July 12, 2016

Update Imminent: The New US/EU Data Privacy Shield After the Demise of Safe Harbor

Data transfers between the United States and the European Union have grown increasingly complex. Multinational companies require a certain level of information sharing among offices in different countries as part of their day-to-day operations. In addition, data created on one side of the Atlantic may be relevant to a lawsuit or investigation on the other side. However, data regarding European citizens is subject to a higher level of privacy consideration than data related to United States citizens, and as such, transfers of data from the EU to the US can be problematic. Recent changes in the law and the end of the Safe Harbor at the hands of the European Court of Justice have created a need for a new mechanism by which US companies can verify that the data they receive will be used appropriately in the eyes of European data protection authorities. To that end, the US and EU have been working on a “Privacy Shield,” which has not yet been finalized or implemented, but a decision by the Article 31 committee’s national representatives is expected as early as this week.

The Article 29 Data Protection Working Party released an opinion on April 13, 2016 that highlighted a series of perceived shortcomings.

Background of the Safe Harbor and its Demise

Personally Identifiable Information (“PII”) is a particularly thorny set of data. PII encompasses many different types of information that could be used to identify a specific person, including names and addresses, identification information such as driver’s license numbers, and email addresses. These data types are subject to increased protection from disclosure, and efforts must be made to safeguard them. The United States and the European Union both view PII as protectable, but the two protect it in very different contexts. The United States follows a “sectoral” privacy model. There is no fundamental right to privacy beyond the penumbral right articulated in Roe v. Wade. Privacy of specific types of data in the U.S. is governed through legislation, regulation, and corporate entities’ self-regulation.

The European Union, by contrast, follows a comprehensive privacy model that treats privacy rights across all sectors and grants extensive protection to the personal data of its citizens. The EU privacy directive, Directive 95/46/EC, governs data privacy in Europe.

In the Internet age, when data can pass over borders effortlessly and seamlessly, this causes conflict. Transferring data from the E.U. to the U.S. is technically easy but can cause significant legal issues, as the E.U. has strict requirements about how protected data may be transmitted, intended to ensure it does not lose its protection abroad.

In the year 2000, the two sides created a Safe Harbor framework for transferring data.  This framework provided organizations the ability to self-certify that they were following agreed-upon methods of data transfer between EU and US organizations that ensured a level of protection with which the EU regulators were comfortable.

On October 6, 2015, however, the European Court of Justice declared that the Safe Harbor was invalid, and since that time data transfer between the EU and the US has been a cause of worry for transferring organizations. One of the privacy concerns voiced by the European Court of Justice is whether its citizens’ privacy is respected by foreign governments. In light of this concern, the European Court of Justice struck down the Safe Harbor in the case of Max Schrems vs. Irish Data Protection Commissioner (Case C-362/14). Mr. Schrems, an Austrian citizen and Facebook user, challenged the Safe Harbor on the theory that Facebook did not offer adequate privacy protections for European citizens. The ECJ agreed and struck down the Safe Harbor, in particular because Edward Snowden’s leaks made clear that the NSA might be spying on any transmitted data, regardless of the efforts of self-certifying parties.

The US-EU Privacy Shield

In striking down the Safe Harbor provisions, Schrems has wreaked havoc on the ability of US companies to gather and hold data from European citizens.

In response to this ruling, the Obama Administration and the European Commission have drafted a new framework for privacy protection - the US-EU Privacy Shield. The two sides agreed to this shield in principle in February of 2016, but the details have not yet been finalized, nor has a target date for the agreement been set. The fundamental principle behind the agreement is that data transferred between the EU and the US must be handled in a way that respects the privacy rights of the EU citizens who are the subject of the data (the “Data Subject”). The Privacy Shield takes many of the Safe Harbor provisions and establishes a higher bar for them. Companies are still required to self-certify and to display their privacy policy on their corporate website. The EU recently endorsed self-certification in the General Data Protection Regulation (“GDPR”).

The Privacy Shield enshrines seven principles related to both Data Subjects and Recourse.  The principles are:

  • Notice – The principles establish 13 categories that must be clearly and conspicuously explained to Data Subjects before any work is done on their data.
  • Choice – For most information, Data Subjects must have a clear and conspicuous way to opt out of any disclosure of their PII or its use for any purpose other than the originally intended one. For disclosure or processing of sensitive information such as healthcare records, information about ethnicity, political opinions, religious or philosophical beliefs, trade union membership or information related to the sex life of the Data Subject, the requirements shift to an Opt-In standard.
  • Accountability for onward transfer/vendor agreements – Organizations that are self-certified under the Privacy Shield must build privacy protections for EU Data Subjects’ data into their contracts with third parties who might use the data. The data may only be used in ways to which the Data Subject has consented.
  • Security – Parties transmitting data must take “reasonable and appropriate” measures to secure the data.
  • Data integrity and purpose limitations – Processing of data should be limited to that which was either compatible with the original intent of the collection, or a subsequent authorized use. This principle also contains a provision that, “An organization must adhere to the Principles for as long as it retains such information.” This means that even if an organization is no longer a self-certified Privacy Shield organization, it is still required to abide by this principle.
  • Access – European privacy laws contemplate the ability of a Data Subject to review, amend, or delete their data to ensure it is complete and correct. This provision applies except where it is prohibitively expensive or another individual’s rights would be infringed.
  • Recourse, enforcement, and liability – Third-party dispute resolution bodies must be used to determine whether PII rights have been infringed within 45 days of bringing an action, unless an organization wishes to use a panel of Data Protection Authorities to do so. Enforcement and liability can include compensation of the Data Subject, publicizing an organization’s noncompliance, and revocation of the organization’s Privacy Shield certification.

The Privacy Shield has a built-in verification process. As the Privacy Shield is self-certifying, an organization must either self-assess following the procedure laid out in the text, or use a third-party compliance organization to certify that the Principles are firmly in place.

While the final details of the Privacy Shield are still being worked out, there are still a few working mechanisms which organizations can use to ensure data can flow freely across the Atlantic.  The first, Model Contract Clauses, are standard contractual clauses defined by the EU and the Article 29 working party for the purpose of meeting the adequacy standards in the directive.

The second, Binding Corporate Rules, are legally binding internal corporate privacy rules for transferring PII within an organization, whether a corporation, organization, or group of companies. There are 85 organizations which have had their Binding Corporate Rules approved by a Data Protection Authority.

Current Status of the Privacy Shield

The Article 29 working party has expressed significant concerns, as noted above. Meanwhile, the first post-Safe Harbor fines have been levied. Three companies - Adobe, Punica, and Unilever - were fined by the Hamburg Data Commissioner. This should be cause for concern for anyone doing business or storing data in Europe. Until the Privacy Shield is ratified or a different mechanism is established, Model Contract Clauses are the only viable method of assuring that the transfer of EU citizen data is compliant. The final draft of the Privacy Shield is expected in the summer of 2016. The negotiations are ongoing.

Jonathan Swerdloff
Jonathan Swerdloff is Director of Global Client Services and eDiscovery at Scott+Scott Attorneys at Law LLP. Prior to this role, he was an expert Consultant at Driven, Inc.