Monday’s release by the U.S. Department of Commerce outlining further details on the EU-U.S. Privacy Shield seems to have both overwhelmed and, in some cases, displeased those who’d been clamoring for more on the initially vague agreement announcement. And those seeking to be certified under the framework found themselves with a lot of reading: The package the DoC released runs 132 pages.
And that in itself is a bit of a problem.
“It’s really a massive piece of legislation,” said Cedric Burton, CIPP/E, of Wilson Sonsini Goodrich & Rosati. “The buzz in Brussels is that most people are still trying to digest a very long document, and it’s a complex set of documents. It’s not consistent and not well organized. So just figuring out what applies and under what circumstances is a fait de complete.”
In general, though, most agree it's essential that there be a mechanism, and, as the saying goes, "perfect is the enemy of good."
Check out the details here for a thorough look, but here’s a quick, high-level summary of the Privacy Shield’s provisions:
- Companies will self-certify to the Shield
- An Ombudsman, under the U.S. Secretary of State, will handle inquiries on U.S. surveillance
- Shield contains principles with seven distinct categories including notice, choice, accountability for onward transfer, purpose limitation, recourse, enforcement and liability among others.
- An arbitral model aims to allow individuals redress not resolved by the Shield’s mechanisms
- An annual privacy summit with NGOs and stakeholders to discuss developments, followed by a public report by the European Commission
Will the Shield make it?
“I think there’s still a real question as to whether it’s really going to get approved on the EU side,” said Wiley Rein’s Kirk Nahra, CIPP/US. But if he had to guess, it likely will because there’s a need for a data transfer mechanism in order for commercial transactions–vital to both economies–to continue. And besides, realistically, what else is the U.S. going to concede to?
“Do the EU politicians think at this point they can get a better deal out of the U.S. government?” Nahra asked rhetorically. “That’s a game of playing chicken. Their choice is either agree or not, and then you’ve got all those commercial problems which I don’t think is in their interest either.”
Kim Smouter, government affairs manager at Brussels-based Esomar, a global market, opinion and social research firm, said just the fact that something is on the table–an agreement from both the EU and U.S.–is “a huge relief.” He agrees with Nahra that the U.S. authorities have made a lot of accommodations based on EU concerns.
“The idea that Europe was going to get everything it wanted was utopic,” he said.
That said, there are quite a few voices out there who aren’t shy about their disapproval of the new agreement. As we reported Monday, Green MEP Jan Philipp Albrecht has called it merely a “cosmetic change” from Safe Harbor, and EDRi said the recently released text indicates “no meaningful reforms.”
“It’s now a question of how much more the extreme voices get to control things,” Nahra said, wondering whether the Article 29 Working Party and the Article 31 Working Party–whose opinions will now be sought on the agreement–will share that critical sentiment.
Burton said, though, criticism from industry groups like EDRi and privacy advocates like Albrecht is to be expected.
“Everyone is doing their job,” he said. “The truth must be somewhere in between.”
Bird & Bird’s Ruth Boardman agreed. She said while the Shield addresses a lot of the long-standing criticisms of Safe Harbor, “the skeleton of Safe Harbor is still very visible under the new clothing. This will certainly mean that those critical of Safe Harbor will be critical of the Shield.”
Burton, however, doesn’t expect the early criticism to thwart the Shield’s eventual vitality. Because, as Nahra noted, there has to be some kind of mechanism in place for data transfers. Period. Everyone wants that. And there are a lot of small- to medium-size organizations who can’t afford data transfer mechanisms like BCRs or model contracts and relied on Safe Harbor–and now will rely on the Shield–to operate. Even if the Shield isn’t perfection, if it allows them to transfer data overseas, in the end, they’ll take workable over perfect, Burton said.
“I think we’re hopeful that that voice of economic reason will win out,” he said. “It’s taken quite a lot of time for, in particular, small companies to be aware of what was happening, and I think a lot of them are finding it really difficult to find solutions. The faster a solution comes through, the better it is. There’s a lot to be lost by having nothing.”
What does the Shield mean for data transfers in general?
Some say this whole back and forth between the EU and U.S. over how to ensure data privacy and protection is indicative of a larger problem.
Rocco Panetta of NCTM in Rome thinks the differences between U.S. and EU legal regimes are the crucial issue here. He says recent events like the FBI’s call on Apple to unlock its iPhone for terrorism-related evidence gathering illustrate that the Privacy Shield as a data transfer mechanism is a small fix for a bigger problem.
“It’s time to shift the data flows issue on a larger scale, maybe that of international treaties,” Panetta said. The rights and guarantees the Shield aims to provide (opt-outs, rights of access and cancellation) “should become an ordinary way to process data worldwide, and not only in occasion of international data transfers.”
But there’s some question about whether disparate transfer mechanisms are still viable in a global economy where data transfers are inevitable and necessary.
Nahra anticipates the implementation of the Shield to have a ripple effect.
“I think if it does get approved, it’s going to likely extend some of the principles to the other data transfer properties, model clauses etc.," he said. "I suspect they’ll try and incorporate some of those ideas into those provisions.”
In some ways though, Nahra said, this whole thing misses the mark. The Schrems case, which ultimately led to the invalidation of Safe Harbor, focused on U.S. law enforcement’s access to EU citizens’ data. But that really didn’t apply to most of the companies certified under Safe Harbor. Take a retail clothing company, for example. The U.S. government did not care about the data that company was transferring. It had no interest in surveilling the data.
So while the new agreement may place more burdens on each company using the Privacy Shield, the companies weren’t really the problem.
“The problem that came out of the Schrems decision is not that the companies were doing anything wrong,” he said. “That’s why I think the whole debate has been odd,” he said, adding that the focus of attention should be whether it’s now harder for the U.S. government to access the data.
For now, industry, advocates and government will wait to hear the opinions of the Article 29 and Article 31 Working Parties, and then the EU College of Commissioners will make an adequacy decision. Early summer is the projected deadline.
But it’s anyone’s guess as to whether that will happen.
“I think that timing is a bit optimistic,” said Chris Kuner of Wilson Sonsini Goodrich & Rosati. “I don’t think it’ll be turned down by EU member states but I think a number of them are going to want to look at it in detail, and there’s so much to digest that I think it’ll go on longer than that.”
Burton says while a summer deadline is plausible, the Shield coming into force doesn’t mean transatlantic trust. Service providers in the U.S. face an uphill battle. Especially from French and German business customers, who’ve arguably been the most incredulous over revelations on U.S. surveillance practices.
“The large European clients that use service providers will be very skeptical about the Privacy Shield in the short term,” he said. “Even if we get a decision in the summertime, it’s going to take some time to restore trust and make sure this is a workable mechanism.”
Top image courtesy of European Commission.