The shifting sands of data protection

Jun 01, 2016

The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies, writes Conor Hogan.

A recent EU Commission press release trumpeted the EU-US Privacy Shield as the solution to the recent Safe Harbour debacle, suggesting that it would bring legal certainty to individuals and to businesses.

Indeed, the business and technology communities in Ireland and across Europe welcomed the Commission-brokered framework on the premise that it would save Irish jobs and remove the threat that hangs over transatlantic trade centred on US multinationals located in Ireland and Irish companies who have outsourced data-related services to US corporates.

While Privacy Shield represents an interesting and potentially far-reaching contribution to the debate, it’s clear that many questions – not least the implementation, legal ramifications and enforceability of the framework – remain unanswered. These unanswered questions centre on an individual’s right to privacy versus a state’s obligation to protect its citizens.

The background to Safe Harbour

In October 2015, the European Court of Justice (ECJ) ruled that the existing Safe Harbour framework was invalid, finding decisively in favour of the privacy rights of Europeans. Safe Harbour was a framework for data protection compliance developed by the US Department of Commerce in coordination with the European Commission. US privacy requirements are significantly different from EU data protection legislation and the Safe Harbour framework was developed in an effort to bridge the gap between both jurisdictions.

Safe Harbour allowed US organisations to self-certify that they were in compliance with European privacy standards and effectively facilitated the large-scale transfer of personal data to the US under a self-endorsed claim of compliance with the EU’s Data Protection Directive.

The ECJ’s ruling meant that the routine transfer of personal data to the US was noncompliant with EU data protection legislation. Many European businesses were therefore breaking the law if they continued to transfer data under the old framework.

The subsequent uncertainty around legal methods for transferring data out of Europe has seen the EU Commission broker the Privacy Shield framework in an attempt to return certainty to normal business operations.

A balancing act

Privacy Shield purports that data transfers will be facilitated, managed and monitored, and that the EU has written assurances from the US supporting that claim. Privacy activists are traditionally sceptical about agreements with the US government, especially given recent historical events with US surveillance, Edward Snowden, and the seemingly irrepressibly long reach of foreign governments (not least the US) to snoop on web activity.

The Commission proposes that the new framework will establish the following controls to protect the privacy rights of EU data subjects:

  • Strong obligations on companies handling Europeans’ personal data and robust enforcement: US companies will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. These commitments will be published and enforceable under US law by the US Federal Trade Commission. Companies handling HR-related data from the EU will have to comply with the relevant EU data protection laws;
  • Clear safeguards and transparency obligations on US government access: Clear limitations and oversight mechanisms will be established for access to data by public authorities for law enforcement and national security. The Commission and the US Department of Commerce will carry out a joint annual review of such access, including national security access. The US has ruled out indiscriminate, mass surveillance on personal data transferred; and
  • Effective protection of EU citizens’ rights with several redress possibilities: Privacy Shield will afford EU citizens a number of redress options. Companies will have to reply to citizens’ complaints or anyone who feels their personal data has been misused before a mandated deadline. European data protection authorities will be able to refer complaints to the US Department of Commerce and the Federal Trade Commission. A new Ombudsperson will be created to investigate complaints.

Continuing uncertainty surrounding the transfer of data would be detrimental to commercial transatlantic trade, and its true magnitude should not be underestimated, as it represents an unacceptable level of risk to the EU and Irish economies. The severe pressure the Commission is under to produce a fix is telling, with the competing interests of business and privacy pulling in opposite directions. The EU-US Privacy Shield framework appears to give the message that, even with the blunt Safe Harbour legal opinion from Europe’s highest court, everything is under control.

Protecting privacy

So does the Commission’s proposal provide any assurance to the individual whose data is at the centre of the ECJ’s decision? The answer is unclear. While legitimate business interests are important, the protection of continental trade interests, national security and international surveillance practices should not be pursued at the expense of eroding the privacy rights of individuals.

The US Chamber of Commerce welcomed the deal, claiming that it assists in “eliminating uncertainty and allowing businesses to plan effectively”. The substance of what Privacy Shield will deliver remains unclear, however. Yes, there is agreement to implement a tighter regime for managing personal data transfers out of Europe, but just how this will play out remains to be seen.

There is still some way to go to assuage concerns that the US government can indiscriminately collect and retain vast swathes of personal data. While this may not concern every individual, it should. Privacy is not something that should be given up easily or involuntarily. The impact that new and developing technologies have on the lifestyle of customers is enormous, both in enabling us to live more efficient and easier lives and in facilitating the mass-collecting of data – of habits, likes, dislikes, interests, hobbies, preferences, personal details, spending habits and tastes. In today’s technology-driven society, an individual shares more personal information with their search engine than their friends.

Conclusion

Amid growing mistrust and suspicion within Europe of US intelligence practices, the ECJ’s October decision reinstated the EU’s position at the forefront of the protection of the individual’s right to privacy. It remains to be seen whether the proposed Privacy Shield framework is truly the much-needed reform that will enable trade and protect national security interests while reinforcing and defending the privacy rights of individuals.

Conor Hogan is Manager, IT & Audit Security, Mazars.