After four years in the making, the European Union’s General Data Protection Regulation (GDPR) received its legislative approval earlier this year. The regulation will be implemented over a two-year period, going into effect on May 25, 2018, and provides a new set of rules to govern the processing of personal data, replacing the 1995 EU Data Protection Directive (“Directive”). The GDPR prohibits the transfer of personal data to non-EU countries unless such data can expect an “adequate level of protection” by mechanisms such as the Privacy Shield (“Shield”). And with non-compliance fines of the greater of up to 4% of a company’s annual global turnover or €20 million, businesses are rushing to sign up – but are they on the right track?
The EU Court of Justice (CJEU) ruling in the Schrems decision in 2015, invalidated the U.S.-E.U. Safe Harbor, a legal protocol employed by over 4,700 U.S. companies to transfer personal data from the EU to the U.S. for over 15 years. Following from the ruling, the European Commission launched the EU-U.S. Privacy Shield in mid-2016, a replacement mechanism with a heightened data protection standard for U.S. companies looking to receive personal data from EU. Companies looking to adopt the Shield are now able to certify to the Department of Commerce their compliance upon completion of a self-assessment process. Almost two months from its inception, over 300 companies (including Microsoft, as the first global cloud service provider) have now completed the self-certification and signed up under the Shield. The adoption of the Shield in this manner is designed to provide companies with adequate legal basis for engaging in transatlantic data transfers instead of relying on other alternative mechanisms, namely adopting standard contractual clauses or binding corporate rules (BCRs).
In spite of improvements on data protection standards, data privacy experts across the EU remain skeptical of the new mechanism. Other EU Data Protection Authorities (DPAs) have criticized the new framework as failing to offer an equivalent level of protection for privacy rights of EU citizens, lacking in its scope of judicial redress and have already announced plans to challenge it.
6 key regulatory factors and operational challenges:
The 6 factors discussed below have led to the deep-seated skepticism behind the Shield:
- MORE OF THE SAME SAFE HARBOR: The central issue in Schrems case was the failure to resolve the main concerns affecting Safe Harbor, particularly those relating to mass surveillance by U.S. law enforcement and national security agencies. The Shield remains an assortment of obligations and notes from various parts of the U.S. Government which fails to provide clarity on how some of these protections would apply in practice. Data privacy advocates across EU believe that U.S. laws on surveillance intelligence collection may still be in conflict with the Shield, and there is a strong likelihood for the Shield to be brought to court on similar grounds as the Safe Harbor.
- INADEQUATE COMMERCIAL SAFEGUARDS: An influential advisory body of EU Data Protection Authorities (DPA) known as the Article 29 Working Party (WP29) expressed serious reservations with the final version of the Shield. In its review, the WP29 noted that “a number of these concerns” still remain regarding “commercial aspects”, i.e. the indiscriminate collection of personal data by U.S. businesses. WP29 has confirmed that it will continue to provide more information for businesses regarding their obligations on accessibility and use of data as a controller, and guidance to citizens on their rights. The ink on the Shield is barely dry but the WP29 has made clear it would play a crucial vigilante role on an ongoing basis and lead the charge at the annual review of the Shield.
- LACK OF INDEPENDENCE (OR EVEN THE APPEARANCE OF IT): The WP29, in its review of the Shield, also noted that “it would have expected stricter guarantees concerning the independence and the powers of the Ombudsperson mechanism”. The Ombudsperson mechanism is meant to serve as a contact point for EU authorities and work independently in addressing concerns raised by EU citizens. As per the Shield, the Ombudsperson is to be appointed by and would work under the Secretary of State, an executive power which has left question marks about the independence and impartiality of the entire mechanism. Other U.S. legislations like the Intelligence Authorization Act for FY 2017 (S. 3017) are likely to put the Shield into further jeopardy. When enacted, the law would limit the Privacy and Civil Liberties Oversight Board’s (PCLOB) jurisdiction only to the protection of U.S. citizens and lawful permanent residents. The PCLOB is a civil liberty watchdog and an institution that was meant to provide oversight and protect rights of EU residents whose personal data were transferred to the U.S. This limitation is certain to open another can of worms with the WP29.
- BREXIT REPERCUSSIONS: Businesses with UK presence and particularly those collecting personal data in, and transferring it from the UK to the U.S. will need to keep close tabs on the Brexit discussions. It is almost certain that UK would want to trade with the EU Single Market on equal terms and would have to prove ‘adequacy’ in relation to data privacy laws. Although the UK Information Commissioner’s office was quick to dispel any near-term impact, data privacy experts believe that long term consequences of the GDPR for the UK, upon confirmation of final Brexit terms, is likely to be similar to that of the U.S. in relation to EU. In an interesting turn of events, a UK legislation called the Investigatory Powers Bill (popularly labelled as “the Snoopers’ Charter”), was recently passed by the House of Commons. The Act confers far-reaching powers to UK authorities for interception of communications based on national security concerns, and has been flagged as a peril to the EU ‘adequacy’ decision. The Bill continues its path through Parliament, and is likely to go into effect by January 2017. Watch this space.
- AVAILABILITY OF OTHER ALTERNATIVES: While businesses have started signing up to the Shield system, it seems that many would do so in conjunction to other stable alternative mechanisms, including adding standard data protection clauses (the ‘Model Clauses’) or by implementing BCRs. It remains to be seen if a considerable number of U.S. businesses will go through the expensive and complicated operational implementation of the Shield, particularly with DPAs exhibiting legal uncertainty over the mechanism. While Model Clauses is no panacea, experts recommend sticking with such alternative mechanisms (with appropriate amendments, where necessary), or using the Shield as an additional option.
Although approval of the Shield framework has been welcomed by many in the business community, its appropriateness for any particular organization needs to be evaluated by taking into consideration such organization’s operations, instances of transatlantic data transfer and particular types of data that may be in question. Given the uncertainty and potential for litigation around the Shield, we expect organizations to use a combination of alternative data transfer mechanisms or wait until effects of the Shield adoption earns a greater degree of legal certainty.
Our next article in this series will offer a transatlantic perspective on implementation aspects of GDPR, including a detailed analysis on alternative data transfer mechanisms U.S. businesses must consider in preparing themselves for compliance with GDPR.
About the Author:
Vishal Anand is the SVP of Contracts Practice at Mindcrest. For a dozen years, Vishal has been sitting in corporate legal departments and law firm conference rooms helping attorneys and risk-officers implement practical solutions by use of emerging technologies and integrated legal services. For our clients in the Contracts space, he is your go-to when designing solutions to your challenges.