European Union data protection law restricts the transfer of EU-origin personal data to countries outside the European Economic Area unless there is a mechanism in place to ensure an adequate level of protection of the personal data.
In 2000, the European Commission approved the EU-US Safe Harbor Privacy Principles, which allowed many U.S. companies to voluntarily opt into a program that, with a self-certification of certain privacy processes and principles, allowed the companies to receive EU-origin personal data in compliance with EU law. The Safe Harbor provided a relatively easy way to meet the “adequacy” requirements of the EU data protection authorities. Other mechanisms to enable data transfers to the U.S., including binding corporate rules and the use of signed standard contractual clauses, impose a significant administrative burden on companies doing regular business in the EU.
In October 2015, the European Court of Justice abruptly invalidated the Safe Harbor framework based, in part, on the disclosure by Edward Snowden of previously undisclosed surveillance of electronic communications by U.S. intelligence agencies. This decision led to a mad scramble by U.S. companies to find another way to legally receive and process EU-origin personal data.
Nine months later, in July 2016, EU member states approved a new framework (the EU-US Privacy Shield) with stronger provisions to address the concerns that led to the invalidation of the previous Safe Harbor Principles. To date, over 3,000 U.S. companies have self-certified their acceptance of the requirements of the Privacy Shield.
During the review and negotiations of the Privacy Shield, EU data protection authorities issued an opinion identifying three areas of concern:
- The Privacy Shield does not require organizations to delete personal data when it is no longer needed;
- The U.S. government does not “fully exclude the continued collection of massive and indiscriminate data”; and
- It was unclear whether the newly appointed Ombudsperson, who is to oversee enforcement of the Privacy Shield, had sufficient powers to function effectively.
These concerns were echoed by the European Data Protection Supervisor, whose May 2016 opinion identified specific changes to provide better assurance that the protection of EU data in the U.S. would meet the requirements of EU law, including the General Data Protection Regulation.
Concerns about the “collection of massive and indiscriminate data” continue. In its first annual review of the Privacy Shield, the European Commission reaffirmed that the Privacy Shield was offering adequate protection, but the Commission made a number of recommendations to improve the protection, including, among others:
- Closer monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce; and
- Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28) into the Foreign Intelligence Surveillance Act (FISA).
Since the European Commission’s annual report in late 2017, the U.S. passed the CLOUD Act, allowing police to access personal data stored outside U.S. boundaries; Facebook revealed that Cambridge Analytica collected personal information of 87 million Facebook users (including 2.7 million European citizens); and Exactis disclosed a breach of 340 million records including sensitive personal information.
Not surprisingly, in early July the European Parliament adopted a non-binding resolution calling for the Privacy Shield to be suspended by September 1 unless the U.S. is fully compliant with EU data protection rules. Although this vote was non-binding, it suggests that the next annual Privacy Shield report card from the European Commission this October may go from “needs improvement” to “failed”.
The Financial Times reports that the EU Commissioner for Justice wrote to the U.S. Secretary of Commerce in late July, demanding progress toward reaching compliance with the Privacy Shield requirements (appointing an ombudsman) by October. Lest there be any doubt about the seriousness of the issue, Commissioner Jourova commented, “If we suspend the system [the US] will see how quickly it will be on the top of their agenda. So let’s be smart and act.”
Meanwhile, several cases contesting the validity of the Privacy Shield are working their way through the EU courts, including a case brought by Max Schrems, the plaintiff in the 2015 case that resulted in the invalidation of the Safe Harbor Framework. If any of these cases is successful, the Privacy Shield may be invalidated without notice.
Bottom line: If you’re relying on the Privacy Shield for safe data transfer, it’s time to look for Plan B.