European Parliament Votes to Suspend the EU-U.S. Privacy Shield
By Jay F. Kramer and Sean B. Hoar
On July 5, 2018, the European Parliament voted to suspend the EU-U.S. Privacy Shield Framework (Privacy Shield), an agreement between the United States and the European Union regarding the obligations of U.S.-based companies to protect Europeans’ personal data. The Parliament’s resolution calls for the European Commission (the executive arm of the EU) to suspend the existing EU-U.S. data-sharing deal “unless the U.S. is fully compliant” with its terms by September 1, 2018, the date of the Privacy Shield’s next annual review.
The EU’s call to suspend the Privacy Shield now casts doubt on the viability of one of the primary mechanisms for U.S. corporations to ensure compliance with EU data privacy law. In addition, its passage, just six weeks after enhanced privacy protections went into full effect under the new General Data Protection Regulation (GDPR), may signal enhanced EU privacy enforcement efforts against U.S. organizations.
History of the Privacy Shield
Since 2016, certification under the Privacy Shield has provided U.S. organizations engaged in transatlantic commerce with the means to demonstrate compliance with EU data protection law. It has allowed a measure of predictability and reliability to EU-U.S. commerce, and an assurance to U.S.-based organizations that they will not face enhanced EU regulatory scrutiny or potential EU fines or sanctions for non-compliance.
The EU and the U.S. adopted the Privacy Shield in 2016, in direct response to an adverse legal ruling on October 6, 2015 by the Court of Justice of the European Union (CJEU) in the case Maximillian Schrems v. Data Protection Commissioner (CJEU Case C-362/14). In that matter, Max Schrems, an Austrian lawyer and privacy advocate, filed a complaint against Facebook, which was incorporated in Ireland, to prohibit Facebook’s transfer of personal data from Ireland to the U.S. The suit was brought by Schrems in the wake of several disclosures made by former National Security Agency (NSA) employee Edward Snowden, including a specific allegation that Facebook USA participated in the NSA’s PRISM surveillance/bulk collection program.
On September 23, 2015, the CJEU ruled in Schrems’ favor, declaring a prior EU-U.S. data protection agreement – the Safe Harbor Framework – invalid. In response, the U.S. and the European Commission (“EC”) began negotiating a replacement for the Safe Harbor Framework, and on July 12, 2016, U.S. Secretary of Commerce Penny Pritzker and EU Commissioner Věra Jourová announced the approval of the EU-U.S. Privacy Shield Framework. The Department of Commerce began accepting Privacy Shield compliance certifications on August 1, 2016.
Suspension of the Privacy Shield and GDPR Compliance
Under the broad-reaching requirements of the EU’s new GDPR, organizations must not transfer the personal data of EU data subjects outside the EU unless the transfer is to a third country or territory determined by the EC to afford EU personal data an “adequate level of protection.” In light of persistent allegations that the U.S. has not appropriately respected the privacy rights of EU data subjects, the U.S. is not one of the countries deemed by the EC to afford adequate protection for EU personal data. Therefore, U.S.-based organizations must separately demonstrate adherence to EU data privacy and protection principles. If certification to requirements of the Privacy Shield is suspended in September 2018, U.S. organizations must establish a new legal basis to provide for ongoing transatlantic data transfers. These compliance mechanisms might include adoption of EC-approved “Standard Contract Clauses” or the development of sector-specific codes of practice or other certification schemes. Regardless of the alternative means adopted, the effect will likely be that U.S.-based organizations will have to expend time and resources to ensure continued EU data transfer compliance.
As Commissioner Jourová announced during the last review of the Privacy Shield in 2017, "transatlantic data transfers are essential for our economy, but the fundamental right to data protection must be ensured also when personal data leaves the EU. Our first review shows that the Privacy Shield works well, but there is some room for improving its implementation. The Privacy Shield is not a document lying in a drawer. It's a living arrangement that both the EU and U.S. must actively monitor to ensure we keep guard over our high data protection standards."
The European Parliament’s resolution last week reinforces the need for active monitoring of the Privacy Shield and the potential renegotiation and strengthening of its provisions. Interestingly, while Facebook played a central role in the Schrems decision and the invalidation of the Safe Harbor Framework, the furor over its release of data to Cambridge Analytica may play a central role in the debate by the EC this fall. At stake for U.S.-based organizations will be whether the Privacy Shield remains a viable means to afford adequate protections for EU data or if it will meet the fate of the prior Safe Harbor Framework.
Regardless of the outcome of this fall’s review of the Privacy Shield, U.S.-based organizations that are established in the EU, or that offer goods and services to residents of the EU, would be well served to evaluate all current data handling processes including data security, storage, transfer, and retention – and ensure compliance with other required data privacy schemes (GDPR, California Consumer Privacy Act, etc.) and information security frameworks (National Institute of Standards and Technology Special Publication 800-53 Rev. 4, ISO 27002, etc.). This should ensure compliance with current EU and U.S. data privacy law, and establish a solid foundation from which to respond to future changes in the evolving global data privacy law landscape.