Published by The Lawfare Institute
There’s a lot going on in the privacy and data protection world. But one of the most pressing issues is the uncertain fate of Privacy Shield, the framework governing the flow of data between the EU and the U.S. for commercial purposes.
The Trump Administration has been given an ultimatum: comply with Privacy Shield, or risk a complete suspension of the EU-U.S. data sharing agreement. In a letter dated July 26, EU commissioner for justice Věra Jourová suggested to U.S. commerce secretary Wilbur Ross that suspension of the EU-U.S. Privacy Shield system would incentivize the U.S. to comply fully with the terms of the agreement. But Jourová’s urging that Ross “be smart and act” in appointing senior personnel to oversee the data sharing deal is hardly new. The July letter closely echoes a European Parliament (EP) resolution passed just three weeks earlier, and the European Commission (EC) voiced similar sentiments in its review of the Privacy Shield Framework last September. Further adding to the chorus of voices raising concerns about Privacy Shield compliance are tech and business groups, which jointly called for the nomination of a Privacy Shield ombudsperson in an Aug. 20 letter.
In addition to admonishing the EC’s failure to hold the U.S. accountable thus far, the EP resolution calls for a suspension of Privacy Shield if the U.S. has not fully complied by Sept. 1—though no such suspension has yet been announced. It also expresses serious concerns regarding the U.S.’s recent adoption of the Clarifying Lawful Overseas Use of Data (Cloud) Act and the legislation’s potential conflict with EU data protection laws. With the General Data Protection Regulation (GDPR)—the EU’s new regulatory regime for the protection of individual data—having come into effect on May 25, 2018, the EP considers the EC in contravention of GDPR Article 45(5). This article requires the EC to repeal, amend, or suspend an adequacy decision, to the extent necessary, once a third country no longer ensures an adequate level of data protection; the EP calls for such a suspension to remain in place until the U.S. authorities comply with the framework’s terms.
So what led to this ultimatum, and what’s next on the global data protection stage?
Privacy Shield: The Basics
Operational since Aug. 1, 2016, the EU-U.S. Privacy Shield is the framework for transatlantic data flow for commercial purposes between the EU and the U.S. To rely on Privacy Shield to effectuate data transfers from the EU, participating organizations must self-certify to the U.S. Department of Commerce their adherence to 23 principles laying out the requirements for the use and treatment of personal data received from the EU, as well as access requests and recourse mechanisms for EU citizen complaints. Organizations that are Privacy Shield-certified are deemed to provide “adequate” privacy protection to personal data transferred outside of the EU under the EU Data Protection Directive, which has since been superseded by GDPR.
After the European Court of Justice (ECJ) invalidated Safe Harbor—the previous EU-U.S. data sharing framework—in its October 2015 Schrems decision, the U.S. Department of Commerce and the EC created Privacy Shield to provide companies with a revised mechanism for data protection compliance when transferring data to the U.S. from the EU. Privacy Shield was crafted to enhance data protection after the demise of Safe Harbor; the agreement includes limitations on data retention, accountability for onward transfers, an Ombudsperson for redress by EU individuals in relation to the transfer of their data to the U.S., and more regular and rigorous monitoring by the Department of Commerce. Ultimately, in a July 2016 decision, the EC found that Privacy Shield does in fact ensure an adequate level of protection for EU to U.S. personal data transfers.
Both the 2016 adequacy decision and Privacy Shield itself commit to an annual EC review of the framework to ensure the adequacy of protection for data transfers. The first annual review took place on Sept. 18-19, 2017. While the EC’s first annual report ultimately determined that Privacy Shield ensures an adequate level of data protection, it also made a number of recommendations to improve the implementation of the framework. These recommendations include prohibiting companies from publicly referring to their Privacy Shield certification before the Department of Commerce finalizes that certification, in order to suppress discrepancies between the department’s internal list and publicly available information—thus minimizing uncertainty for companies in the EU that want to transfer data to the U.S. and preventing companies from undermining the credibility of the whole framework via unilateral action.
The EC also recommended enshrining the protections of Presidential Policy Directive-28 (PPD-28) in the Foreign Intelligence Surveillance Act (FISA), reasoning that the debate on the reauthorization of FISA Section 702 provided Congress a unique opportunity to strengthen FISA’s privacy protections, including those with respect to non-U.S. persons. While the debate ultimately resulted in the passage of a six-year reauthorization that did not fully incorporate PPD-28, the FISA Amendments Reauthorization Act of 2017 did result in “some significant changes to 702,” and PPD-28 remains untouched (even after an apparent Trump Administration review).
Finally, the EC recommended swift appointment of the Privacy Shield ombudsperson and members of the depleted U.S. Privacy and Civil Liberties Oversight Board (PCLOB) because of their important functions in the Privacy Shield framework and in the protection of privacy and civil liberties. The EC also called on PCLOB to release its yet-unpublished report on the implementation of PPD-28 given the directive’s relevance for the safeguards applying to government access for signals intelligence. Privacy Shield is due for its second annual review this October.
The Schrems Litigation
Meanwhile, Maximilian Schrems, the plaintiff whose case brought down the Safe Harbor agreement, now has Privacy Shield in his crosshairs. In what has been deemed “Schrems 2.0,” Schrems has updated his complaint to challenge the way personal data is transferred from the EU to the U.S. under standard contractual clauses (SCCs) subject to U.S. surveillance law. SCCs are EC-approved model clauses creating contractual obligations between data controllers and data processors that govern the transfer of data. After the invalidation of Safe Harbor and before the approval of Privacy Shield, businesses relied on SCCs for data transfers. Schrems specifically alleges that when his personal data is transferred to the U.S. within this SCC regime, it is “made available to US government authorities under various known and unknown legal provisions and spy programs such as the ‘PRISM’ program.”
U.S. legal experts filed testimony in this case in October and November 2016, and the Irish High Court held a trial in February and March 2017. On Oct. 3, 2017, the court found that the Irish Data Protection Commissioner (DPC) has “well founded grounds for believing that the SCC [standard contractual clauses] decisions are invalid,” with High Court Judge Caroline Costello asserting that it is “extremely important that there be uniformity in the application of the [Data Protection] Directive throughout the [European] Union on this vitally important issue.” Understanding that there were two options available to her—referring the situation to the ECJ as requested by the DPC, or dismissing the proceedings—Judge Costello picked the first option and decided to refer questions on issues of interpretation of European law to the ECJ. The Irish High Court finally submitted its questions—eleven, to be exact—in April. As Chris Mirasola describes, the ECJ must jump through a number of hoops in adjudicating these eleven questions as a matter of EU law before the Irish High Court can proceed in Schrems 2.0.
If Schrems is successful in this case, the implications of the decision will reach beyond Facebook and SCCs. The Irish High Court and eventually, on appeal, the ECJ are likely to address the adequacy of underlying U.S. surveillance and privacy law—the same law that applies to data transferred under Privacy Shield. The Irish High Court highlighted the connection in its referred questions, asking whether Privacy Shield provides remedy to data subjects whose data was transferred via SCC; whether Privacy Shield creates an obligation that the U.S. “ensure an adequate level of protection...by reason of its domestic law or of the international commitments it has entered into”; and if not, how Privacy Shield is relevant to the SCC regime.
The GDPR is an EU data protection and privacy regulation controlling how international businesses protect EU and EEA citizens’ personal data. Aiming to give citizens control over their personal data, the GDPR allows data transfers to third countries or international companies only when the relevant processor or controller—that is, the entity that determines the purposes, conditions or means of data processing—has fully complied with the GDPR’s privacy and data protection requirements.
The implementation of GDPR adds a new dimension to compliance under Privacy Shield, but it doesn’t immediately put Privacy Shield in danger. Chapter V of GDPR governs the legality of transfers of personal data to third countries and allows for the transfer of data to a third country when the EC decides that “a third country...ensures an adequate level of protection” or when there are appropriate safeguards in place. As previously mentioned, the EU-U.S. Privacy Shield framework received its adequacy decision in July 2016—and the GDPR, under Article 45, does not automatically invalidate previous adequacy decisions. In other words, this adequacy determination should stand until the EC decides that the framework doesn’t provide adequate protection anymore.
But the definition of “adequate” protection is now measured against the terms of GDPR, and those terms are both more stringent and more expansive than those of the GDPR’s predecessor. GDPR’s increased penalties, added obligations, and extraterritorial reach made the initial launch across the EU in May a matter of global concern. In July, GDPR went into effect in Iceland, Liechtenstein and Norway (the European Economic Area states of the European Free Trade Association). Separately, Switzerland has begun the process of revising the Swiss Federal Data Protection Act to align more closely with the GDPR. Because Switzerland is a sovereign nation outside of both the EU and the EEA, it and the United States have their own agreement, the Swiss-U.S. Privacy Shield, which mirrors the EU-U.S. Privacy Shield agreement. The interaction between the Swiss-U.S. Privacy Shield and the Swiss Federal Data Protection Act will likely parallel the dynamic between the EU-U.S. Privacy Shield and GDPR.
While the terms of Privacy Shield certification are a good start toward GDPR compliance, GDPR’s requirements exceed those of Privacy Shield. U.S. companies looking to handle EU personal data may still look to self-certification under Privacy Shield as a way to fulfill legal requirements, but these companies will likely also pursue compliance with GDPR requirements. In general, if these two regimes are both working properly, they should work in tandem—though they are not interchangeable. But Privacy Shield is not out of danger.
The newly-minted European Data Protection Board (EDPB) made note of the importance of Privacy Shield in its plenary meetings this summer. The board, a product of the GDPR and the successor to the Data Protection Directive’s Article 29 Working Party, comprises EU Member States’ data protection authorities, the European Data Protection Supervisor, and the European Commission. It invited Ambassador Judith Garber, the acting United States Ombudsperson for national security complaints under Privacy Shield, to its second plenary meeting, but wrote that it did not receive “a conclusive answer” to the concerns raised by the EC and the WP29 in the last Privacy Shield review, mentioned above. The board anticipates that the issues “will remain on the top of the agenda during the Second Annual Review.” The third EDPB plenary session will be held on Sept. 25 and 26, 2018, right before Privacy Shield’s second annual review.
Other Concerns for Privacy Shield
There are a handful of other U.S. security issues simultaneously chafing the EU. Perhaps most prominently, the EP mentioned the Facebook-Cambridge Analytica data scandal as an example of why Privacy Shield requires better monitoring—both Facebook and Cambridge Analytica were self-certified. Members of the EP have called for U.S. and EU investigations into the issue in the context of the framework.
Another concern is the Cloud Act—recent U.S. legislation that facilitates specific types of law enforcement requests for data of non-U.S. individuals from U.S. companies outside of the framework of Mutual Legal Assistance Treaties (MLATs). In the same resolution in which it levied the Privacy Shield ultimatum, the EP mentioned that it has concerns about the Cloud Act allowing U.S. authorities to “target and access people’s data across international borders without making use of the [MLAT] instruments,” thus creating a potential conflict with EU data protection laws. While the Cloud Act isn’t immediately pertinent to Privacy Shield—it more likely complicates our EU-U.S. Data Protection Umbrella Agreement, which deals with law enforcement data cooperation instead of commercial data transfers—its mention in this ultimatum says volumes about the EU’s stance toward U.S. data protection writ large.
Assuming the United States does not make dramatic changes before Sept. 1, the U.S. will likely hear more chastising from European regulatory bodies. If Privacy Shield is suspended pursuant to the June EP Resolution and Jourová’s letter, then expect protracted negotiations for modifications to, or replacements for, the agreement. Naturally, larger geopolitical questions like the future EU-U.S. trade deal may play a role in those negotiations. If the EC was bluffing about suspension, the aforementioned Schrems litigation may take care of the issue for them.
Then there’s a trend that may or may not be driven by the status of Privacy Shield: U.S. domestic privacy legislation. California legislators recently passed the California Privacy Act, perhaps a sign of a nascent push for more privacy protections within the United States. And in response to the Facebook-Cambridge Analytica debacle, several members of Congress have drafted federal regulations mirroring the GDPR, suggesting that U.S. standards may converge on EU principles.
There are a number of moving pieces in the global privacy regulation world—and if European data privacy regulations take the day, they could influence more than just multinational corporations with EU customers. The immediate tug-of-war between the U.S. and the EU on the validity of Privacy Shield will signal quite a bit about the strength of the EU’s convictions and the future of global privacy legislation.