Data transfers between the United States and the European Union have grown increasingly complex. Multinational companies require certain levels of information sharing among offices in different countries as part of their day-to-day operations. In addition, data created on one side of the Atlantic may be relevant to a lawsuit or investigation on the other side. However, data regarding European citizens is subject to a higher level of privacy consideration than data related to United States citizens, and as such, transfers of data from the EU to the US can be problematic. Recent changes in the law and the end of the Safe Harbor at the hands of the European Court of Justice have created a need for a new mechanism by which US companies can verify that their data will be used appropriately in the eyes of European data protection organizations. To that end, the US and EU have been working on a “Privacy Shield,” which has not yet been finalized or implemented, but a decision by the Article 31 committee’s national representatives is expected as early as this week.
The Article 29 Data Protection Working Party released an opinion on April 13, 2016 that highlighted a series of perceived shortcomings.
Background of the Safe Harbor and its Demise
Personally Identifiable Information (“PII”) is a particularly thorny set of data. PII encompasses many different types of information that could be used to identify a specific person, including names and addresses, identification information such as drivers’ license numbers, and email addresses. These data types are subject to increased protection from disclosure, and efforts must be made to safeguard them. The United States and the European Union both view PII as protectable, but the two protect it in very different contexts. The United States follows a “sectoral” privacy model. There is no fundamental right to privacy beyond the penumbral right articulated in Roe v. Wade. Privacy of specific types of data in the U.S. is governed through legislation, regulation, and corporate entities’ self-regulation.
The European Union, by contrast, follows a comprehensive privacy model that treats privacy rights across all sectors and grants extensive protection to the personal data of its citizens. The EU privacy directive, Directive 95/46/EC, governs data privacy in Europe.
In the Internet age, when data can pass over borders effortlessly and seamlessly, this causes conflict. Transferring data from the E.U. to the U.S. is technically easy but can cause significant legal issues, as the E.U. has strict requirements about how protected data can be transmitted, to ensure that it does not lose its protection abroad.
In the year 2000, the two sides created a Safe Harbor framework for transferring data. This framework provided organizations the ability to self-certify that they were following agreed-upon methods of data transfer between EU and US organizations that ensured a level of protection with which the EU regulators were comfortable.
On October 6, 2015, however, the European Court of Justice declared that the Safe Harbor was invalid, and since that time, data transfer between the EU and the US has been a cause of worry for transferring organizations. One of the privacy concerns voiced by the European Court of Justice is whether its citizens’ privacy is respected by foreign governments. In light of this concern, the European Court of Justice struck down the Safe Harbor in the case of Max Schrems vs. Irish Data Protection Commissioner (Case C-362/14). Mr. Schrems, an Austrian citizen and Facebook user, challenged the Safe Harbor on the theory that Facebook did not offer adequate privacy protections for European citizens. The ECJ agreed and struck down the Safe Harbor, in particular because Edward Snowden’s leaks made clear that the NSA might be spying on any transmitted data, regardless of the efforts of self-certifying parties.
The US-EU Privacy Shield
In striking down the Safe Harbor provisions, the Schrems decision has wreaked havoc on the ability of US companies to gather and hold data from European citizens.
The Privacy Shield enshrines seven principles related to both Data Subjects and Recourse. The principles are:
The Privacy Shield has a built-in verification process. As the Privacy Shield is self-certifying, an organization must either self-assess following the procedure laid out in the text, or use a third-party compliance organization to certify that the Principles are firmly in place.
While the final details of the Privacy Shield are still being worked out, there are a few working mechanisms that organizations can use to ensure data can flow freely across the Atlantic. The first, Model Contract Clauses, are standard contractual clauses defined by the EU and the Article 29 Working Party for the purpose of meeting the adequacy standards in the directive.
The second, Binding Corporate Rules, are legally binding internal corporate privacy rules for transferring PII within an organization, whether a corporation, organization, or group of companies. There are 85 organizations which have had their Binding Corporate Rules approved by a Data Protection Agency.
Current Status of the Privacy Shield
The Article 29 Working Party has expressed significant concerns, as noted above. Meanwhile, the first post-Safe Harbor fines have been levied. Three companies (Adobe, Punica, and Unilever) were fined by the Hamburg Data Commissioner. This should be cause for concern for anyone doing business or storing data in Europe. Until the Privacy Shield is ratified or a different mechanism is established, Model Contract Clauses are the only viable method of assuring that the transfer of EU citizen data is compliant. The final draft of the Privacy Shield is expected in the summer of 2016. The negotiations are ongoing.