Nine months after the invalidation of the EU-US Safe Harbor program left multinational businesses in a data transfer quandary, the European Commission (EC) approved its replacement, the EU-US Privacy Shield, on July 12, 2016. Caution and some confusion predominated over rapture.
The Court of Justice of the European Union (CJEU) invalidated the Safe Harbor program, under which companies could self-certify to certain principles of EU data protection and thereby send protected data from the EU to the U.S. with relative ease, in October 2015. The court ruled that Edward Snowden's disclosures regarding mass surveillance of the data of US citizens and non-citizens alike rendered the EC's 2000 decision that the Safe Harbor program afforded European-style levels of privacy protection invalid. More than 4,000 companies were registered with Safe Harbor, and their information flow business processes were thrown into chaos. Many turned to Model Contract Clauses, data transfer agreements in which the signatories agree to clauses reflecting EU privacy safeguards. Others tried to sneak continued Safe Harbor transfers past the local data protection authorities. Not so fast, though: the data protection authority of Hamburg, Germany caught on and fined three multinationals, Unilever, Adobe and Punica.
The EU-US Privacy Shield will, in many ways, resemble Safe Harbor and, it is hoped, will result in similar efficiencies in transferring data from the EU to the US. Registration will be through a Department of Commerce website, self-certification to privacy principles will be required, and the Federal Trade Commission will be empowered to handle complaints involving false certifications and failure to abide by the principles, though this time the FTC's oversight will have sharper teeth.
But the Shield comprises important differentiators, including a commitment to limit mass surveillance, appointment of a State Department Ombudsman for surveillance complaints and defined mechanisms for redress for EU citizens who believe their data was inappropriately used or disclosed by the US recipient.
So where is the joy? Max Schrems, the Austrian law student who brought the case that took down Safe Harbor, and others have criticized the oversight components of the Shield, the complex nature of its redress processes, and the limited protection afforded by its purpose-limitation provisions, which are meant to restrict use of the data to the purpose for which it was collected.
Schrems and others have indicated that a challenge to the Shield is likely, given what they believe to be the program's failure to meet the criteria the CJEU set out in the case that struck down Safe Harbor. Shield registration is not yet open, as regulations, registration procedures and oversight criteria must still be hashed out. Businesses will sign up for the program, but would be well advised to have a "Plan B" in place in the likely event of a court challenge, so that they may continue the transatlantic data transfers that are the lifeblood of multinational business.
If you have questions regarding the Shield and other data transfer mechanisms, please contact Kenneth N. Rashbaum.