Industry Lauds Safe Harbor Deal That Privacy Groups Question and All Agree Will Take Time To Implement
Industry representatives are praising the new U.S.-EU safe harbor framework that promises businesses on both sides of the Atlantic a better legal footing. But privacy supporters remain skeptical about the legal basis of the new EU-U.S. Privacy Shield that aims to strengthen the privacy rights of millions of European citizens. The new data transfer agreement announced Tuesday (see 1602020028) replaces the 15-year-old safe harbor framework, and government negotiators said it provides stronger data protections for EU citizens and implements safeguards that limit data access by U.S. intelligence agencies. While the text of the agreement wasn't released -- and likely won't be for several weeks -- observers questioned whether the new framework could withstand a court challenge.
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
Activist Max Schrems said in a statement posted on his Twitter account that a system of "signed letters" by "high ranking" U.S. government officials isn't a legal foundation for data transfers. "A couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance," he said. Schrems' successful case sparked a European court ruling that struck down the last safe harbor, and EU data protection authorities (DPAs) waited until Jan. 31 to hold off on enforcement for lack of framework.
The new agreement "amounts to little more than a reheated serving," said European Parliament Member Jan Philipp Albrecht, of the Greens/European Free Alliance and Germany. His chief complaints were that the new framework isn't legally binding, relying instead on declarations by U.S. authorities based on their interpretations of the legal situation on surveillance by security services; and that the independent ombudsman will be "independent but powerless." Depending on how the pact is implemented, it seems to provide "some improvements on the protection of EU citizens’ personal data when it is transferred" to the U.S., said Jens-Henrik Jeppesen, Center for Democracy & Technology European affairs director, in a statement. But he said it's "highly unlikely" the European Court of Justice will view the agreement as sufficient due to a lack of U.S. surveillance reforms.
The EU-US Privacy Shield pact "provides certainty by ensuring that thousands of European and American businesses and millions of consumers can continue to access services online that improve their livelihoods and strengthen their businesses," Commerce Secretary Penny Pritzker said in a news media call Tuesday. It includes a "robust system of limitations and safeguards on our intelligence community," said Pritzker, saying it will build on Presidential Policy Directive-28 (PPD-28), which was issued in 2014 and aims to protect the privacy and civil liberties rights of people outside the U.S. "The surveillance reforms since 2013 were essential to bringing the Europeans on board," emailed Peter Swire, Georgia Institute of Technology law and ethics professor. "The Schrems litigation assumed there was 'mass and indiscriminate surveillance' by the US. The USA-Freedom Act and PPD-28 gave our allies what they needed."
Pritzker said Privacy Shield strengthens the FTC's commitment to cooperate with DPAs and also provides eight new means for EU citizens to pursue complaints about improper government access to their data. It has a cost-free alternative dispute resolution mechanism for EU citizens, a Commerce Department commitment to resolve EU citizen complaints, and "as a matter of last resort companies will commit to a new arbitral model," she said. The pending Judicial Redress Act (see 1601290021) isn't integral to the deal, but "would be an addition," she said.
While the new framework will be a relief to many multinational companies, "details still must be worked out between the two sides," said attorney Ann LaFrance, Squire Patton (London) data privacy and cybersecurity practitioner. "The threat of new litigation will hang like the sword of Damocles over any new [European Commission] adequacy decision." This is simply a mandate for the preparation of a more detailed adequacy decision in the coming weeks, said McDermott Will (Brussels, Paris) regulatory compliance attorney Mélanie Bruneau. Those features have "clearly been designed" to comply with the Schrems decision, and the agreement tries to address the issues raised there, she told us.
It appears Privacy Shield provides a wider protection for data transfers to the U.S., Barlow Robbins (U.K.) technology attorney Laurie Heizler emailed us. It would be a step forward and would recognize that the U.S. can enforce strong data protection laws, he said.
Industry groups praising the deal includedBSA | The Software Alliance, Direct Marketing Association, Information Technology Industry Council, Information Technology and Innovation Foundation and Internet Association. Their statements said it will help U.S. companies avoid any disruption to their businesses. More than 4,400 companies were certified under the old deal and the trans-Atlantic trade is valued at nearly $1 trillion a year.
"It’s a great first steps in bringing back some legal certainly, legal clarity for both businesses and individuals in data transfers," Thomas Boué, BSA policy director-Europe, Middle East and Africa, said in an interview. "It’s not an end in [and] of itself and it’s not the end of the road." He said the Article 29 Working Party, composed of independent DPAs that had threatened enforcement if a deal wasn't struck, and the Article 31 Committee, made up of representatives of EU member states, need to provide opinions and "green light" the agreement before it can be sanctioned by the EC. He said European Justice Commissioner Věra Jourová indicated that could take up to three months.