Update on EU-US Privacy Shield

“More than $260 billion in digital services trade is already conducted across the Atlantic Ocean annually, but there is significant potential for this figure to grow, resulting in a stronger economy and job creation. The Privacy Shield opens a new era in data privacy that will deliver concrete and practical results for our citizens and businesses.”

– Commissioner Jourová, European Commission, 2 February 2016

Implementation of the Privacy Shield is underway, with over 240 US companies on the Privacy Shield List at last count. More widespread adoption of this new framework is likely to follow.

Quick recap

But let’s take a step back – for those who are not familiar with the Privacy Shield, here is a quick recap of the recent history of the regulation of transatlantic data flows:

  1. On 26 July 2000, the European Commission adopted the EU-US “Safe Harbour Adequacy Decision”, which became the principal mechanism governing whether and how personal data could be transferred from within the EU to US companies.
  2. After more than 15 years of operation, on 6 October 2015, the Court of Justice of the European Union (CJEU) ruled the Safe Harbour invalid on the ground that it did not provide adequate protection for the personal data of Europeans in a number of respects. We detailed this decision and its implications in our article of 19 October 2015.
  3. The invalidation of the Safe Harbour left a legal vacuum in relation to transatlantic data flows. More than 5,000 US companies which had relied on the Safe Harbour were suddenly left in significant uncertainty. On 2 February 2016, a political agreement between the European Commission and the US was reached to establish a new framework – the Privacy Shield. We detailed the implications and potential effects of the Privacy Shield in our article of 12 February 2016.
  4. On 8 July 2016, the Privacy Shield was officially approved and, on 1 August 2016, the US Department of Commerce began accepting self-certifications from US corporations for EU-US data flows.

Certification and the Privacy Shield List

The EU Data Protection Directive prohibits EU companies from transferring personal data outside the EU unless the recipients of that data can provide an “adequate” level of protection for that data. Under the Privacy Shield, those US corporations included in the Privacy Shield list will be deemed to satisfy this requirement. According to the US Federal Trade Commission (FTC), the first applications for certification under the Privacy Shield came from Microsoft and Workday, which is not surprising given their involvement in cloud-based technologies.

More surprising is that two of the largest public cloud service providers (AWS and Google) had, at the time of writing, yet to apply, and social media giant Facebook is in the same boat.

Model clauses

One explanation might be that these companies and others are choosing to rely on “model clauses”. These are standard clauses determined by the European Commission to offer sufficient privacy safeguards to allow transfer of data outside the EU, and many companies have been relying on this approach following the Safe Harbour being invalidated.

However, model clauses are also susceptible to the key criticisms made of the Safe Harbour approach – arguably, they do not offer sufficient protection against US mass surveillance, nor do they offer redress should such surveillance occur. It is questionable whether a purely contractual arrangement between two private parties can adequately uphold European ideals of privacy in light of the surveillance uncovered by the Edward Snowden revelations, since a contract cannot bind a government agency. Indeed, the Irish Data Protection Commissioner announced in late May this year that it would seek a review of the legal status of model clauses by the CJEU.

Additional obligations of the Privacy Shield

Compared to the Safe Harbour, the Privacy Shield strengthens the protection of personal data for those in the EU. The additional obligations include:

  1. Heightened obligations to disclose the organisation’s data practices in a public privacy policy, including the individual’s right to access their personal data, which enforcement authority regulates the organisation’s compliance with the Privacy Shield, and the organisation’s liability if it onward-transfers data to third parties. Organisations must also make public any compliance or assessment reports submitted to the FTC, or those parts of such reports which relate to their compliance (or non-compliance) with the Privacy Shield.
  2. Easier access to dispute resolution, with organisations required to respond to a complaint within 45 days of receiving it, at no cost to the complainant. Organisations must also, upon request, submit to binding arbitration. European Data Protection Authorities may refer complaints from individuals to the US authorities, which must deal with such complaints within 90 days.
  3. Organisations must preserve the integrity of personal data by complying with the new data retention principles, and must limit the processing of personal data to relevant purposes only. Organisations also remain accountable for data transferred to third parties, with an obligation to ensure that such third parties provide the same level of protection for personal data as the Privacy Shield requires.

Criticisms and Survivability of the Privacy Shield

Despite the additional obligations of the Privacy Shield, there remain ongoing concerns about its suitability (and indeed, whether it will survive in its current form). The opinion of the Article 29 Working Party on 12 July 2016 welcomed the improvements in the Privacy Shield, but also expressed a number of concerns, including:

  • the lack of clarity on how the principles apply to data processors; and
  • while there is a commitment that US intelligence agencies will not conduct mass and indiscriminate collection of personal data, the Working Party noted a lack of concrete assurances that this will not occur.

However, the Working Party ultimately stated that the appropriate time to assess whether these concerns have been adequately addressed will be the Privacy Shield’s first annual review.

Whether the Privacy Shield will even get that far, however, is also uncertain, as both Max Schrems (the privacy advocate who brought the court action which triggered this chain of events) and the German Data Protection Authority have indicated an intention to challenge the Privacy Shield.

Further complications

So, there remains an air of uncertainty surrounding transatlantic data flows. This is exacerbated by Brexit, which, although not expected to take place until late 2017, adds an additional layer of complexity for data transfers to and from the UK.

The General Data Protection Regulation (GDPR) further complicates things. It was officially adopted on 27 April 2016 and will enter into application on 25 May 2018 after a transition period. The GDPR will apply to companies outside the EU which process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, and it will also change the framework for data flows from the EU, as the Directive on which the Privacy Shield adequacy decision rests will be replaced.

How does all this affect Australian entities?

Australia is not recognised as providing adequate protection for personal data for the purposes of the EU Data Protection Directive, meaning that data transfers from the EU into Australia currently require contractual protections (such as model clauses) or the informed consent of the individuals concerned. The Privacy Shield places heightened obligations on US companies seeking to onward-transfer personal data, and this may also impact Australian businesses that use US-based service providers, since those providers will need to pass equivalent protections down the chain. Australian-based cloud service providers and entities with EU or US affiliates will also be interested in developments.

It is crucial for businesses involved in any way with the transfer of personal data from the EU to consider implications for them and to keep monitoring developments.