Privacy Shield FAQs

By Jonathan Armstrong
jonathan.armstrong@corderycompliance.com

The European Commission concluded more than six months of negotiations both within the EU institutions and with the US this morning with the announcement that agreement had been reached on the Privacy Shield scheme to transfer data from the EU to the US.

These FAQs look at our initial thoughts on Privacy Shield.  We use some technical terms which are explained in our glossary here.

What is Privacy Shield?

The Privacy Shield scheme was proposed in February 2016 to replace the Safe Harbor scheme which was struck down by the European Court in the first Schrems case (sometimes known as Schrems 1) in October 2015.  We gave background to the collapse of Safe Harbor and the announcement of Privacy Shield in our alert on 3 February 2016 here.

Why did it take so long?

As we said in February the announcement of the creation of Privacy Shield was premature.  It became apparent soon after the announcement that the February deal was, at best, a deal to do a deal.  An announcement had to be made in February as a deadline set by the Article 29 Working Party (often known as WP29) had expired at the end of January.  In February the European Commission said that they hoped that Privacy Shield would be finalised by the beginning of May.  Even that seemed ambitious in part because of the criticism that Privacy Shield received from WP29 in April.  You can see a summary of WP29’s criticisms of Privacy Shield in our alert and short film here.

Is there still opposition to Privacy Shield?

Yes.  Whilst we are yet to see whether WP29 are any happier with the extra concessions the Commission say they have secured from the US Government, the Privacy Shield deal will still have its critics.  There seems to be confusion as to whether the US administration can deliver its side of the bargain, especially when recent court cases in the US are perceived to have undermined the rights of individuals.  Since some of the US side of the deal relies on instructions from the current administration, there is also uncertainty as to what a change of administration in the US in January 2017 will bring.

Will Privacy Shield be protected by GDPR?

No.  Privacy Shield is not referred to in GDPR, although one of the other methods of data transfer, Binding Corporate Rules (or BCRs), is.  The European Commissioner promoting Safe Harbor, Věra Jourová, said this morning that Privacy Shield would be reviewed prior to GDPR coming into force, since it was a clear requirement that the US had ‘equivalent’ protection and this protection was likely to have to be improved once GDPR set the bar higher.

When does Privacy Shield come in?

The European Commission say they intend it will come in today.  Companies can join the scheme from 1 August 2016.

If I join Privacy Shield will the US authorities play a greater role?

Almost certainly.  There is likely to be much more supervision by the US authorities than there was under Safe Harbor.  It is not true to say there was no Safe Harbor enforcement (for example we looked at the investigation into TRUSTe here) but the European Commission are promising tougher enforcement.  This morning the Commission said on this:

“under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list.”

Is Privacy Shield bulletproof?

Probably not.  Penny Pritzker, the US State Secretary of Commerce, said in announcing the deal this morning that she thought it would ‘withstand scrutiny’ and that she had been speaking with the chair of WP29 to try and reduce her concerns.  Commissioner Jourová also said she was confident it would survive a court challenge.

In our view it is unlikely that the concerns about Privacy Shield will disappear so quickly.  In addition there are rumours that Austria, Bulgaria, Croatia and Slovenia abstained from the Article 31 vote and it could be that Regulators from some of those countries may also take an interest. Privacy Shield is certainly open to challenge in the same way as Safe Harbor was.  In effect its legal status is similar to Safe Harbor – an adequacy finding from the European Commission.  There have been indications of likely court challenge already and the Schrems 1 case tells us that regulators must have more independence to investigate their concerns.  We are likely to see investigations from some of the German Regulators who have already taken Safe Harbor enforcement action (see for example our alert in June here).

In addition there is currently likely to be a challenge to the European Court of Justice (the ECJ) over model clauses.  We reported on this case, sometimes known as Schrems 3, in May.  There were court hearings in the Schrems 3 case last week and we understand that counsel for the Irish Data Protection Commissioner flagged the fact that those proceedings might need to be amended to accommodate the inclusion of Privacy Shield.  In effect it seems that the intention from the Irish Data Protection Commissioner would be that the ECJ looks at the legality of the model clauses and Privacy Shield together.  The Schrems 2 litigation is not immediately relevant to Privacy Shield, but you can find background on that case here.

Whilst a challenge does seem likely, there is no guarantee that it would succeed.  A differently constituted court on a different day may be more willing to uphold Privacy Shield, especially with the extra effort that both the EU and US have made this time around.  Whatever the result, however, there is likely to be uncertainty since a court hearing may still be 2 years away.

As well as possible challenges from courts and regulators it should be remembered that Privacy Shield has a one-year shelf-life before being renewed.  The European Parliament in particular is likely to be looking carefully at the scheme’s first year and may challenge its renewal in 2017.

Should I even consider Privacy Shield for my business?

Probably.  Despite its faults those companies who were in Safe Harbor might find Privacy Shield fairly easy to achieve.  It could have some role as part of a mix of compliance measures, although it is unlikely to provide a complete solution on its own.  It would be wise to look at the scheme to do a cost-benefit analysis.  Privacy Shield is likely to be more costly than Safe Harbor – in part due to higher arbitration costs – but may demonstrate a level of compliance to some of your customers.

What about Brexit?

There was a question at this morning’s press conference to Commissioner Jourová about the effects of Brexit and any likely adequacy decision for the UK.  Commissioner Jourová said it was too early to answer this question.

Due to the initial two-year time frame for the Brexit negotiations (which have yet to commence), Privacy Shield will apply to data transfers from the UK at least until any eventual withdrawal from the EU.  Equally, GDPR will also apply.  There is more information on the effects of Brexit on data protection, data transfer and data security in our film here.

What can I do?

In short, to get started, the following are possible actions to take:

  • Have a plan for data transfer – we have seen from some of the enforcement cases that the lack of a plan is likely to cause difficulties when regulators ask questions;
  • Review Privacy Shield to see if it might work for you – even a system subject to a challenge may be useful for you;
  • Look again at your data flows to determine the following: what information travels outside of the EU and on what basis? Is it inter-group or is it to third parties? What steps are already in place to make those data flows lawful? You may be able to alter your current data practices to reduce your risk;
  • Consider the other options available to your business including model clauses (recognizing they are also subject to challenge) and BCRs. BCRs do have a new footing in GDPR and may be more resistant to challenge.  BCRs will not be the answer for everyone however;
  • Review your privacy policy. Some organisations have not reviewed their policy since the fall of Safe Harbor in October 2015.  Whichever way you make your data transfers lawful you should still be reflecting your current practices in your privacy policy.

Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues.