On February 2, 2016, the EU Commission and U.S. Department of Justice announced the framework of a deal to allow transatlantic data transfers between the EU and U.S. without running afoul of Europe’s strict data protection directives. It was appropriate that the announcement came on Groundhog Day, because we have been here before.
Fifteen years ago, the so-called “safe harbor” agreement appeared to allow companies to transfer data between the EU and U.S. if certain safeguards were established and companies self-certified compliance. That system, while onerous, worked for a while until challenged by privacy groups and ultimately overturned last October by the European Court of Justice in Schrems v. Data Protection Commissioner (Case C-362/14).
Although Schrems was reported as surprising to many, the European Court of Justice had been down this road before, having declared invalid in 2014 a European Commission data retention directive. As we noted in a prior posting, that directive was part of a 2006 response to terrorist attacks in London and Madrid and had sought to harmonize EU member states’ retention of certain electronic data generated or processed by providers of electronic communications services or public communications networks.
The Schrems ruling has led to much corporate angst and has reinvigorated government activity, including the recent EU-U.S. meetings, although such discussions had been going on for some time and the European Commission, in reports from 2013, had outlined numerous concerns with the existing safe harbor system. What has emerged is essentially a new safe harbor framework, described as the EU-U.S. “Privacy Shield” agreement, which requires a number of changes to the old safe harbor arrangement, including: (1) the creation of an ombudsman to handle privacy and spying complaints from EU citizens; (2) written commitments by the U.S. Office of the Director of National Intelligence that certain data will not be subject to mass surveillance; (3) annual government reviews to ensure the new arrangement is working; (4) enhanced regulatory penalties for companies that fail to comply with privacy safeguards; and (5) enhanced coordination between the EU and the Federal Trade Commission to address any identified problems. According to the U.S. Department of Commerce, the Privacy Shield represents a “renewed commitment to privacy by the U.S. and the EU” and “improve[s] transparency regarding personal data use” while strengthening “cooperation between the Federal Trade Commission and EU Data Protection Authorities” and resulting in a dedicated “special team with significant new resources to supervise compliance.”
In addition to this newly announced framework, it should be noted that the EU for some time has been working to create General Data Protection Regulations to strengthen data privacy enforcement and create common standards for data protection and a uniform set of EU data transfer rules governing a Digital Single Market. But such efforts require the EU Commission, the Council of Ministers, and the EU Parliament to create a single version of such regulations, which are not expected to come into force until at least 2018, thus making the Privacy Shield framework relevant at least for the time being.
Although the Privacy Shield announcement is viewed by many as a positive step, the problem is that more challenges from privacy groups and EU citizens are coming. The devil is always in the details, and any new obligations imposed by the Privacy Shield agreement will need to be balanced against their cost of implementation and the not insubstantial worry that the agreement itself may be relatively short-lived. In addition, self-certification of compliance will no longer be sufficient, and corporations will likely have to agree to subject themselves to regulatory enforcement not only by the FTC, but by EU regulatory authorities as well. For non-multinational companies in particular, this could create a substantial barrier to acceptance. Companies embracing the Privacy Shield agreement may also be subjecting themselves to other avenues of grievance, including private complaints by EU citizens.
In short, the Privacy Shield agreement, like the safe harbor agreement 15 years ago, is no panacea. There are simply fundamental differences between how the EU and the U.S. view and treat personal data – how it is tracked, maintained, shared, transferred, erased, and subjected to surveillance based on security concerns – and those differences cannot be papered over with press releases, frameworks, or inter-governmental agreements that, at bottom, fail to address the hard choices that must be made and the enormous burdens required for balancing privacy and security in the digital age. At best these safeguards are band-aids, and numerous privacy groups and individual citizens will continue to challenge them because at their heart they cannot really guarantee that an individual’s information is both secure and private. The EU and U.S. need to agree at a more fundamental level about how much of one’s privacy can and should be sacrificed in order for commerce to function, for security to be adequate, and for the world to be digitally connected. Until the EU and U.S. have a shared perspective on those questions, no framework will be safe.