The 28 members of the EU may have given their approval to the rejiggered EU-US Privacy Shield Agreement in a Friday vote, but that won't stop the pact from being challenged in court, privacy pros said.
The thumbs-up vote by EU members will move Privacy Shield closer to implementation – with final approval expected early this week – despite concerns expressed by both the Article 31 Working Group (A31WG) and the more detailed critique by the Article 29 Working Group (AWP29).
"It's an encouraging development but I don't think it's the end of the story," Joseph G. Falcone, partner at the law firm of Herbert Smith Freehills New York LLP, told SCMagazine.com. Companies can "take some comfort in [the vote], but can't breathe a full sigh of relief."
The AWP29 in April released its much-anticipated opinion, hailing the proposed accord as showing progress by establishing privacy protections, but contending that it still didn't adequately address the chief issue that got its predecessor, Safe Harbor, tossed by the European Court of Justice – mass surveillance of private citizens.
In response to concerns raised by European data protection and privacy advocates, the EU and U.S. recently made changes to the agreement, including new rules that affect bulk data collection and proposed safeguards governing use of that data, including rules ensuring companies delete data. An independent watchdog, unaffiliated with intelligence agencies, will be appointed, and the U.S. government will issue a statement promising that government bulk collection of data sent by Europe will be "as targeted and focused" as possible.
“Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice. Today's vote by the Member States is a strong sign of confidence,” European Commission VP Andrus Ansip and justice commissioner Vera Jourová said in a joint statement about Friday's vote.
"EU citizens are given new assurances that their personal data will be protected via equivalent means and in a similar fashion as if their personal information remained on servers in the EU. Privacy Shield, according to Commissioner Jourova, now includes 'clear limitations, safeguards and oversight mechanisms' on how personal information is to be protected," Aaron Tantleff, privacy and information security lawyer at Foley & Lardner LLP, said in email correspondence with SCMagazine.com.
American multinational companies had been on tenterhooks regarding data transfer since a European Court of Justice decision in the Max Schrems case led to Safe Harbor's demise. Friday's nod from the EU member states will likely assuage some of their concerns that they would be left to figure out the complexities of data transfer.
“The approval of Privacy Shield, an arrangement facilitating commercial data flows between the EU and U.S., concludes a process set off by the Snowden revelations about the extent of security agencies' access to communications data,” Omer Tene, vice president of research and education at the International Association of Privacy Professionals (IAPP), said in comments sent to SCMagazine.com. “Companies were caught between strong government interests on both sides of the Atlantic, increasing risk and legal costs.”
With an important phase of the Privacy Shield approval process behind them, Europe and the U.S. can turn their attention "to the upcoming implementation of GDPR [General Data Protection Regulation] and Brexit [Britain's recent referendum to exit the EU]," Tantleff said, noting that the EU economy depends on virtual information and that all parties should remember that the rapidly growing trans-Atlantic digital trade currently hovers around $250 billion annually.
The current pact "includes commitments by both self-certifying companies and the U.S. Government, [and] will mitigate uncertainty and risk and increase trust in the global digital economy," Tene said, though "companies will need to train and educate a workforce on basic principles of privacy and data protection."
Still, the agreement will likely be adjudicated despite its importance and promises by U.S. authorities to respect and protect data privacy. It's "highly anticipated," Tantleff said, that "Privacy Shield will be challenged given that Schrems and others have stated that 'any legal basis will be subject to invalidation or limitations under EU fundamental right.'"
Though its comments were nonbinding, WP29 had said that while it appreciated the efforts of negotiators, it believed "Privacy Shield didn't go far enough in protecting EU-generated data from bulk collection by U.S. intelligence agencies," Falcone said, noting that the U.S. had offered assurances and did pass the Judicial Redress Act, which was designed to address that concern.
Tantleff did concede that "perhaps some steam was let out of the potential challenge as Privacy Shield has 'ruled out indiscriminate mass surveillance of European citizens' data,'" saying a main challenge "has just been put to bed."
But other challenges will come from data protection authorities and activists, "such as the fact that Privacy Shield, like Safe Harbor, relies on self-certification for compliance," Tantleff said. "In addition, the European Data Protection Supervisor, [Giovanni] Buttarelli, noted a number of concerns, and questioned whether Privacy Shield would be strong enough to stand up."
Someone, Falcone said, "is going to start a legal challenge" that claims "judicial redress doesn't give EU citizens the same protection as U.S. citizens."
Or, a challenge in Ireland's High Court in Dublin "relating to a decision by the Data Protection Commissioner on EU-US data transfer channels still remains," Tantleff said. "That challenge may wind its way all the way up to the European Court of Justice to decide whether the Standard Contractual Clauses that provide legitimacy to many existing trans-Atlantic data transfers are legal."
The Privacy Shield likely will be impacted by the eventual Second Circuit Court ruling in a case in which Microsoft is notably locked in a battle with the Justice Department over its attempts to obtain customer email stored on a server in Ireland.
Microsoft refused to hand over the emails, saying that the US has no power to demand that data, as it is held in another country and well outside of its jurisdiction. In April 2014, a federal judge ordered Microsoft to cough up those records, to which Microsoft gave largely the same answer as before, and it was found in contempt of court. The case has been languishing in the Second Circuit appeals court since September 2015, awaiting a decision. "The real concern coming out of the EU is U.S. authorities' ability to access data," said Falcone. "How might that decision [in the Second Circuit] figure into Privacy Shield?"
With a number of cases pending, Privacy Shield "may be in for some choppy waters in crossing the Atlantic," Tantleff said.