Safe Harbor 2.0 got onestep closer to implementation last week when the European Commission and the United States announced they’d agreed on a new framework for transatlantic data transfer: the EU-US Privacy Shield.
Privacy Shield is designed to replace the Safe Harbor agreement, which the European Court of Justice ruled invalid in October 2015 as it failed to protect fundamental European human rights in a sufficient manner because U.S. government officials had unrestricted access to EU citizen’s data. (For more on the ruling, read Security Management’s February Cybersecurity “An Unsafe Harbor").
This immediately threw into question the data transfer structures that more than 4,000 U.S. companies relied on to share data between the EU and the United States. It also set into motion major negotiations between the European Commission, the U.S. Department of State, and the U.S. Department of Commerce to reach a new agreement by January 31 to continue data transfers.
The negotiators, however, did not reach a deal by the initial deadline. Instead, on February 2, EU Commissioner Věra Jourová announced that a new framework for data transfer had been agreed to.
“The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies,” she said in a statement. “For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms.”
Jourová also explained that the new framework will include strong obligations on companies handling Europeans’ personal data and robust enforcement, clear safeguards and transparency obligations on U.S. government access, and effective protection of EU citizens’ rights with redress possibilities.
However, the negotiators have not publicly released a text of the framework, which has many wondering what will be included in the final version of the Privacy Shield agreement, whether it will be approved by the EU at all, and what impact it will have on the corporations using it to transfer data.
Security Management Assistant Editor Megan Gates sat down with Trevor Hughes, CEO of the International Association of Privacy Professionals (IAPP), to discuss those concerns. Following is a lightly-edited transcript of their conversation.
Gates: Just last week the EU Commission announced that an initial framework to replace Safe Harbor had been agreed to, but so far no real details have been released. What do you know about the agreement so far?
Hughes: The day after the imposed compliance deadline set by regulators in Europe (January 31), the European Commission and the United States government announced the Privacy Shield agreement. In announcing the Privacy Shield agreement, they stated that the concerns of the European Court of Justice have been satisfied.
They outlined a number of components, including a privacy ombudsman in the United States housed within the Department of State and a process through which every compliant made by Europeans would be resolved and handled, both in Europe and in the United States. And a mechanism for redress and for arbitration of those complaints. But it was just a high level outline from a speech by Commissioner Jourová. And that’s it, so we don’t have the final language.
Gates: Do you know when the final language will be released? And what happens next?
Hughes: The EU Commission’s promised the final language by the end of this month. But that is just one more mile marker in what could be a very long, long journey because not only do we need that text to come out—but once that’s out, then the Article 29 Working Group, which is made up of all the data protection authorities and the privacy commissioners of every member country, needs to pass judgment. And we understand that the European Parliament also needs to approve this document.
And then I think, invariably, once those things happen there will be a legal challenge to the new Privacy Shield agreement once it hits the marketplace. So the European Court of Justice would be the ultimate stop on its path towards sustainability and longevity.
Gates: With all of that to accomplish, how optimistic are you that come February 29 we’re going to have an official agreement?
Hughes: I’m optimistic in the sense that I cannot imagine global data transfers of the size, significance, and importance of the EU-U.S. data transfer relationship failing. Something has to work.
That said, when I look at the Privacy Shield agreement—and I know that not only do we not have final language, but it’s understood that there remain some very important details to hammer out—that the idea of a due process being created so that there is a compliant resolution process for Europeans to go through, that includes not only a company but the data protection authority, the Federal Trade Commission, and then finally a mandatory arbitration process. That seems very complex and challenging to actually implement.
I imagine we will get something. Whether it is exactly what we’re looking at right now, or something different, or something modified, I’m not entirely clear. But something has to work, because the stakes are just far too high.
Gates: When it comes to the mandatory arbitration process you mentioned and creating due process for EU citizens, would Congress have to take action to make that happen?
Hughes: One of the things that we certainly understood throughout the negotiation process was that passage of the Judicial Redress Act was going to be necessary for the Europeans to agree to anything. (The Judicial Redress Act allows citizens from designated countries or regions—like the EU—to bring a civil case against the U.S. government for unlawfully disclosing their data.) Based on some reporting we saw over the weekend, it may be that this is or is not the case—it’s not entirely clear.
But perhaps the bigger point to make is that there remains a tremendous amount of apprehension and concern in Europe associated with national security-based surveillance being done in the United States and elsewhere, by the United States. That will remain a sticking point until there is, under the terms of the agreement, some sense of proportionality to that surveillance and the risks being addressed.
Terrorist attacks have occurred in Europe in the intervening months (between when Safe Harbor was struck down and the announcement of Privacy Shield), and some have argued that there has been a new look at those questions.
So do we need something from Congress? I think it would certainly help if we had full passage and signage of the Judicial Redress Act, and action from Congress, but it doesn’t seem like it’s absolutely necessary.
Gates: Since the Paris attacks, there’s been a push in some European countries to give their governments the power to do some of the same surveillance that the United States is doing. Do you think that may make the EU more willing to soften its stance on national security-based surveillance techniques?
Hughes: There is always a push and pull, a debate in society whenever a terrorist attack occurs. People will express a willingness to sacrifice some privacy in order to obtain greater security. But the fact is, that’s a false choice. The two are not mutually exclusive. And the aims of national security—and security generally—are not necessarily inconsistent with legitimate desires for privacy or individual privacy.
So I think in the details of these agreements and these standards, it is important to recognize that obtaining national security is absolutely a vital interest. At the same time, protecting privacy of individuals throughout those national surveillance activities and national security protection activities is also a vital interest. And governments and organizations need to do both.
Gates: When Safe Harbor was initially ruled invalid, companies obviously had a lot of concerns about their operations and questions about whether sharing data between the EU and the United States was now illegal. With the announcement of Privacy Shield, what should companies be doing to prepare for the possible new agreement?
Hughes: There are a few key messages here. First and foremost, get help. If you don’t have dedicated privacy professionals inside your organization and you don’t have outside counsel with deep expertise on information privacy addressing these issues of global data transfer and compliance with these increasingly complex laws, get help quickly.
One thing is explicitly clear: regardless of the result of the Privacy Shield negotiations, the compliance environment is not only going to get more complex, but much, much riskier. So get help.
Second, prepare now. We have very limited time before February 29. We have very limited time before European regulators, regardless of whether Privacy Shield comes into effect or not, begin to enforce against those companies that are not currently using a sufficient mechanism for transferring data from Europe to the United States.
And to be clear, just because you are a U.S.-based organization and may not even have an office or an employee in Europe, that may be insufficient to get you off the hook. European regulators increasingly are deeming a company to be doing business in Europe if people can access its website in Europe and data transfers from Europe to the United States.
So start now at looking at not only the potential of Privacy Shield as a data transfer mechanism, but at the alternate transfer mechanisms—things like standard contractual clauses or binding corporate rules. Those are the two other predominant mechanisms for transferring data. Make sure you’re looking at those and assessing those, and be ready to implement soon—if not immediately.
And third, this is the new normal. Complexity in privacy law around the world, friction between globalized technologically driven digital economy companies and national level laws, will only increase in the future. National boundaries are built on a physical plain, and the global information economy doesn’t really respect those boundaries in the same way that we do in the physical world. And that inherently creates massive friction.
So global business platforms do not necessarily work well with hundreds of privacy laws, many of which differ around the world. So prepare for that new normal. Privacy law will only get more complex, the tensions between jurisdictions that are struggling to enforce and maintain the cultural norms of privacy that they have in their jurisdictions will only increase.
And that new normal is going to be very, very challenging for some organizations that are trying to exploit the great dream of a frictionless globalized economy.