Why are U.S. regulators keeping the Privacy Shield on life support? Is it because fashioning a real fix is too difficult?
For European regulators, the EU-U.S. Privacy Shield died July 16, killed by a European court decision. The legal protections that gave roughly 5,300 American companies safe access to EU citizens’ data—without fear of legal reprisals under EU privacy law—died with it. The European Data Protection Board (EDPB), the body that coordinates the EU’s national data protection authorities, later clarified that the Court of Justice of the European Union (CJEU) ruling provided “no grace period.”
The Privacy Shield, set up in 2016 to protect the personal data of Europeans when it is transferred across the Atlantic for commercial use, was voided because the court ruled U.S. surveillance laws clash with EU privacy laws.
Despite the ruling, the Privacy Shield is apparently still alive and well in the United States—with all of the regulatory and enforcement apparatus that accompanies it.
On the same day the CJEU handed down its decision, the U.S. Department of Commerce said in a press release that it “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.”
On Aug. 5, Federal Trade Commission Chairman Joe Simons backed the Commerce Department’s stance in testimony before the Senate Committee on Commerce, Science, and Transportation.
“We will continue to hold companies accountable for their privacy commitments, including promises made under the Privacy Shield,” Simons told the Committee.
From a purely pragmatic standpoint, that doesn’t make sense. Businesses applied to the Privacy Shield program for the legal protections it provided. Those protections have disappeared.
Why would U.S. regulators like the FTC tell companies they should keep their Privacy Shield statements up-to-date, honor the EU-U.S. Privacy Shield Principles and Supplemental Principles, and complete a timely annual recertification with the Commerce Department?
Sure, it makes sense to comply with the spirit of the Privacy Shield principles. But do companies really need to keep filing the paperwork?
In theory, companies that stop complying with the Privacy Shield rules could still face enforcement action from the FTC, which “has taken law enforcement action against dozens of companies that made false or deceptive representations about Privacy Shield participation,” the regulator noted a few weeks before the CJEU decision.
Stranger still, any business seeking to withdraw from the Privacy Shield List must notify the Commerce Department, complete a questionnaire, pay $200, and then decide whether to “return, delete, or continue to apply the Privacy Shield Principles to the personal information that it received while participating in the Privacy Shield.” With no valid Privacy Shield agreement left to withdraw from, the process of withdrawing from the Commerce Department’s Privacy Shield List might best be described as Kafkaesque. Or soul-crushing. Or just plain crazy.
What’s really happening from the American side of the pond is a kick-the-can-down-the-road mentality. The “America First” Trump administration has its eyes on bigger trade victories than fixing the Privacy Shield and will likely punt any solution to, ahem, a second term. If Democrat Joe Biden becomes president, where do you think fixing the Privacy Shield will fall on his presidential to-do list?
“We really need a political solution,” said Miriam Wugmeister, co-chair of law firm Morrison & Foerster’s Global Privacy and Data Security Group. “It is unreasonable to put this burden onto companies.”
Companies are left to sort out solutions on their own, such as standard contractual clauses (SCCs), which businesses have relied on for nearly 20 years to facilitate data transfers. The European Commission has yet to publish updated SCC language under the EU’s General Data Protection Regulation.
“Companies would love to have a checklist: ‘Do these five things and you won’t get in trouble,’” said K Royal, associate general counsel at privacy compliance vendor TrustArc. “But no such checklist exists.”
The U.S. Chamber of Commerce encouraged the European Union and United States to “swiftly negotiate a new framework to support those companies that rely on Privacy Shield for transatlantic data flows.” Any such solution would be Privacy Shield 2.0.
The Commerce Department announced this week it has entered into discussions with its EU counterpart “to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework.” That ought to happen quickly, right? Six months to hammer out definitions, another six to haggle over them.
Wugmeister predicts there won’t be another Privacy Shield, and that companies will have to rely on new guidance from the EDPB on updated wording for SCCs.
Meanwhile, the Electronic Frontier Foundation, a nonprofit privacy advocacy group, argued that the long-term solution is for Congress to overhaul the Foreign Intelligence Surveillance Act (FISA). “Fix U.S. mass surveillance, or undermine one of the United States’ major industries,” the EFF said.
This Congress? Overhaul FISA? Not likely. They can’t even agree whether to pay unemployed people an extra $600, $400, or $200 per week during a pandemic.