Hear that whoosh sound? That's U.S. companies collectively breathing a sigh of relief after details of the recently inked U.S.-EU Privacy Shield pact emerged in late February.
For 15 years, more than 4,400 American companies had followed the Safe Harbor guidelines for the transference of data originating in Europe. But once the Court of Justice (ECJ), Europe's highest court, ruled Safe Harbor invalid last Oct. 6, following a complaint by Max Schrems, an Austrian privacy activist, who argued that U.S. mass surveillance programs, as revealed by Edward Snowden, were in violation of the basic privacy rights of European citizens, the EU and U.S. scrambled to create a new legal framework to better protect residents' data and meet Europe's stringent privacy requirements.
The Privacy Shield replacing the self-certification Safe Harbor is the result of reportedly “heated” negotiations since the court ruling between U.S. and EC officials. With the draft text now released, European review entities, such as the Article 29 Working Party, will scrutinize the framework and possibly ask for changes. The text details a sign-up process for American companies desiring to abide by the pact's principles.
Four primary components include assurances that supervision mechanisms would be in place “to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply.”
Second, the U.S. government pledged that any “access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.” That language specifically addresses a key ECJ concern: NSA's widespread collection of EU citizens' personal data.
However, the NSA still held out its right to use data collected in bulk for six situations. This requirement may put the agreement at risk as the ECJ argues that it compromises “the fundamental right to respect for private life.”
Following ratification of the Privacy Shield, businesses in the U.S. would be obligated to be more responsive to complaints from Europeans objecting to use of their data and U.S. businesses would need to be more vigilant in maintaining their processes.
In late March, a senior official from the U.S. Department of Commerce (DOC), speaking on condition of anonymity, told SC Magazine in an interview that "We think the agreement was a real achievement for privacy" and that he thinks the European Commission will "end up supporting and framework and we'll see it approved."
“We'll need to see how it plays out with U.S. law,” says Omer Tene, VP of research and education at the International Association of Privacy Professionals (IAPP), who, as a U.S. lawyer, is eager to review the text carefully to “reflect on how the paradigm shifted compared to the Safe Harbor.”
Alan Raul (left), partner with the Washington, D.C. law firm Sidley Austin, says the it should satisfy the new requirements and safeguards sought by the ECJ's criteria in Schrems.
That ruling simply served as a catalyst for the EU and U.S. to address EU concerns about the Safe Harbor have persisted for years. Chris Zoladz, founder of Navigate LLC, a Germantown, Md.-based privacy consultancy, believes the U.S. DOC and Federal Trade Commission (FTC) are committed to preserving that the transatlantic flow of personal data is beneficial to U.S. and EU multinational companies.
And James L. Bindseil, CEO of Globalscape, a San Antonio, Tex.-based firm, points to an “erosion of trust” between the EU and U.S. following Snowden's disclosures.
Privacy professionals weren't surprised the European court invalidated Safe Harbor because the Snowden revelations really placed a question mark on its fate, says the IAPP's Tene. “The stars were aligned in Europe to terminate Safe Harbor.”
Yorgen Edholm, CEO of Palo Alto, Calif.-based Accellion, says the pact is a “noble” attempt to bridge differences in legal structures between the two continents, but “because the legal frameworks are not in sync, purists will always be able to point at incompatibilities where different laws step on each other.”
“[European] data protection authorities (DPA) will retain a continued role,” Raul says, adding the FTC will enhance its intake process for complaints and increase resources for that purpose.
In regard to concerns by EU citizens over national security surveillance-type information transferred to the U.S., the State Department is appointing an ombudsperson to help adjudicate any complaints. “The DPAs have said there were a larger number of complaints referred to the FTC, but there's no evidence of that,” adds Raul, noting the agency had received only four complaints from European protection authorities in 15 years of Safe Harbor.
“There's been no suggestion that there has been a large number of complaints and no suggestion the complaints had previously gone uninvestigated and unenforced,” he adds.
Still, some privacy advocates are worried that an ombudsmen working within the White House administration could show bias in favor of federal law enforcement. Addressing such concerns, the senior Commerce official told SC Magazine that the creation of an ombudsmen post "in many ways parallels processes that exist in European member states, so by any assessment it answers the call."
The official also noted that the ombudsman will have access to independent tools to help maintain objectivity when considering matters of redress. "The ombudsman is able to leverage the independent inspectors-general that exist in each element of the intelligence community, [and] is able to refer matters to the Privacy and Civil Liberties Oversight Board, which is independent" as well, the official said.
Raul was among the co-authors of a 173-page Sidley Austin report in late January that provided a report to EU government officials comparing the legal systems of the U.S. and EU for privacy and data protection. The report was prepared on behalf of the firm's clients.
Another new wrinkle of Privacy Shield, Tene notes, is the DOC being involved in resolving disputes. “The DOC never has been involved in law enforcement before,” Tene observes.
Privacy Shield appears to call for a long process to resolve disputes. Aggrieved consumers will first contact companies that allegedly misused personal data, then complaints will go to European DPAs, which will refer cases to the DOC, which channels it to the FTC. Then there will be arbitration.
European privacy expert Craig Gibson believes enforcement of Privacy Shield will evolve through case law. “A harm floor below which activities are increasingly expensive and class actions operating below it will amount to enforcement, primarily through market forces,” says Gibson. “This will dial up over time as case law accumulates.”
Tene notes there had been European concern that enforcement not be triggered by complaints. “The FTC is not a complaint resolution agency; it chooses what it wants to investigate.”
A lack of resources, says Zoladz, will likely focus enforcement on the “most significant violations.” But Bindseil cautions the “most egregious violators of privacy law both in the U.S. and in the EU will be at risk of punitive action as an example to others. Authorities will likely not stand for any behavior that is seen as flouting the agreement and EU law.”
Edholm doesn't see the pact as the U.S. merely paying lip service to appease Europe. “I believe all companies, and big multinational companies in particular, are worried about offending customers – that's the strongest deterrent against abusing customer data,” he says, adding the ECJ invalidated Safe Harbor because U.S. security laws weren't compatible with European privacy laws.
Respecting privacy rights and investing in the means of protecting data is good business, Bindseil points out. The Privacy Shield recognizes that the U.S. and EU have a vested interest in maintaining a warm trade relationship, he says. “Data is currency in the digital age, and what we see with the rejection of Safe Harbor and the likely adoption of Privacy Shield, are growing pains.”
Privacy Shield's broad political and economic implications are “basically the cornerstone of global trade of the data, online and digital economy,” notes Tene. “That's so heavily dependent on data, you're bound to see these [policy] collisions continue to arise.”
Senior Reporter Bradley Barth contributed to this story.