EU Countries Green Light Data Transfer Privacy Shield

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

July 8 — The European Commission July 12 will finalize the European Union-U.S. Privacy Shield data transfer agreement, after a regulatory committee of EU countries July 8 cleared the arrangement.

Thousands of companies in the U.S. and EU have been holding their breathes for the approval of the mechanism to allow easier transfer of personal data to the U.S. But they may not be able to safely exhale yet, as the exact text of the document approved by the Article 31 committee wasn't released by the commission. The commission declined to disclose the latest version of the Privacy Shield text to Bloomberg BNA and said it would be issued when the decision is finalized July 12.

The Privacy Shield is a replacement for the invalidated U.S.-EU Safe Harbor program that was relied on by over 4,400 U.S. companies and tens of thousands of EU companies to legally transfer data to the U.S. Edward Snowden's disclosures about the scope of surveillance by the U.S. National Security Agency prompted EU concerns that the privacy of data transferred to the U.S. wouldn't be protected.

Although the Privacy Shield has made it past its penultimate step in the approval process, it was unclear to what extent the text approved by the Art. 31 committee has changed since the commission published it in draft form Feb. 29 .

The Feb. 29 version of Privacy Shield was amended, with further privacy guarantees from the U.S. authorities, after it was criticized by the Article 29 Working Party of EU privacy officials, the European Data Protection Supervisor and the European Parliament (15 PVLR 825, 4/18/16).

The Privacy Shield was approved by the Art. 31 panel “to nobody's surprise,” Peter Van Dyck, a senior associate with Allen & Overy LLP in Brussels told Bloomberg BNA. It is likely that “nothing fundamental has changed” in the text of the Privacy Shield approved by the committee as compared to the Feb. 29 version, he said.

If there haven't been some changes, it may leave the Privacy Shield open to legal challenge and there is a “good chance Privacy Shield doesn't withstand the test,” Van Dyck said.

Vera Jourová, the European Commissioner for Justice, Consumers and Gender Equality, and U.S. Commerce Secretary Penny Pritzker will sign the final agreement after it receives commission approval.

Pragmatic Choice

Van Dyck said the Art. 31 approval of Privacy Shield is a “pragmatic decision” because companies faced great uncertainty in the wake of the invalidation of Safe Harbor and wanted to be able to easily and lawfully transfer personal data to the U.S.

Privacy Shield will be a self-certification framework under which companies agree to abide by EU-equivalent data protection safeguards when transferring the data of EU citizens to the U.S.

When the European Court of Justice—the EU's top court— (14 PVLR 1825, 10/12/15) invalidated the predecessor Safe Harbor in October 2015, it said the program didn't offer sufficient redress opportunities for privacy violations or safeguards against government surveillance of data.

The Privacy Shield arrangement is backed up by an amended U.S. Privacy Act with a redress provision for EU citizens and enforcement mechanisms that allow EU citizens to seek rectification of alleged privacy infringements in the U.S. (15 PVLR 445, 2/29/16). The Privacy Shield also allows individuals to refer any complaints about undue surveillance of data by U.S. authorities to an ombudsman established in the U.S. State Department.

But if Privacy Shield is challenged in the courts on a similar basis to the challenge against Safe Harbor, it may mean “some level of uncertainty” about how long Privacy Shield will last, Van Dyck said.

Stronger U.S. Privacy Assurances

The commission said in a July 8 statement that the Privacy Shield is “fundamentally different from the old Safe Harbor,” because it “imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.”

The U.S. had given the EU “written assurance that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms, and has ruled out indiscriminate mass surveillance of European citizens' data,” the commission said.

DIGITALEUROPE, an association of information technology and consumer electronics companies, said in a July 8 statement that concerns raised about the commission's Feb. 29 draft Privacy Shield decision had been addressed, and Privacy Shield now “offers greater clarity on data retention, strengthened obligations for onward transfers of data to third countries,” and “assurances on bulk collection” of data by authorities.

DIGITALEUROPE Director General John Higgins said that companies were “ready to implement the new framework and meet the compliance challenge that the strengthened provisions demand.”

Further Review

The Art. 29 Party said July 1 that it would “conduct a coordinated analysis” of Privacy Shield after it is adopted by the commission.

Van Dyck said that the Art. 29 Working Party's view on the approved Privacy Shield may influence the likelihood of a future court challenge against it, with a court challenge more likely if the privacy officials are “as critical as they were in the past.”

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.