News - Fresh Data Archive Article


Making Sense of the New EU-US Privacy Shield

Date: December, 2015 --


There was a premature sigh of relief when the EU Commission and the US Commerce delegation claimed they had solved the crisis created by the European Court of Justice. In October of last year the highest court in Europe declared Safe Harbor invalid on the grounds that the US government, as detailed most notoriously in the Snowden revelations, had the broad power and clandestine reach to access and aggregate, by various means, any data it deemed fit, without "adequate" consideration for privacy. The new arrangement is called the "EU-US Privacy Shield". It is claimed that this agreement will both protect the fundamental rights of Europeans when their data is sent to the US and reinstate the legal certainty for businesses "processing" EU data that was stripped away by the Court of Justice.

But it is apparently not done yet, on either side of the Atlantic, and companies that need to create a structure for bringing European data to this side of the Pond should not lose sight of the other options.

First, here is how the EU-US Privacy Shield differs from its forebear, the Safe Harbor Agreement.

US companies bringing in (or receiving) personal data from Europe must observe more robust processes and obligations covering how data is processed, what recourse a concerned European data subject has, and which other US and European agencies are involved.

Procedures will be more stringent. For example, under Safe Harbor, one established a privacy policy consistent with the principles laid out in the program and established procedures for aggrieved data subjects to follow. These could be submission to European jurisdiction or the provision of arbitration relief here in the US. The company filed a declaration online with the US Department of Commerce and made public commitments to observe good practices and to respond to breaches and concerns. This process has a certain rigor and is very straightforward.

The Shield requires more robust obligations on how personal data is processed and individual rights are guaranteed.

There will be more oversight. Under Safe Harbor one filed the form, published one's commitments regarding recourse, including what one was doing with the data, refiled those commitments periodically and, aside from being called to task for failing to renew the public commitment, faced no other government supervision.

Under the new EU-US Privacy Shield, the Department of Commerce will actually monitor that companies publish their commitments as required. Surprisingly, this was not done under Safe Harbor. It is claimed that this will make the commitments "more enforceable" under US law by the US Federal Trade Commission. We think that this is no change. In any event, if the change is significant, it will take time to establish new procedures.

What is new is that human resources data from Europe does gain protected status: companies handling human resources data from Europe must publicly commit to compliance with decisions by European Data Protection Authorities. One would think that any responsible US company would have been observing such practices regardless of where employee data was used. But this was obviously a deep concern of the European negotiators, and a submission to the jurisdiction of, and an agreement to follow the requirements of, the European DPAs within the USA is most unusual.

Also new are the safeguards and visibility requirements imposed on the US government. The US has provided the EU with written assurances that access by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Such access would be undertaken only when necessary, and it must be "proportionate", which one supposes means proportionate to some measure of risk. Internal procedures, policies and practices within US agencies will take time to establish.

In addition, there will be regular monitoring of the functioning of the arrangement through an annual joint review, which will also cover the issue of national security access. The European Commission and the Department of Commerce will conduct the review together with national intelligence experts from both sides. Agreement to this arrangement by the relevant agencies will have to be obtained before it becomes operational, which will take time.

Also new is the creation of redress possibilities to protect EU citizens' rights when a citizen believes his or her data has been mishandled. US companies handling data will now have concrete deadlines for replying to complaints. Moreover, an EU person can now raise concerns through their Data Protection Authority, which can in turn pass those concerns and complaints on to the Department of Commerce and the Federal Trade Commission. We have no doubt that the FTC will treat any such complaints with the most profound gravity.

In addition, when a European complaint is denied, or rises to a level of complexity or gravity that merits the step, the aggrieved party can insist on alternative dispute resolution, which will be free of charge. And, most seriously, and the source of much of the European Court of Justice's concern, a new "Ombudsperson" will be established to decide on complaints concerning possible access by national intelligence authorities.

Finally, a potentially serious bump in the road: before this arrangement becomes operational, the Article 29 Committee, which consists of the Data Protection Authorities of the 28 member countries of Europe, must itself conclude that the agreement is adequate under its own data protection statutes. The Committee will await receipt of the documents before it can begin this review. Article 29 will then hold a meeting to determine whether the group accepts the agreement and its adequacy.

It would be natural for the Article 29 Committee to be extremely rigorous in its review of the arrangement, having been publicly embarrassed by the EU Court of Justice's decision. With 28 different Data Protection Authorities picking at the agreement and pulling on the loose strings, a delay is almost guaranteed.

In short, the agreement has a lot of "to-dos" on each side of the Atlantic before it becomes operational. Consequently, it remains to be seen whether it is a better deal for businesses than the Standard Model Clauses or the Binding Corporate Rules, both of which are likely to find themselves the subjects of their own reviews, and whether it will ever become operational at all. If you have a deal to get done in the next few weeks, or possibly months, you need to look seriously at those two alternatives, bearing in mind that the rules around their use may be subject to change in the very near future.

Data Services, Inc. is committed to ensuring compliance in the processing of all our clients' data and will continue to update our readers on any further news on the international data privacy front.