In February, the European Union (“EU”) and the United States met in Brussels to explore a new EU-US privacy pact as it relates to the transfer of personal data. Ultimately, the two sides came to an agreement over what they call the EU-US Privacy Shield. The Privacy Shield replaces the old Safe Harbor framework that EU and US. agreed on more than 15 years ago.
The Old Safe Harbor Framework
While the EU and US both protect their citizens’ personal privacy, both take a very different approach. In order to bridge that gap, in the late 1990s, the US Department of Commerce, in consultation with the European Commission (the EU’s executive body), developed the “Safe Harbor” framework, which originally provided a method for US companies to transfer personal data outside the EU in a way that did not violate the EU Data Protection Directive.
In 2000, the European Commission determined that transferred personal data would be adequately protected so long as an US company certified that it had complied with the Safe Harbor principles. As a result, self-certification under the Safe Harbor framework became the first choice option of many US companies.
CJEU Invalidates US Safe Harbor Decision
However, in October 2015, the Court of Justice of the European Union (“CJEU”) issued a landmark judgment that declared the European Commission’s 2000 decision invalid. In Schrems v. Data Protection Commissioner, a case that involved a complaint from Max Schrems to the Irish Data Protection Commissioner asking the Commissioner to investigate the adequacy of protection of Facebook data transferred to American servers, the CJEU declared:
[A] Commission decision on the ‘adequate protection’ offered by a non-EU member state cannot exclude or reduce the powers available to national data protection authorities to examine complaints brought to them by data subjects; and data protection authorities do not, themselves, have the power to invalidate a Commission decision. However, data protection authorities and data subjects can refer questions of validity to national courts, which, in turn, can refer the question to the CJEU. The CJEU does have the authority to declare Commission decisions to be invalid.
Having found that it had the authority to declare European Commission decisions invalid, the CJEU turned to the Commission’s US Safe Harbor decision. There, the CJEU concluded:
[T]he decision contains a derogation which allows safe harborites to share data for national security purposes. However, the agencies with whom data are shared fall outside the safe harbor scheme and the Safe Harbor Decision does not address whether there is adequate protection for personal data so processed; and the Safe Harbor Decision sets too high a bar for data protection authorities to be able to intervene. This undermines the independence of data protection authorities. The Commission does not have the authority to do this.
The CJEU’s decision in Schrems left the some 4,600 US companies that were using the Safe Harbor framework to rethink how to ensure the continuity of the protection when data is transferred from the EU to the US. The decision also left the European Commission with the hard task of forging a new privacy agreement with the US, which will satisfy the criteria set forth by the CJEU. Enter the EU-US Privacy Shield.
The New EU-US Privacy Shield
In late February, the European Commission released the text of the new EU-US Privacy Shield agreement. The new agreement will impose significantly more stringent obligation on US companies to protect the personal data of EU citizens. Additionally, the new agreement will impose stronger monitoring and enforcement obligations on the US Department of Commerce and the FTC, including through increased cooperation with European data protection authorities. Specifically, the EU-US Privacy Shield will provide the following greater protections to EU citizens’ personal data:
- US companies wishing to import personal data from Europe will need to commit to even more robust obligations on how personal data is processed and how rights are guaranteed.
- The US Department of Commerce will monitor companies to ensure that they publish their commitments, thereby making their commitments enforceable by the FTC under U.S. law.
- Any company handling human resources data from Europe is required to commit to complying with decisions of the European data protection authorities.
- The United States has given the European Union written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards, and oversight. Exceptions must be used only to the extent necessary and proportionate.
- The United States has ruled out the possibility that personal data transferred to the United States under the new arrangement will be subject to indiscriminate mass surveillance.
- Under the new scheme, US companies have deadlines to reply to complaints.
- European data protection authorities can refer complaints to the Department of Commerce and the FTC.
- A new Ombudsman position will be created to handle complaints that national intelligence authorities have accessed data.
FTC Chair Edith Ramirez Releases Statement on EU-US Privacy Shield
Given the FTC’s implication in the EU-US Privacy Shield agreement, FTC Chairwoman Edith Ramirez issued a formal statement regarding the European Commission’s release of the agreement. Ms. Ramirez statement said:
The EU-U.S. Privacy Shield Framework supports the growing digital economy on both sides of the Atlantic, while ensuring the protection of consumers’ personal information. In providing an important legal mechanism for transatlantic data transfers, it benefits both consumers and business in the global economy. Strong law enforcement and increased cooperation will be critical to the new framework’s success, and the FTC will play a significant role in enforcing commercial privacy promises under the framework. As I affirmed in my letter to EU Commissioner Vĕra Jourová, the FTC will make enforcement of the new framework a high priority, and we will work closely with our European counterparts to provide robust privacy and data security protections for consumers in the United States and Europe.
So, what does the newly minted EU-US Privacy Shield mean for US companies? Initially, at least, the US companies will need to examine the more robust principles set forth under the new agreement in order to make sure they can abide by them. However, the new agreement also signals a further increase in the FTC’s participation in regulating data security.
The FTC has already been flexing its muscle in the data security arena for a little while now, and under the new EU-US Privacy Shield, those efforts are only likely to increase. In the absence of our own legislation on data security practices’ enforcement, the FTC has stepped in as the “key cop on the beat” when it comes to data security. Therefore, US companies can add protecting personal data transferred from the EU to the US to their lists of business practices that will garner scrutiny from the FTC.
* Photo Cred.: euobserver.com