From Safe to Schrems to Shield - and Other Alliterations
Shifting Grounds in the EU Privacy Landscape

02/08/2016
Client Alert

In October 2015, the European Court of Justice abruptly invalidated Commission Decision 520/2000/EC on the adequacy of Safe Harbor (Case C-362/14, “Schrems”), mainly on grounds of (i) overly broad access by U.S. law enforcement authorities to EU citizens’ data and (ii) a lack of judicial redress for such citizens against the U.S. government.

This left more than 4,000 U.S. companies that had certified to Safe Harbor – but also countless European companies that depend on transatlantic data flows to operate their business – in a situation of total legal uncertainty. This had a particularly disruptive effect in the cloud industry (as most cloud providers servicing the EU market are U.S. based). On top of that, the Article 29 Working Party (“WP29”), the consortium of national EU data protection authorities (“DPAs”), issued a statement shortly after Schrems, urging U.S. and EU authorities to find a solution respectful of EU fundamental rights within a 3-month period, ending late January 2016, after which the DPAs would (i) convene to discuss the impact of the Schrems ruling on alternative cross-border data transfer mechanisms, such as the Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”) and (ii) potentially begin enforcement.

Last week, in the midst of WP29 meetings that could have led to the invalidation of data transfers to the United States under the alternative data transfer mechanisms, the EU and U.S. authorities announced that they had reached an agreement on a revised Safe Harbor. The WP29 immediately reacted. This alert examines these developments and their implications in the near term.

1. The EU-U.S. Privacy Shield

Discussions between the EU and the United States to revise the Safe Harbor had been ongoing since 2013, in the wake of the NSA revelations. But the need for an agreement became pressing under the looming deadline of the WP29. On February 2, the EU Commission and the U.S. Department of Commerce announced that they had reached an agreement on a new transatlantic data transfer mechanism to replace the Safe Harbor, called the “EU-U.S. Privacy Shield”.

The actual contents of the agreement have not yet been made public. EU and U.S. authorities only provided verbal assurances as to what their commitments would be. Skeptics believe the announcement to be premature, aimed only at preventing the WP29 from declaring the invalidity of the alternative transfer mechanisms and buying time to iron out the details of an actual framework.

Nevertheless, the Privacy Shield seems on the face of it to address the two key concerns outlined by the Schrems decision:

  • Access by U.S. law enforcement authorities to EU citizens’ data
    The United States has given the EU written assurances that access to EU data by U.S. authorities will be subject to clear limitations, safeguards and oversight mechanisms. Any exceptions will have to be necessary and proportionate. The U.S. rules out indiscriminate mass surveillance of Europeans. An annual joint review will take place to verify and monitor the implementation of these commitments.
  • Lack of judicial redress for EU citizens against the U.S. Government
    Citizens will have several avenues, including the creation of a new Ombudsperson within the State Department to handle complaints about intelligence-related activities. EU citizens would go through their EU member state representative to raise concerns about such activities, and the ombudsman would provide a response to the member states.

The U.S. Department of Commerce reported that the new agreement will entail increased commitments from the Federal Trade Commission (“FTC”) to provide good, independent oversight of the accord. FTC Commissioner Brill pledged to robustly enforce the new deal and to cooperate more closely with European DPAs. Brill indicated that, even though the EU Commission’s Safe Harbor decision is no longer valid, companies certified to the Safe Harbor can still be held to the commitments they have made under the Safe Harbor principles. Also, according to Commerce Secretary Penny Pritzker, the Privacy Shield is not contingent on passage of the Judicial Redress Act - currently awaiting approval by Congress - as the agreement finds ways of providing European citizens means of judicial redress that are "not subject to congressional approval."

Timewise, the EU Commission estimated that a draft adequacy decision should be finalized within the next few weeks and the new framework would be in place within the next three months, i.e. by April.

2. Reaction of the WP29

In response to the announcement of the Privacy Shield, the WP29 has now deferred its assessment of the impact of the Schrems decision on the alternative data transfer mechanisms.

It has also requested to receive all documents relating to the Privacy Shield in order to analyze:

  • The contents and binding nature of the Privacy Shield, and whether it answers the wider concerns of Schrems; and
  • How it might impact the overall legal data protection framework of the United States, including regarding the alternative transfer mechanisms. Indeed, it is crucial for the continuity of such alternative mechanisms to determine whether the new commitments extend to transfers of data to the U.S. in general - including SCCs and BCRs - or just to those made under the Privacy Shield (see point 3.3 below).

Moreover, the WP29 concluded regarding intelligence activities that four guarantees must be observed:

  • There should be clear, precise and accessible rules for processing;
  • Any government access to data should be governed by the principles of necessity and proportionality and have legitimate objectives;
  • There should be independent oversight mechanisms; and
  • Individuals should have access to effective remedies, i.e., before an independent body.

The WP29 stressed that these guarantees should exist when data are transferred not only to the United States, but also to other countries outside the EU and within EU Member States themselves. Although the WP29 welcomed the announcement of the new agreement, it emphasized its concerns on the scope of intelligence activities and available remedies for individuals.

Timewise, the WP29:

  • Expects to receive a copy of the Privacy Shield by the end of February;
  • Will hold a plenary meeting at the end of March to conduct its assessment; and
  • Will seek to issue its conclusion by the end of April.

The WP29 did not grant a new grace period for organizations sending data to the United States. Any transfers based on the Safe Harbor are invalid. However, data transfers on the basis of BCRs or SCCs can still occur for the time being, but each DPA is free to act as it deems appropriate. Some DPAs (e.g., those of the Czech Republic, France, Germany, Luxembourg and Spain) have already initiated enforcement actions regarding ongoing transfers based on Safe Harbor, for instance by sending warning letters to companies.

3. We may have a shield – but are we covered?

  • It is positive that governments are trying to resolve this situation. Companies did not have the power to resolve the criticisms outlined in Schrems and were caught between a rock and a hard place (i.e. keep operating their business, while complying with EU transfer restrictions and responding to U.S. governmental access requests).
  • The Privacy Shield appears to address some of the DPAs’ concerns, but it is impossible to assess whether it will satisfy Schrems criteria until the actual agreement is made public. Based on official declarations, the mechanisms for judicial redress for EU citizens remain vague. For instance, funnelling all complaints from the EU to one ombudsman might create a bottleneck effect (contrary to EU principles on effective judicial redress). Also, although the U.S. administration has made efforts to enhance executive oversight of intelligence activities (e.g., Presidential Policy Directive 28), this might not suffice to appease skeptics in the EU (especially given upcoming elections which could overturn governmental controls).
  • Even if the Privacy Shield were in and of itself sufficient to fix the Safe Harbor, it is not certain it would extend to SCCs and BCRs. Indeed, it is unclear whether the EU and U.S. commitments apply only to the renewed certification scheme or extend to all data which are received in the United States. If not, SCCs and BCRs would remain at risk of being deemed invalid. This would for instance be a major issue for companies which simply cannot certify to Safe Harbor-type schemes, e.g., because they do not fall under the jurisdiction of the Department of Commerce or FTC, such as financial institutions.
  • The debate on the invalidation of the SCCs and BCRs is still unresolved. EU DPAs do not have the power to strike down these transfer mechanisms as such (nor could they do so for the Safe Harbor). Article 28 of the Data Protection Directive and specific provisions in these transfer mechanisms only allow DPAs to investigate and suspend specific transfers on a case-by-case basis, by reference to specific criteria (e.g., where the law of the recipient country imposes requirements that go beyond what is necessary in a democratic society - see Articles 13 and 28(4) of the Data Protection Directive). In other words, DPAs cannot claim to invalidate legal transfer mechanisms (nor automatically block all individual transfers), but will need to scrutinize each transfer individually. For more information on this, please see the opinion of Professor Lokke Moerel which can be downloaded directly here: //media2.mofo.com/documents/160201opinionimpactoftheec.pdf (especially as of point 17 and following).
  • This debate goes beyond the United States:
    • The criticisms raised by Schrems could be applied to other regions of the world where strong governmental oversight applies and which are material commercial partners of the EU, such as India, Brazil, Russia and China.
    • Europe should not end up creating a higher standard for outsiders than it applies to itself. For example, the Snowden revelations did not only target the United States, but also EU countries’ programs (e.g., Tempora).

4. What’s next

There seem to be converging deadlines in April 2016, i.e. for the WP29 to render its final decision on the Privacy Shield and the validity of transfer mechanisms such as BCRs and SCCs, and for the EU and the United States to produce a written Privacy Shield agreement. Until then, companies will have to continue to live with the overarching uncertainty around data transfers from the EU. There does not seem to be any official grace period around enforcement, meaning that DPAs could actively start launching proceedings as of now. However, SCCs and BCRs remain valid alternatives for now and should be considered by companies which perform large scale transfers of data.

In the upcoming weeks, stakeholders will likely continue to advocate for the EU and the United States to set up robust commitments which apply to all data transferred to the United States, to ensure that all transfer mechanisms be valid under EU law. Both sides will need to reflect on how to position themselves on the international scene, in order to uphold their standards, while remaining competitive and being able to efficiently tackle global challenges and threats.

©1996-2019 Morrison & Foerster LLP. All rights reserved.