There are serious questions as to whether the new data protection agreement between the European Union and the United States will be approved by the European Commission in June or will have to be delayed based on a recent opinion by a panel of data protection authorities, leaving 4,500 U.S. companies in legal limbo regarding cross-border data transfers.
On April 13, the Article 29 Working Party (WP29), an independent advisory group set up under the directive of the European Parliament and the Council of 24 October 1995, acknowledged “significant improvements brought by the Privacy Shield compared to the Safe Harbor decision,” singling out the inclusion of key definitions and mechanisms set up to ensure the oversight of the Privacy Shield. But the WP29 also noted an “overall lack of clarity” in the pact, citing the difficulty of finding principles and guarantees expressed in the adequacy decision and its annexes, and voiced “strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield.” And because the Privacy Shield must be consistent with the EU data protection legal framework, the WP29 said a review of the agreement’s text will be required once the new General Data Protection Regulation (GDPR) goes into effect in 2018, to ensure it adheres to the higher level of data protection required under GDPR.
The WP29’s most worrisome objection to the agreement centers on the U.S. government’s ongoing surveillance and mass data collection. Edward Snowden’s revelations in 2013 convinced European authorities that the Safe Harbor protocol that had been relied on since 2000 to protect the privacy of EU citizens’ personal information, when transmitted to the United States, was no longer working.
“I suspect this is one of those things that fuels the fire as to a legal challenge to the Privacy Shield,” says Aaron Tantleff, a partner and intellectual property lawyer with Foley & Lardner. While there is a slim possibility that the European Commission and U.S. Commerce Department could renegotiate the Privacy Shield to address WP29 concerns, “there’s also a lot of pressure to finalize something soon, not only from U.S. organizations but also from European organizations. This is transatlantic commerce, so it impacts not only U.S. organizations but U.S. citizens in terms of how they may get access to certain goods and services in light of this concern.”
Julie Brill, co-director of Hogan Lovells’s data privacy and cyber-security practice and, until April 2016, a member of the Federal Trade Commission (FTC), is more sanguine. After having analyzed the Privacy Shield, her firm finds, “it does provide an essentially equivalent level of protection to that provided by key data protection principles outlined in European law,” she says. “The European Commission will probably finalize the adequacy decision. They may do it after more discussion with the Department of Commerce, but it will likely occur before the end of June.”
The USA FREEDOM Act, which was signed into law in June 2015, significantly modifies U.S. surveillance and other national security authorities, prohibiting the bulk collection of any records, including telephone metadata related to calls between individuals in the United States and outside the United States, but presumably not to the satisfaction of the WP29.
The WP29 also noted concerns about the Privacy Shield’s commercial aspects, finding that the adequacy decision and the annexes either fail to reflect some key data protection principles outlined in European law or inadequately substitute other notions for them. Additional concerns center on the lack of explicit mention of the data retention principle, the lack of specific wording on protection against individual decisions based solely on automated data processing, and new redress mechanisms that may be too complex for individual European citizens to make use of, especially in a different language.
“The opinions of the WP29 are non-binding, but given the number of ‘clarifications’ it requested and the seriousness of the other concerns raised, I think it will be impossible for the European Commission to ignore these and just adopt the Shield as it stands now,” says Lokke Moerel, senior of counsel at Morrison & Foerster in Berlin and professor of global ICT law at Tilburg University. “Indeed, the WP29 has indicated that the national [Data Protection Authorities] will challenge the Shield in their respective courts if the Shield will be adopted by the Commission in unaltered form.” A new round of negotiations between the European Union and United States seems unavoidable, she adds.
Given its concerns about the U.S. government’s use of the fight against terrorism to justify continuing to collect data in this way, the WP29 said it would look to the forthcoming rulings of the Court of Justice of the European Union (CJEU) in cases related to such collection methods.
Moerel doesn’t believe the Privacy Shield must wait to be finalized until after the CJEU rules on the legality of U.S. surveillance practices. The WP29’s position that massive and indiscriminate surveillance of individuals can never be considered proportionate and strictly necessary in a democratic society doesn’t align, she says, with Article 8 of the European Convention on Human Rights, which “provides that an interference with the right to privacy is only allowed if it ‘is in accordance with the law and is necessary in a democratic society in the interests of national security.’” The ECHR has admitted that increasing terrorist threats affecting democratic societies justify undertaking secret surveillance measures to effectively counter these threats, while requiring its systems to provide adequate safeguards against possible abuses, she adds.
Assuming that the Privacy Shield is approved in June, once a company registers for it, “that’s not the end of the game,” says Tantleff, who expects the GDPR, which the EU Council and Parliament both adopted in April, to change things once it goes into effect in 2018. Because certain obligations under the Privacy Shield are inconsistent with those under GDPR, “compliance with European data protection regulations is going to be a moving target for the next few years.”
One key implication of that is that companies will need to dedicate more resources to ensuring compliance with the new data privacy regime, he explains. “There are lots of organizations that have put into place privacy and security programs and sometimes they’re static. But now companies will have to have people appointed in this role, and under GDPR you’re going to have to have a data protection officer,” making sure policies and procedures are reviewed at least annually and adjusted as appropriate.
How companies get consent from their customers regarding collection and use of personal information is one example of practices that will be subject to regular review, says Steven Millendorf, an associate and intellectual property lawyer at Foley & Lardner. “GDPR in particular is a huge amount of work for both U.S. and European companies. I think there will be an expectation that U.S. companies are going to have to think on their feet a little more than they’ve ever had to do before.”
It’s also clear under GDPR that boards and C-suites will be liable and have obligations regarding compliance with data protection laws, Tantleff says. They need to be aware of this and dedicate resources toward it.
Below are some concerns expressed by the WP29 concerning the EU-U.S. Privacy Shield.
... the Working Party has strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield.
As a preliminary remark, the WP29 regrets that the Privacy Shield is constituted by a various set of documents and that therefore, the principles and guarantees afforded by the Privacy Shield are set out in both the adequacy decision and in its annexes making the information both difficult to find, and at times, inconsistent. This contributes to an overall lack of clarity.
Then, the Working Party recalls that the Privacy Shield adopted on the basis of Directive 95/46/EC needs to be consistent with the EU data protection legal framework, both in scope and terminology. In this regard, a review of the text of the Privacy Shield will have to take place after the entry into application of the General Data Protection Regulation in the course of 2018, in order to ensure the higher level of data protection offered by the Regulation is followed in the Privacy Shield.
Concerning the commercial aspects, the WP29 first of all considers that some key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions. In particular, the application of the purpose limitation principle to the data processing is unclear. The Working Party is also concerned that the data retention principle is not expressly mentioned and cannot be clearly construed from the current wording of the text.
Furthermore, there is no specific wording on the protection that should be afforded against automated individual decisions based solely on automated processing. Because the Privacy Shield will also be used to transfer data outside the US, the WP29 insists that onward transfers from a Privacy Shield entity to third country recipients should provide the same level of protection on all aspects of the Shield (including national security) and should not lead to lower or circumvent EU data protection principles.
Besides, although the Working Party notes the additional recourses made available to individuals to exercise their rights, it is concerned that the new redress mechanism in practice may prove to be too complex, difficult to use for EU individuals, especially in a different language, and therefore ineffective. Further clarification of the various recourse procedures is therefore needed; in particular, where they are willing, national EU data protection authorities could be considered as a natural contact point for the EU individuals in the various procedures, having the option to act on their behalf.
Source: Statement of the Article 29 Working Party on the Opinion of the EU-U.S. Privacy Shield
Choosing among the Privacy Shield, binding corporate rules, or standard contractual clauses will be a major decision for companies, Tantleff says. Binding corporate rules are more complex than standard contractual clauses, while the Privacy Shield subjects a company to numerous obligations it may not be subject to under either alternative, including direct oversight by the Commerce Department and FTC.
If a company registers for the Privacy Shield, the Department of Commerce has the right on its own initiative to start investigating whether the company is in compliance with the agreement’s principles or not, explains Moerel. Unlike under BCRs, “they don’t have to wait for a complaint. If you’re not within compliance, Commerce can withdraw your certification and can also inform the FTC, and the FTC will follow up those complaints with priority.”
One consideration is that BCRs and SCCs are likely going to change under GDPR, says Millendorf. He expects that two years from now companies will either have to tweak or wholesale modify their contractual clauses. Once guidelines for SCCs have changed, he wonders whether there will be a way to tack an amendment onto one that’s already been executed or whether the company will be told by the data protection authority to trash an existing SCC and enter into a completely new one. An amendment would make it much easier for businesses.
Another factor is the time frame required to put a binding corporate rule in place and get it approved by the Data Protection Authority—a year or up to 18 months, depending on the source. “Merck recently managed to pull it off very quickly because they had started this process and started talking with the local data protection authorities very early on,” Millendorf says. What made it easier for Merck is that it already had BCRs in place under the Asia-Pacific Economic Cooperation (APEC) agreement, and those privacy rules had more structure so modifying them to be applicable in Europe gave them a head start.
One advantage of BCRs is that they provide a global platform for exchanging information within a multinational corporation like Merck as opposed to a patchwork, and that unified set of rules on how to handle information makes it easier to establish such rules when the company contracts for services with a third party, Tantleff says.