation, Office of the Director of National Intelligence, Department of State, and the Justice Department.
“On behalf of the United States, I am pleased to transmit herewith a package of EU-U.S. Privacy Shield materials that is the product of two years of productive discussions among our teams,” DOC Secretary Penny Pritzker wrote in a letter to Vera Jourová, the European Commissioner for Justice, Consumers, and Gender Equality. “This package, along with other material available to the Commission from public sources, provides a very strong basis for a new adequacy finding by the European Commission.”
Jourová tweeted:
The new #PrivacyShield will bring robust #EUDataP for Europeans' data in the U.S. Trust is key for transatlantic data transfer @AnsipEU
— Věra Jourová (@VeraJourova) February 29, 2016
Notably, companies must self-certify they agree to and will comply with the Privacy Shield Principles.
The package names U.S. Under Secretary of State Catherine Novelli as the point of contact for the Ombudsman mechanism, a role “through which authorities in the EU will be able to submit requests on behalf of EU individuals regarding U.S. signals intelligence practices,” wrote U.S. Secretary of State John Kerry. An Annex includes more details of how the Ombudsperson mechanism will work.
Critics have pointed out that an Ombudsperson should be independent from the government to be truly effective. Kerry, however, wrote, “Under Secretary Novelli is independent from the U.S. intelligence community, and reports directly to me.”
In a separate letter, Office of the Director of National Intelligence General Counsel Robert Litt outlines steps taken by the U.S. to reform signals intelligence, provide oversight mechanisms and transparency, “and the overall protections for privacy and civil liberties, in order to assist the European Commission in making a determination about the adequacy of those protections as they relate to the national security exception to the Privacy Shield principles.”
Litt also noted, in what Reuters reported was a last-minute change, that “without confirming or denying media reports alleging that the U.S. Intelligence Community collects data from transatlantic cables while it is being transmitted to the United States, were the U.S. Intelligence Community to collect data from transatlantic cables, it would do so subject to the limitations and safeguards set out herein, including the requirements” of President Obama’s Presidential Policy Directive 28.
The Department of Justice included a section on how law enforcement agencies may acquire commercial data during a criminal investigation, noting that U.S. corporations can challenge orders in court.
The package also features the full set of Privacy Shield Principles, which entails seven distinct categories: notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability. There’s also a supplemental set of principles that includes provisions around sensitive data, secondary liability, the role of data protection authorities, human resources data, pharmaceutical and medical products, and publicly available data.
Additionally, the package contains an Arbitral Model to address a final means for redress. “The purpose of this option,” the package states, “is to provide a prompt, independent, and fair mechanism, at the option of individuals, for resolution of claimed violations of the Principles not resolved by any of the other Privacy Shield mechanisms, if any.”
FTC Chairwoman Edith Ramirez and DOT Secretary Anthony Foxx also reaffirmed each agency’s commitment to four areas: referral prioritization; false and deceptive Privacy Shield claims; continuous monitoring; and engagement with European data protection authorities.
The DOC’s Pritzker, in a separate release, praised the new agreement, calling it a “tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic.”
But the Privacy Shield has many critics already.
The Greens in the European Parliament issued a statement calling it a “cosmetic change.” Green home affairs and data protection spokesman Jan Philipp Albrecht — who has also been instrumental in the region’s General Data Protection Regulation — said, “The new ‘Privacy Shield’ framework appears to amount to little more than a remarketed version of the pre-existing Safe Harbour decision.” Albrecht says the Commission should push for more improvements to protect the privacy of European citizens, and that since the GDPR is slated to come into force by 2018, “it is essential that ‘Privacy Shield’ is limited to two years and that a new framework is negotiated once the new EU rules on data protection come into force.”
Privacy advocate and lawyer Max Schrems — whose case against Facebook ultimately led to the invalidation of the Safe Harbor framework — also criticized the new agreement. Most notably, he stated that none of the new improvements “seems to address the core concerns and fundamental flaws of U.S. intelligence laws and the lack of privacy protections in U.S. law.”
EDRi also did not pull any punches about their dislike of the agreement, arguing that the documents released today “confirm that no meaningful reforms have been made and that none are planned.”
Whether the Privacy Shield ends up going back to the European Court of Justice remains to be seen, but in the meantime, privacy pros are busy analyzing today’s package.
#PrivacyShield 1st impressions: (1) A lot of reading! #SafeHarbor's high level principles now a lot more specific https://t.co/ALl63m3rXy
— Phil Lee (@EUPrivacyLawyer) February 29, 2016
#PrivacyShield 1st impressions: (2) It's still safe certification, albeit backed by verification mechanisms. https://t.co/VuWiB9bU1R
— Phil Lee (@EUPrivacyLawyer) February 29, 2016
#PrivacyShield 1st impressions: (3) Privacy policies will need to get longer! More like GDPR level of disclosure. https://t.co/CumjzDozan
— Phil Lee (@EUPrivacyLawyer) February 29, 2016
#PrivacyShield 1st impressions: (4) Subcontracting rules strict, but friendlier than model clauses. A big plus. https://t.co/oGHp2QM09x
— Phil Lee (@EUPrivacyLawyer) February 29, 2016
#PrivacyShield 1st impressions: (5) Certifying org's have b/w 2 and 9 months to bring legacy subcontractors in line https://t.co/DGMnPsQHrS
— Phil Lee (@EUPrivacyLawyer) February 29, 2016
#PrivacyShield 1st impressions: (6) Lots of redress mechanisms. But who but the educated will use them? https://t.co/4Q7zkDj52U
— Phil Lee (@EUPrivacyLawyer) February 29, 2016
#PrivacyShield 1st impressions: (7) Right to data access restricted where "burden or expense" disproportionate...? https://t.co/iCeV667EVH
— Phil Lee (@EUPrivacyLawyer) February 29, 2016
#PrivacyShield 1st impressions: (8) Overall, no great surprises. Does what it needs to, but is it enough for DPAs? https://t.co/zHP3GiydS6
— Phil Lee (@EUPrivacyLawyer) February 29, 2016
According to the Privacy Shield Principles, “The effective date of the Principles is the date of final approval of the European Commission’s adequacy determination.” The Commission also released a draft adequacy decision, a set of FAQs, a Communication to the European Parliament and the Council, and a Fact Sheet.
The draft adequacy decision now must be approved by comitology procedure, which involves insight from the Article 29 Working Party, a binding opinion from the EU Member State representatives, and a formal adoption of the adequacy decision by the EU College of Commissioners. According to a Covington & Burling post, the Commission aims for adoption by June or early summer.
Top image courtesy of the European Commission