The New “EU-US Privacy Shield”

Since the European Court of Justice invalidated the fifteen-year-old EU-US “Safe Harbor Privacy Framework” last October, thousands of US companies have been awaiting the results of negotiations between the US government and the European Commission to produce “Safe Harbor 2.0,” a set of protocols to permit the continued flow of personal data between Europe and the US in contexts as varied as ecommerce, social media posts, and the internal management of global corporate groups. Today, the sleep-deprived negotiators announced a framework agreement for an “EU-US Privacy Shield,” two days after an informal deadline for reaching agreement.

The framework agreement is not the end of the story, and it will likely be weeks, at least, before American companies can actually rely on the new program. The Commission must first draft a more detailed “adequacy decision,” which will be approved only after consulting the EU member state governments and representatives of the national data protection authorities (“DPAs”). Moreover, the October court decision makes it clear that the DPAs may also make their own determinations on the adequacy of privacy protection when data are transmitted outside the EU. Their representative “Article 29 Working Group” meets tomorrow and will subsequently issue an opinion on the framework agreement, and it is entirely possible that some national DPAs (or state-level DPAs in Germany) will reject the deal or demand additional conditions. Beyond that, privacy advocacy groups in Europe are already forecasting new court challenges, arguing that the arrangement does not sufficiently rein in electronic snooping by the US government.

According to today’s press release from the European Commission, the new focus is on transparency and recourse for government surveillance, but there is also a commitment to more rigorous enforcement. It does not appear that the substantive elements of the Safe Harbor Privacy Principles will be changed materially, but the US government has reassured the European Commission that the US Department of Commerce will monitor compliance by participating companies and that the Federal Trade Commission (FTC) will enforce their commitments.

The new element in the agreement is an undertaking to control US governmental surveillance of trans-Atlantic communications, which was the aspect of privacy protection that the European Court of Justice found lacking in the old Safe Harbor program. Here is how this undertaking is described in the Commission’s press release:

“For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.”

Moreover, European citizens will have more options for transparency and redress. Companies will be required to respond to questions and complaints within a fixed time period. European DPAs will be able to refer complaints to the Department of Commerce and the FTC. Alternative dispute resolution mechanisms also must be made available to individuals free of charge. Finally, an Ombudsman will be appointed to investigate claims of inappropriate monitoring by US national security agencies.

It should become clearer over the next few days and weeks whether the new deal will be broadly accepted in Europe and provide a satisfactory road forward for the many companies, large and small, that must share data across geographical borders. Meanwhile, companies with international business must continue to rely on other legal bases for transborder data flows, prominently informed consent, transfers necessary for the performance of a contract, data transfer agreements using EU-approved model contract clauses, and, for a few relatively large corporate groups, approved “binding corporate rules.”

All of these may conceivably fall prey to concerns over US governmental surveillance, however, no matter how carefully the companies themselves handle personal information in the course of their business. Thus, the new undertakings by the US government may represent an important step forward in balancing public and private interests in personal information and communications, one that promises to benefit global trade. It is conceivable that more US companies will be attracted to the new EU-US Privacy Shield, if it becomes more widely accepted than other legal approaches precisely because it includes governmental as well as corporate commitments.

This raises some interesting questions:

  • Will the arrangement spread beyond the 28 EU countries? The three non-EU members of the European Economic Area – Norway, Iceland, and Liechtenstein – will presumably be bound by the new version of Safe Harbor, as they were by the old one. Israel also allowed data transfers to US Safe Harbor companies and will probably allow transfers to companies participating in the new EU-US Privacy Shield program. Switzerland adopted its own Safe Harbor program modeled on the EU-US Safe Harbor Framework and is likely to do the same with the new program. It is even possible that other countries with comprehensive data protection laws ultimately could take the approach of approving data flows to the US subject to corporate and governmental Privacy Shield commitments.
  • Will the EU demand similar undertakings from other business partners? Surely, the privacy risks are no less significant when personal data flows from the EU to Russia, China, Iran, or a host of other countries with sophisticated surveillance capabilities and, in many cases, much less transparency and legal recourse. If the governments of those countries are not willing to make similar commitments, will the EU try to block data flows? Will it even ask? Or is the EU approach simply to seek improved privacy protections among the more like-minded liberal democracies?
  • Will the EU apply similar standards for government surveillance in its own territory? In the UK, Parliament is currently revisiting its oversight structure for the GCHQ, a counterpart of the American NSA. Will the resulting scheme parallel in some respects the “EU-US Privacy Shield?” Will similar forms of transparency and redress move forward in Germany, the Netherlands, Denmark, and other countries that reportedly share communications intelligence with the NSA? The recent terrorist attacks in Paris have actually produced broader authorizations for surveillance by French and Belgian police and intelligence agencies, and that trend is reflected in other European countries worried about Islamic State sympathizers and a massive wave of refugees from Syria, Libya, Afghanistan, and other hotbeds of “radical Islam.” The governing parties in several EU member states, such as Poland and Hungary, seem to be riding a wave of nativist reaction to perceived external threats. Will they agree to conform to an EU consensus on the proper limits of electronic surveillance? Is there such a consensus?

The oversight of national intelligence agencies in a democracy is a complex issue of great public importance, one that must necessarily evolve with changing technologies. In this case, that evolution has suddenly accelerated, not through comprehensive public or legislative debate but as the result of a single court decision about storing Europeans’ social media posts on American servers. Even in a digital world, sometimes the tail wags the dog.