Privacy + Data Security
In October 2015, the European Court of Justice abruptly invalidated Commission Decision 2000/520/EC on the adequacy of Safe Harbor (Case C-362/14, “Schrems”), mainly on the grounds of (i) overly broad access by U.S. public authorities, including for national security purposes, to EU citizens’ data and (ii) a lack of judicial redress for such citizens against the U.S. government.
This left more than 4,000 U.S. companies that had certified to Safe Harbor – but also countless European companies that depend on transatlantic data flows to operate their business – in a situation of total legal uncertainty. This had a particularly disruptive effect in the cloud industry, as most cloud providers servicing the EU market are U.S. based. On top of that, the Article 29 Working Party (“WP29”), the advisory body composed of the national EU data protection authorities (“DPAs”), issued a statement shortly after Schrems urging U.S. and EU authorities to find a solution respectful of EU fundamental rights within a 3-month period ending late January 2016. After that deadline, the DPAs would (i) convene to discuss the impact of the Schrems ruling on alternative cross-border data transfer mechanisms, such as the Standard Contractual Clauses (“SCCs”) and Binding Corporate Rules (“BCRs”), and (ii) potentially begin enforcement.
Last week, in the midst of WP29 meetings that could have led to the invalidation of data transfers to the United States under the alternative data transfer mechanisms, the EU and U.S. authorities announced that they had reached an agreement on a revised Safe Harbor. The WP29 immediately reacted. This alert examines these developments and their implications in the near term.
1. The EU-U.S. Privacy Shield
Discussions between the EU and the United States to revise the Safe Harbor had been ongoing since 2013, in the wake of the NSA revelations. But the need for an agreement became urgent under the looming deadline set by the WP29. On February 2, the EU Commission and the U.S. Department of Commerce announced that they had reached an agreement on a new transatlantic data transfer mechanism to replace the Safe Harbor, called the “EU-U.S. Privacy Shield”.
The actual contents of the agreement have not yet been made public. EU and U.S. authorities have only provided verbal assurances as to what their commitments would be. Skeptics believe the announcement to be premature, aimed only at preventing the WP29 from declaring the alternative transfer mechanisms invalid and at buying time to iron out the details of an actual framework.
Nevertheless, the Privacy Shield seems, on the face of it, to address the two key concerns outlined in the Schrems decision, namely broad government access to transferred data and the lack of judicial redress for EU citizens.
The U.S. Department of Commerce reported that the new agreement will entail increased commitments from the Federal Trade Commission (“FTC”) to provide strong, independent oversight of the accord. FTC Commissioner Brill pledged to robustly enforce the new deal and to cooperate more closely with European DPAs. Brill indicated that, even though the EU Commission’s Safe Harbor decision is no longer valid, companies certified to the Safe Harbor can still be held to the commitments they made under the Safe Harbor principles. Also, according to Commerce Secretary Penny Pritzker, the Privacy Shield is not contingent on passage of the Judicial Redress Act – currently awaiting approval by Congress – as the agreement finds ways of providing European citizens with means of judicial redress that are "not subject to congressional approval."
Timewise, the EU Commission estimated that a draft adequacy decision should be finalized within the next few weeks and that the new framework would be in place within the next three months, i.e., by April.
2. Reaction of the WP29
In response to the announcement of the Privacy Shield, the WP29 has now deferred its assessment of the impact of the Schrems decision on the alternative data transfer mechanisms.
It has also requested to receive all documents relating to the Privacy Shield in order to analyze:
Moreover, the WP29 concluded regarding intelligence activities that four guarantees must be observed:
The WP29 stressed that these guarantees should exist not only when data are transferred to the United States, but also when they are transferred to other countries outside the EU, and within EU Member States themselves. Although the WP29 welcomed the announcement of the new agreement, it emphasized its concerns about the scope of intelligence activities and the remedies available to individuals.
Timewise, the WP29:
The WP29 did not grant a new grace period for organizations sending data to the United States. Any transfers based on the Safe Harbor are invalid. Transfers based on BCRs or SCCs can still take place for the time being, but each DPA is free to act as it deems appropriate. DPAs in several Member States (e.g., the Czech Republic, France, Germany, Luxembourg and Spain) have already initiated enforcement actions regarding ongoing transfers based on Safe Harbor, for instance by sending warning letters to companies.
3. We may have a shield – but are we covered?
4. What’s next
There seem to be converging deadlines in April 2016: for the WP29 to render its final decision on the Privacy Shield and on the validity of transfer mechanisms such as BCRs and SCCs, and for the EU and the United States to produce a written Privacy Shield agreement. Until then, companies will have to continue to live with the overarching uncertainty around data transfers from the EU. There does not seem to be any official grace period around enforcement, meaning that DPAs could start launching proceedings as of now. However, SCCs and BCRs remain valid alternatives for the time being and should be considered by companies that perform large-scale transfers of data.
In the upcoming weeks, stakeholders will likely continue to advocate for the EU and the United States to set up robust commitments that apply to all data transferred to the United States, so as to ensure that all transfer mechanisms are valid under EU law. Both sides will need to reflect on how to position themselves on the international scene in order to uphold their standards while remaining competitive and able to tackle global challenges and threats efficiently.
©1996-2019 Morrison & Foerster LLP. All rights reserved.