You are hereHome › Privacy Shield or Fig Leaf?
Privacy Shield or Fig Leaf?
A deal has now been done on Safe Harbo(u)r - EU/US Privacy Shield.
Below we summarise some of the key points from the press conference and give some initial analysis. Note that there is no agreed text of the agreement available, and no detail on any enabling instruments. In many respects this should be seen as a holding position pending the final final actual agreement.
On the question of Mass Surveillance
- US has provided letters from the Office of Director of National Intelligence confirming they do not conduct indiscriminate mass surveillance.
- US Government has conducted reform of mass surveillance practices and legislation.
- Under the new arrangement a Special Ombudsperson will be created in State Dept to follow up on queries from EU Data Protection Authorities regarding surveillance activities.
- There will be Redress mechanisms for EU citizens (we assume via the Judicial Redress Act in the US - but that has had amendemnts added that may weaken its effectiveness in this context).
- The operation of this governance structure and the enforceability of the letters are a precondition of the adequacy agreeement.
This appears to introduce potentially significant increase in transparency and safe guards for EU citizens. The EU Commission makes it a precondition of the adequacy agreement that the undertakings given in this context are upheld. However, it remains to be seen how independent or effective this ombudsman will be and what "teeth" they will have.
However, the hesitancy of the EU Commission to pull the plug on the old Safe Harbo(u)r itself until the CJEU did it for them raises a question of how effective or dissuasive that precondition would be in practice - would the Commission ever pull the plug on Privacy Shield if it was not getting answers, and what legal weight should be attached to "letters of comfort" ? The European Parliament was unimpressed and many remain unconvinced.
On the Commercial side:
- Annual reviews of the Framework, including national surveillance exemptions have been agreed between EU Commission and US Dept of Commerce.
- EU citizens will be able to avail of low cost dispute resolution mechanisms. The alternative dispute mechanism will be via the EU Data Protection Authorities referring cases to the FTC, with deadlines for resolution being applied, with arbitration being the final recourse.
- Strong obligations on companies, with regular reviews by the Dept of Commerce, with effective supervision mechanisms and sanctions/removal from list.
- US companies will be required to commit to robust obligations on how data is processed and individual rights guaranteed.
- Onward transfers will be restricted under the new Safe Harbo(u)r/Privacy Shield.
- No indication (yet) on whether US companies currently registered with Safe Harbor will need to re-register or will be "grandfathered" in (with a presumption that their controls and governance are up to scratch...)
On the Governance Side
- There will be an annual review and on-going monitoring of the scheme involving both EU and US participants. There will also be participation of the relevant intelligence communities as part of that review.
- DPAs have a stronger role it appears in being the "go to" regulators for EU-based data subjects to initiate complaints re: US-based data controllers/processors under this agreement.
- There is an increased emphasis on compliance and enforcement by the FTC.
- First annual review is expected to be in 2017
- Safe Harbor remains dead. Any transfers under it remain unlawful.
- The EU Commission MUST issue a formal finding of adequacy for transfers to the US under this scheme, which means the moving parts need to be put in place.
- Article 29 Working Party will need to issue guidance in relation to the new scheme and the acceptability of other transfer mechanisms. The new framework remains open to challenge by Data Protection Authorities under Directive 95/46/EC and the Schrems case made the independence of DPAs abundantly clear.
- EU Commission will need draft new adequacy decisions, with the US side having to do similar over the coming weeks. This Comitology process in the EU can involve member state input and can result in matters being referred to the Council of Ministers.
- There will be 3 month period before the new Agreement comes into effect. It remains to be seen what the position of A29WP Data Protection Authorities will be on enforcement of cross border data transfers under the old Safe Harbor during this period.
- There is still potential for challenges to the CJEU - the agreement may not reach the full requirements of the Schrems ruling and individual DPAs or individual data subjects may seek to challenge the agreement..
- Guidelines and guidance for EU citizens seeking to avail of the complaints and redress mechanisms remain to be defined.
- US companies will need to get their heads around the fact that this new agreement doesn't appear to be grounded on the old Fair Information Processing Principles, but instead requires them to commit to "obligations" around the processing of data and the protection of individual fundamental rights. This seems to be more directly linked to the principles outlined in Article 7 and 8 of the EU Charter of Fundamental Rights. This makes sense as it brings Privacy Shield into line with the undertakings in Model Clauses regarding EU data protection laws and standards. It also reflects the extra territorial push of the GDPR. But this means that US firms need to sharpen up their knowledge of EU Data Protection obligations and fundamental rights. If, in practice, this is not the benchmark applied to these "obligations", effectively bringing US companies into line with EU Data Protection standards in a mechanism that is enforceable by the FTC, then the CJEU will almost certainly listen warmly to any challenge to the adequacy decision.
There is a political agreement on a replacement for Safe Harbo(u)r, which at least has been rebranded to something that is spelled the same on both sides of the Atlantic.
The emergence of a "continous improvement" governance approach is to be welcomed. Likewise, the formalisation of the process by which EU resident inviduals can commence complaints against US organisations would appear to strengthen governance and accountability, particularly with the addition of defined timescales for response and a final arbitration mechanism. Also, the annual review mechanism effectively means that organisations relying on Privacy Shield for data transfers to the US will need to carry the risk of it being suspended at any time if Commission finds fault with the implementation of the adequacy decision framework, or if a challenge to the adequacy decision of the Commission is made to the CJEU by an individual or a DPA. This is particularly true if the oversight mechanisms for Government surveillance practices fail to operate as described, or if the threshold for the obligations and undertakings of commercial entities is not adequately aligned with Article 8 of the Charter of Fundamental Rights.
Finally, for there to be a framework that can be relied upon, there needs to be a formal adequacy finding. That finding is open to challenge. This replacement for Safe Harbor will be challenged and is not a "done deal".
Perhaps that fragility is its strength... will Mutually Assured Data Destruction be the mechanism to keep both sides honest in this framework? And is MADD really the basis for commercial certainty and the protection of personal data privacy?