Safe Harbor Resurrected as EU-U.S. Privacy Shield

By Stephen Gardner

Feb. 2 — Thousands of company leaders breathed a sigh of relief Feb. 2 when European Union and U.S. negotiators announced they had agreed in principle on a deal to replace the invalidated U.S.-EU Safe Harbor framework and allow the continued transfer of personal data out of Europe to the U.S.

The new EU-U.S. Privacy Shield will take the form of a decision of the European Commission, the EU's executive arm, that finds new promised protections to be put in place by the U.S. government to be adequate for preserving the privacy of data subjects who provide their data to U.S. companies.

Andrus Ansip, Commission Vice-President for the Digital Single Market, said at a briefing in Brussels that “we want to be sure that when Europeans' data is sent to the U.S., the data continues to be protected.” The Privacy Shield would offer “significant improvements compared to the previous scheme,” he said.

In particular, “the U.S. side has clarified that they do not carry out indiscriminate mass surveillance of Europeans,” and has offered “specific assurances” that any law enforcement or national security access to the personal data of Europeans held in the U.S. would be necessary and proportionate, Ansip said.

Meanwhile in Washington, U.S. Commerce Secretary Penny Pritzker hailed the pact as a way forward, saying she was confident the pact will withstand scrutiny in the EU. “It was a tough negotiation focused on protecting privacy,” she said.

Under the Privacy Shield data transfer agreement, the U.S. Federal Trade Commission will coordinate with EU data protection officials to resolve data subject complaints about government access to data, she added.

The Commerce Department will soon be offering a series of briefings for companies on the details of the Privacy Shield, Pritzker said. There will be changes in what companies need to do regarding data transfers, she said, but there will be a transition period to allow companies to undertake compliance efforts.

Concern about the lack of safeguards to limit U.S. law enforcement access to transferred personal data was one of the main factors the European Court of Justice cited in its October 2015 ruling invalidating the Safe Harbor. The court also cited insufficient redress options for EU citizens in case their information was misused. The invalidation of Safe Harbor affected some 4,400 U.S. companies certified in the program as well as thousands of EU companies that relied on the certification to transfer personal data to those companies.

Vera Jourova, the European Commissioner for Justice, Consumers and Gender Equality, said that the Privacy Shield arrangement “lives up to the requirements of the ECJ,” and offered “clear safeguards and transparent obligations on U.S. access to data.”

Brian Hengesbaugh, a partner with Baker & McKenzie LLP in Chicago, who was previously the U.S. Department of Commerce General Counsel's Office lead attorney on Safe Harbor, told Bloomberg BNA Feb. 2 that the agreement looked likely to satisfy the conditions laid down by the ECJ when it invalidated Safe Harbor, and should therefore provide relief to companies that had been facing legal uncertainty over their data transfers.

“It really builds on what the framework rules were in the Safe Harbor, which were really commercial rules,” Hengesbaugh said. Under the Privacy Shield, companies could expect “some level of pre-checking” of their data protection practices by the Department of Commerce, accompanied by “more aggressive oversight,” he said.

Alan Raul, a partner at Sidley Austin LLP in Washington, told Bloomberg BNA Feb. 2 that the new agreement “definitely should withstand a legal challenge in the EU.”

Details Hazy

No text of the agreement was made available, but the commission said in a statement that it would require companies to publish commitments setting out “robust obligations on how personal data is processed and individual rights are guaranteed.”

The new system would offer EU citizens redress for privacy breaches in commercial contexts, and would, separately, create an ombudsman who could step in in cases involving law enforcement or national security access to data.

Ansip said that the ombudsman would be created within the U.S. State Department and would follow up referrals from EU data protection authorities.

On redress, Jourova said there would be “several affordable and accessible dispute resolution mechanisms,” and that EU citizens would ultimately be able to channel complaints to the U.S. Department of Commerce, which should act within a “reasonable deadline.”

Failing that, “as a last resort there will be an arbitration mechanism” via which enforceable decisions could be issued, she said.

The commission said that the formal Privacy Shield adequacy decision would be prepared “in the coming weeks,” and would be submitted to a committee of EU member state representatives.

Privacy Regulator Approval?

The Article 29 Working Party of data protection officials from the 28 EU member states had set a Jan. 31 deadline for replacing Safe Harbor, saying it would investigate transfers under the old system if a replacement deal was not in place.

The group is meeting in Brussels Feb. 2-3 to assess the situation and has said it will provide on Feb. 3 the results of an assessment of whether alternative mechanisms for data transfer from the EU to the U.S., such as binding corporate rules and standard contractual clauses, remain valid in light of the ECJ ruling that invalidated Safe Harbor.

Raul said whether those alternatives are still valid under the new Privacy Shield is an “important question that is not answered” by the pact. It is likely that the Working Party will endorse the Privacy Shield because it is unlikely “the European Commission would go forward with this arrangement unless they had engaged in a series of discussions with the Article 29 Working Party.” It would be “quite surprising” if EU DPAs were unwilling to back the new arrangement, he said.

New Deal Welcomed

Business groups welcomed the Privacy Shield announcement.

Susan Danger, managing director of the American Chamber of Commerce to the EU, said in a statement that “this new framework gives business the necessary confidence to continue to invest in the transatlantic marketplace,” and was “a step in the right direction towards rebuilding trust and confidence.”

John Higgins, director general of DIGITALEUROPE, which represents digital technology companies including Apple Inc., Cisco Systems Inc., Google Inc. and Microsoft Corp., said the Privacy Shield would “re-establish a sustainable path for data transfers between the EU and US.”

EU data protection authorities should view the announcement of an agreement as a “sign of good faith,” and should “hold off with any potential enforcement action until the new agreement has been fully implemented.”

The Information Technology Industry Council (ITI), BSA | The Software Alliance and DIGITALEUROPE praised the movement towards an agreement. “Today’s economy is online and it runs on data, and so the biggest winners here are the EU and U.S. economies,” ITI President and Chief Executive Officer Dean Garfield said today in a statement.

Not All Impressed

Max Schrems, the Austrian privacy activist whose complaint prompted the ECJ ruling, was critical of the Privacy Shield. Questions about the viability of privacy safeguards the U.S. has agreed to under the pact may provide the basis for a further court challenge, he said.

Jan Philipp Albrecht, the German Green lawmaker who was responsible for steering the new EU General Data Protection Regulation through the European Parliament, was also critical of the Privacy Shield, calling it “little more than a reheated serving” of Safe Harbor.

“This is just a joke,” Albrecht tweeted in reaction to today's announcement. The replacement as outlined by EU officials would likely not withstand further ECJ scrutiny, he said.

Albrecht was critical of a provision that would prohibit mass government surveillance as “vague” and the creation of an ombudsman to accept complaints as insufficient because of a lack of detail on what happens after a complaint is filed.

With assistance from Donald G. Aplin in Washington

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com