Online Business’ Optimism Under Privacy Shield Is Tempered by EU Privacy Challenges Ahead
December 19, 2017 | Shari Claire Lewis
There is good news for U.S. companies operating online, which nowadays, of course, includes virtually every business. The European Commission has published its first annual report on the agreement reached last year by the Commission and the U.S. government to protect personal data transferred from the European Union (EU) to U.S. companies for commercial purposes, known as the “EU-U.S. Privacy Shield” – and the Commission has determined that the Privacy Shield is working. Specifically, the Commission concluded that the Privacy Shield is ensuring an “adequate level of protection” for personal data transferred from the EU to participating U.S. companies.
Clients with an online presence should not assume, however, that international privacy issues no longer demand their attention. For one thing, the Commission’s report contained a number of recommendations for improvements that will have to be addressed to ensure the continued functioning of the Privacy Shield. Perhaps even more significant is what is looming directly ahead: the potential impact of the criticisms of the Privacy Shield by the Article 29 Working Party on the Protection of Individuals with regard to the Processing of Personal Data (WP29) and the need for U.S. companies doing business with EU citizens to become compliant with the EU’s General Data Protection Regulation (GDPR) by the May 2018 deadline.
U.S.-EU Privacy Divide
The core issue that separates the EU and U.S. is the EU principle, embedded in the EU legal system, that privacy is a fundamental human right. No corollary for this fundamental privacy right exists in the U.S. Constitution. Accordingly, neither the U.S. government nor U.S. companies are considered inherently “safe” under EU privacy guidelines, but must individually demonstrate compliance with heightened EU standards.
In October 1995, the European Parliament and the EU Council adopted a “Data Protection Directive” that provided that the transfer of personal data from the EU to a third country could occur only if the receiving country adequately protected that data. In response, the EU and the U.S. government agreed to a “safe harbor” under the Data Protection Directive that permitted personal data to be transferred from the EU to the United States upon demonstration that the U.S. recipient met certain criteria. Thousands of U.S. companies signed on to the safe harbor, and everything worked well for about two decades.
Then, in October 2015, the EU’s Court of Justice issued its decision in Maximilian Schrems v. Data Protection Commissioner (No. C-362/14, Oct. 6, 2015). In Schrems, the Court of Justice invalidated the safe harbor, reasoning that it applied only to U.S. companies that adhered to it and that it did not apply to the U.S. government. The Court of Justice also said that “national security, public interest and law enforcement requirements of the United States” prevailed over the safe harbor, so that U.S. companies were “bound to disregard” the protective rules laid down by the safe harbor where they conflicted with those requirements. The U.S. government could thereby interfere with the safe harbor and violate Europeans’ “fundamental right” of privacy, the Court of Justice concluded.
The Schrems decision placed thousands of U.S. companies at risk of violating EU privacy rules, and the ability of these companies to operate in the EU was thrown into chaos.
The Privacy Shield
Fortunately, in early February 2016, the Commission and the U.S. government reached an agreement on the Privacy Shield, which replaced the safe harbor and allowed transatlantic data flows to continue – an important facet of commerce today.
The Privacy Shield includes obligations for Privacy Shield-certified U.S. companies receiving personal data from the EU, such as limits on how long they may retain personal data (the so-called data retention principle) or the conditions under which data may be shared with third parties outside the framework (the so-called accountability for onward transfers principle).
The Privacy Shield also provides for monitoring by the U.S. Department of Commerce (DOC), strengthens the ability of EU individuals to complain if they think that their personal data is not being properly protected, and creates an Ombudsperson to address complaints concerning access to personal data by U.S. authorities. In addition, the U.S. government agreed to limit its ability to access personal data transferred under the Privacy Shield for national security, law enforcement, and other public interest purposes.
At least 2,400 companies already have been certified under the Privacy Shield, with about 20 new companies applying for certification every week. There is, however, a continuing problem with some companies falsely claiming to have been certified under the Privacy Shield, despite having never applied or having not yet been certified by the DOC. In fact, at the end of November, the Federal Trade Commission (FTC) approved settlements with three companies that, the FTC asserted, had deceived consumers by falsely claiming participation in the Privacy Shield. As part of the settlements with the FTC, available at https://www.ftc.gov/news-events/press-releases/2017/11/ftc-gives-final-approval-settlements-companies-falsely-claimed?utm_source=govdelivery, the companies were prohibited from misrepresenting the extent to which they participated in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization, and they must comply with FTC reporting requirements.
The Commission’s Report
When the Privacy Shield was launched in August 2016, the Commission said that it would review it on an annual basis to determine if it continued to adequately protect personal data. The Commission’s first report is now available, at http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=605619. As noted above, the Commission has determined that the Privacy Shield is working.
The Commission’s report highlighted a number of new elements introduced by the United States since the Privacy Shield was launched. For example, the report pointed out that the DOC has created a process for receiving and reviewing applications from companies seeking Privacy Shield certification. The DOC also has developed questionnaires as a tool to monitor on an ongoing basis whether certified companies are complying with their obligations under the Privacy Shield (companies have to respond within 30 days).
In addition, the DOC and the FTC, in cooperation with EU data protection authorities (DPAs), have put in place a variety of tools and instruments to help to ensure their cooperation, including a standard referral form that facilitates the referral of a company to the DOC for further compliance review if a DPA believes that the company is not complying with the Privacy Shield.
Finally, the U.S. Department of State has established an online platform at https://www.state.gov/e/privacyshield/ombud/ for the Ombudsperson and an electronic form for the Ombudsperson to receive complaints from the EU.
The Commission’s Recommendations
Despite its approval of the Privacy Shield, the Commission’s report contained a number of recommendations for the U.S. government in an effort to even further improve the Privacy Shield’s effectiveness.
For one thing, the Commission recommended that the DOC conduct regular searches for companies that falsely claim participation in or fall out of compliance with the Privacy Shield.
The Commission also suggested that the DOC and the DPAs work together to develop guidance on the legal interpretation of certain concepts in the Privacy Shield, such as with respect to the principle of accountability for onward transfers and the definition of human resources data.
Given the concerns expressed by the Court of Justice in Schrems regarding national security’s impact on data privacy, it should not be surprising that the Commission’s report also contained a number of national security suggestions.
The Commission said that it “would welcome” Congress adding protections for non-Americans to the Foreign Intelligence Surveillance Act (FISA), which is one of the primary laws that can be used by the government to access personal data of Europeans transferred from the EU to Privacy Shield-certified companies in the United States. It should be noted that FISA Section 702, which authorizes the government to acquire foreign intelligence information through the targeting of non-U.S. persons located outside the United States under certain conditions, is set to expire on December 31, 2017; at this writing, it appears that Congress is moving to address Section 702 by the deadline.
In addition, the Commission called on the Trump administration to “swiftly appoint” a permanent Ombudsperson, as well as the other members of the Privacy and Civil Liberties Oversight Board (PCLOB); see https://pclob.gov/.
Finally, the Commission called on the PCLOB to release its report on Presidential Policy Directive 28 (PPD-28), which was issued in 2014 by former President Obama and which contains limits on the collection and use of personal data – including personal data of non-Americans – by U.S. public authorities for national security purposes. The Commission said in its report that, during its annual review of the Privacy Shield, the U.S. government “expressly confirmed” that the Trump administration is not making any changes to PPD-28.
Although the Commission is pleased with the roll-out of the Privacy Shield, the Privacy Shield may face some troubled waters ahead. First, the Privacy Shield was soundly criticized earlier this month by the WP29, an independent advisory body on data protection and privacy established under Article 29 of the Data Protection Directive. The WP29 indicated that it had “significant concerns” about the effectiveness of the Privacy Shield. It also identified “unresolved issues” concerning the commercial use of data and data transfers. The WP29 stated that it would likely take legal action if the U.S. government did not take steps to address its concerns.
More definite is the looming May 2018 deadline for companies to comply with the GDPR, including breach notification requirements that conflict with present U.S. federal and state requirements. The GDPR is expected to impact U.S. companies’ business with EU individuals and entities. One of my next columns will explore some of the issues businesses need to consider to address the GDPR’s impact.
Reprinted with permission from the December 19, 2017 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.