Hear that whoosh sound? That's U.S. companies collectively breathing a sigh of relief after details of the recently inked U.S.-EU Privacy Shield pact emerged in late February.
For 15 years, more than 4,400 American companies had followed the Safe Harbor guidelines for the transference of data originating in Europe. But once the Court of Justice (ECJ), Europe's highest court, ruled Safe Harbor invalid last Oct. 6, following a complaint by Max Schrems, an Austrian privacy activist, who argued that U.S. mass surveillance programs, as revealed by Edward Snowden, were in violation of the basic privacy rights of European citizens, the EU and U.S. scrambled to create a new legal framework to better protect residents' data and meet Europe's stringent privacy requirements.
The Privacy Shield replacing the self-certification Safe Harbor is the result of reportedly “heated” negotiations since the court ruling between U.S. and EC officials. With the draft text now released, European review entities, such as the Article 29 Working Party, will scrutinize the framework and possibly ask for changes. The text details a sign-up process for American companies desiring to abide by the pact's principles.
Four primary components include assurances that supervision mechanisms would be in place “to ensure that companies respect their obligations, including sanctions or exclusion if they do not comply.”
Second, the U.S. government pledged that any “access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.” That language specifically addresses a key ECJ concern: NSA's widespread collection of EU citizens' personal data.
However, the NSA still held out its right to use data collected in bulk for six situations. This requirement may put the agreement at risk as the ECJ argues that it compromises “the fundamental right to respect for private life.”
Following ratification of the Privacy Shield, businesses in the U.S. would be obligated to be more responsive to complaints from Europeans objecting to use of their data and U.S. businesses would need to be more vigilant in maintaining their processes.
In late March, a senior official from the U.S. Department of Commerce (DOC), speaking on condition of anonymity, told SC Magazine in an interview that "We think the agreement was a real achievement for privacy" and that he thinks the European Commission will "end up supporting and framework and we'll see it approved."
“We'll need to see how it plays out with U.S. law,” says Omer Tene, VP of research and education at the International Association of Privacy Professionals (IAPP), who, as a U.S. lawyer, is eager to review the text carefully to “reflect on how the paradigm shifted compared to the Safe Harbor.”
Alan Raul (left), partner with the Washington, D.C. law firm Sidley Austin, says the it should satisfy the new requirements and safeguards sought by the ECJ's criteria in Schrems.
That ruling simply served as a catalyst for the EU and U.S. to address EU concerns about the Safe Harbor have persisted for years. Chris Zoladz, founder of Navigate LLC, a Germantown, Md.-based privacy consultancy, believes the U.S. DOC and Federal Trade Commission (FTC) are committed to preserving that the transatlantic flow of personal data is beneficial to U.S. and EU multinational companies.
And James L. Bindseil, CEO of Globalscape, a San Antonio, Tex.-based firm, points to an “erosion of trust” between the EU and U.S. following Snowden's disclosures.
Privacy professionals weren't surprised the European court invalidated Safe Harbor because the Snowden revelations really placed a question mark on its fate, says the IAPP's Tene. “The stars were aligned in Europe to terminate Safe Harbor.”
Yorgen Edholm, CEO of Palo Alto, Calif.-based Accellion, says the pact is a “noble” attempt to bridge differences in legal structures between the two continents, but “because the legal frameworks are not in sync, purists will always be able to point at incompatibilities where different laws step on each other.”
“[European] data protection authorities (DPA) will retain a continued role,” Raul says, adding the FTC will enhance its intake process for complaints and increase resources for that purpose.
In regard to concerns by EU citizens over national security surveillance-type information transferred to the U.S., the State Department is appointing an ombudsperson to help adjudicate any complaints. “The DPAs have said there were a larger number of complaints referred to the FTC, but there's no evidence of that,” adds Raul, noting the agency had received only four complaints from European protection authorities in 15 years of Safe Harbor.