On first reading, the EU Commission’s press release promotes the “EU-US Privacy Shield” as the solution to the recent Safe Harbor debacle, bringing legal certainty to individuals and to businesses. Indeed, the business community in Ireland and in Europe and the technology industry have welcomed the Commission-brokered framework, saying that it will save Irish jobs and remove the threat that hangs over transatlantic trade centred on US multinationals here and Irish companies who have outsourced data-related services to US corporates.
However, on closer inspection, whilst Privacy Shield represents an interesting and potentially far-reaching contribution to the debate, it’s clear that many questions, not least the implementation, legal ramifications and enforceability of the framework, remain unanswered.
In October 2015, the European Court of Justice (ECJ) ruled that the existing Safe Harbor framework was invalid, finding decisively in favour of the privacy rights of Europeans.
Safe Harbor was a framework for data protection compliance developed by the US Department of Commerce in coordination with the European Commission. US privacy requirements are significantly different from EU data protection legislation and the Safe Harbor framework was developed in order to bridge the gap between both jurisdictions. Safe Harbor allowed US organisations to self-certify that they were in compliance with the European privacy standards and effectively facilitated the large scale transfer of personal data to the US under a self-endorsed claim of compliance with the EU’s Data Protection Directive.
The implication of the ECJ’s ruling was that the routine transfer of personal data to the US was in fact non-compliant with EU data protection legislation, and therefore many European businesses were breaking the law if they continued to transfer data under the old framework.
The subsequent uncertainty around legal methods for transferring data out of Europe has seen the EU Commission broker the Privacy Shield framework in an attempt to return certainty to normal business operations.
Enabling business and protecting the right to privacy
Privacy Shield purports that data transfers will be facilitated, managed and monitored and that the EU has written assurances from the US supporting that claim. The Commission proposes that the new framework will establish the following controls to protect privacy rights of EU data subjects:
1. Strong obligations on companies handling Europeans' personal data and robust enforcement:
US companies will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. These commitments will be published and enforceable under US law by the US Federal Trade Commission. Companies handling HR-related data from the EU will have to comply with the relevant EU data protection laws.
2. Clear safeguards and transparency obligations on US government access:
Clear limitations and oversight mechanisms will be established for access to data by public authorities for law enforcement and national security. The Commission and the US Department of Commerce will carry out a joint annual review of such access, including national security access. The US has ruled out indiscriminate, mass surveillance of personal data transferred.
3. Effective protection of EU citizens' rights with several redress possibilities:
Privacy Shield will afford EU citizens a number of redress options. Companies will have to reply, within a mandated deadline, to complaints from citizens or anyone who feels their personal data has been misused. European Data Protection authorities will be able to refer complaints to the US Department of Commerce and the Federal Trade Commission. A new Ombudsperson will be created to investigate complaints about access by national intelligence authorities.
Continuing uncertainty surrounding the transfer of data would be detrimental to commercial transatlantic trade, and its true magnitude should not be underestimated, representing an unacceptable level of risk to the EU and Irish economies. The severe pressure the Commission is under to produce a fix is telling, given the competing interests of business and privacy. The EU-US Privacy Shield framework appears to give the message that, even after the blunt Safe Harbor legal opinion from Europe’s highest court, everything is under control.
Will it be enough to protect privacy?
So does the proposal provide any assurance to the individual whose data is at the centre of the ECJ’s decision? The answer is unclear. Whilst legitimate business interests are important and represent a sensible steering of the EU ship through choppy international waters, protecting commercial trade interests and international surveillance practices should not be pursued at the expense of eroding privacy rights.
The US Chamber of Commerce has welcomed the deal, claiming that it assists in “eliminating uncertainty, and allowing businesses to plan effectively”. But the substance of what Privacy Shield will deliver remains unclear. Yes, there is a provisional agreement to put in place a tighter regime for managing personal data transfers out of Europe, but just how this will play out remains to be seen. There is still some way to go before there are legally enforceable data protection obligations within the US.
Amid growing mistrust and suspicion within Europe of US intelligence practices, the ECJ’s October decision reinstated the EU’s position at the forefront of the protection of the individual’s right to privacy. However, it remains to be seen whether the proposed Privacy Shield framework, while admittedly progress in the right direction, is truly the much-needed reform: enabling trade, encouraging transatlantic commerce and protecting national security interests, while reinforcing and defending the privacy rights of individuals.
This article first appeared in the Sunday Business Post and was written by Conor Hogan, Manager, IT Audit & Security, Mazars Ireland.