At least two levels of approval within the European Union are required for adoption of the Draft Framework Principles for the EU-US Privacy Shield, the program proposed to replace the EU-U.S. Safe Harbor mechanism for transferring personal data from the European Union to the U.S. The California litigation involving the FBI’s request for a court order directing Apple to write software that would permit the FBI to unlock the phone is one factor that may threaten, or at least influence, approval of the Privacy Shield.
U.S. multinational organizations, then, have another reason to be wary of how their data transfers from Europe, which is the core of many businesses, will be affected by uncertainty that promises to continue for some time.
The Shield has already endured its share of criticism, including the Shield’s lack of provisions for mandatory limits on U.S. surveillance of the sort of information disclosed by Edward Snowden, which was a primary basis for the decision in Schrems v. Data Commissioner that invalidated the old Safe Harbor program. Jan Phillipp Albrecht, the data protection spokesman for the Greens in the European Parliament (the body that must approve the Privacy Shield) stated on February 29, “The new ‘Privacy Shield’ framework appears to amount to little more than a remarketed version of the pre-existing Safe Harbour decision, offering little more than cosmetic changes. It seems highly questionable that this new framework addresses the concerns outlined by the European Court of Justice in ruling the Safe Harbour decision illegal.” Max Schrems, the Austrian law student who brought the case that took down Safe Harbor, and not one for subtlety, called the Shield “ten layers of lipstick on a pig.”
A decision in favor of the government in the Apple litigation in California will only reinforce such concerns which were also stated by The Wall Street Journal, a publication now known for left-wing views and no particular friend to Silicon Valley. In an editorial on March 2, the publication raised concerns that granting the FBI’s motion would provide a door to every piece of data on every iPhone in the U.S.
At a minimum, the uncertainty about U.S. government surveillance capabilities as exemplified in the Apple matter will serve to delay full approval of the Shield, and perhaps result in more stringent controls over data flows from Europe to the U.S. Multinational organizations should consult with their information specialists and counsel as to how best to assure these flows in these uncertain times.
If you have questions on laws and regulations regarding information transfers between Europe and the United States, please contact Kenneth N. Rashbaum.