Draft Privacy Shield Text Emerges to Industry Applause, Civil Society Criticism
Documents detailing Privacy Shield, safe harbor's successor agreement for trans-Atlantic personal data flows, emerged Monday from the European Commission. EU data protection authorities (DPAs) in the Article 29 Data Protection Working Party will now analyze the text "with great attention" before finalizing a draft opinion to be approved at an April 12-13 plenary meeting, the WP said Monday. U.S. bulk data collection is likely to remain a key concern for DPAs, said Hogan Lovells (London) privacy attorney Eduardo Ustaran. Max Schrems, whose challenge in the European Court of Justice (ECJ) led to the invalidation of safe harbor, predicted further lawsuits. Industry groups welcomed the text; privacy and consumer rights advocates bashed it.
The package includes a communication to the European Parliament and Council, a draft "adequacy decision" and annexes containing various letters between the EC and U.S. government agencies. The agreement, announced early in February, won cheers from industry but skepticism from privacy advocates and others (see 1602020040). The WP said Feb. 3 it couldn't judge whether Privacy Shield would be legally binding or relieve all the concerns of the EU high court Schrems decision until it reviewed the text (see 1602030001).
Unlike safe harbor, Privacy Shield covers commitments in the commercial sector, and also "significantly, and for the first time in EU-U.S. relations," commitments in the area of access to personal data by public authorities, including for national security purposes, the EC communication said.
Companies will have to accept strong conditions on how they process personal data and guarantee individual rights, including stricter liability provisions for those businesses that transfer EU data to third parties outside the framework, whether in the U.S. or elsewhere, the EC said. The Department of Commerce (DOC) committed to "regular and rigorous monitoring of how companies comply with their commitment and to weed out 'free-riders'" that falsely claim adherence to the scheme, it said. Noncompliant companies will face severe FTC penalties, it said.
Privacy Shield also, for the first time, sets clear limits, safeguards and oversight on U.S. government access to Europeans' personal data, the EC said. An ombudsperson for EU data subjects, independent from national security agencies, will follow up complaints and inquiries by Europeans on national security access. The arrangement also ensures effective protection of privacy rights through redress possibilities, including free alternative dispute resolution bodies, the EC said. Individuals will be able to take their complaints to their "home" DPAs, which can then refer them to the DOC and FTC for investigation and resolution, it said. If a case can't be resolved through any of those avenues, a Privacy Shield panel will be empowered to make enforceable decisions against U.S. companies, and DPAs will be able to help people prepare their cases, it said.
The agreement includes an annual joint review that will allow the EC to monitor how Privacy Shield is working, the EC said. The EC and DOC will handle the review, which will involve DPAs, U.S. national security authorities and the ombudsperson, it said. "In this way, the U.S. will be held accountable to its commitments." The review won't be a "formalistic exercise without consequences," and where companies or public authorities are violating their commitments, the EC will take steps to suspend Privacy Shield, it said.
The agreement "is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic," said Secretary of Commerce Penny Pritzker. She said she hopes the agreement moves quickly through the European approval process. That process includes review by a committee of representatives of EU countries and the WP before the EC makes a final decision, the EC said. The U.S. will simultaneously prepare to put in place the new system, including monitoring and ombudsperson mechanisms, it said. It urged companies to start getting into position to join Privacy Shield as soon as the EC decision is final.
FTC Chairwoman Edith Ramirez said in a Monday statement the new framework is “an important legal mechanism” that will benefit both consumers and businesses on both sides of the Atlantic. “Strong law enforcement and increased cooperation will be critical to the new framework’s success, and the FTC will play a significant role in enforcing commercial privacy promises under the framework,” she said. Last week, Ramirez sent a nine-page letter to EU Justice Commissioner Vera Jourová, explaining the FTC’s history of privacy enforcement and the approach it will take with Privacy Shield.
Industry reaction to the text was generally positive. From the point of view of multinationals, the "good news" is that the privacy principles involved are "largely aligned with the types of privacy practices you will find in most global compliance programmes," Ustaran emailed us after an initial look at the documents. The U.S. seems to be bending over backward to tell the EU "that they get it and that their practices are in line" with the ECJ requirements for a lawful intrusion into privacy, he said: The EC is "obviously trying just as hard" to meet the court's criteria "in a way that is convincing to even the most skeptical regulators." DPAs will likely continue to struggle with bulk data collection, Ustaran said.
Privacy Shield "will provide strong privacy safeguards, legal certainty for companies and enhances transatlantic trust," said Computer & Communications Industry Association International Policy Director Christian Borggreen. Legal certainty for data transfers to the U.S. will especially benefit small and mid-sized enterprises, said European Internet Services Providers' Association President Oliver Süme. Software & Information Industry Association Senior Vice President-Public Policy Mark MacCarthy urged EU leaders to "move quickly to fully consider and approve the agreement." TechNet and the Information Technology Industry Council said they would review the text in detail.
Schrems, digital rights activists and consumer and privacy advocates slammed the deal. The ECJ wanted the EC and U.S. to "go an extra kilometer" but Privacy Shield is "an aggregation of a couple extra inches," said Schrems in a statement. There are some minor improvements, but the deal is far from what the EU court envisioned for an adequacy decision, he said. The main problem is that in one letter (Annex 6), the U.S. government guaranteed it will collect bulk data for only six specific purposes, Schrems wrote. But the ECJ made it clear that any form of generalized access to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for privacy. "This made it clear that no purpose can justify bulk collection -- let alone bulk usage," he said. "There will be a number of people that will challenge this decision if it ever comes out this way -- and I may very well be one of them."
Privacy Shield offers only "cosmetic changes" to safe harbor, said Member of the European Parliament Jan Philipp Albrecht, of the Greens/European Free Alliance and Germany. There's no U.S. data protection equivalent to that under EU law primarily because the U.S. has no general data protection rules for consumers, he said in a statement. Privacy Shield should be limited to two years, and a new agreement negotiated once the new EU general data protection rules come into force, Albrecht wrote.
"We remain highly skeptical that the Privacy Shield can guarantee an adequate level of data protection for EU citizens," said European Consumer Organisation Senior Legal Officer David Martin. Despite limited improvement, the agreement doesn't "change the fact that the U.S. and the EU data privacy regimes are too far apart," he said. The long-term solution is for the U.S. to adopt a comprehensive privacy and data protection system that matches Europe's, he said. The documents confirm that "no meaningful reforms have been made and that none are planned," said European Digital Rights. Safe harbor involved self-certification and illegal, bulk data collection by U.S. agencies, and after two years of negotiation, so does Privacy Shield, said EDRi Executive Director Joe McNamee.