U.S. and E.U. officials formally approved the “Privacy Shield” this week, a new agreement governing the transfer of data between Europe and the United States. The final adoption of the transatlantic agreement comes after several years of negotiations, which were accelerated last October when the Court of Justice of the European Union (“CJEU”) invalidated a key part of the U.S.-E.U. “Safe Harbor,” an agreement that had previously enabled American companies to transfer data from the European Union without running afoul of its stricter privacy laws.
When E.U. Justice Commissioner Vera Jourová and U.S. Secretary of Commerce Penny Pritzker signed the agreement on July 12, officials on both sides of the Atlantic likely breathed a sigh of relief. Although American and European negotiators announced that they had reached a high-level deal in February, the road to approving the Privacy Shield has not been an easy one. The deal faced criticism from the European Data Protection Supervisor, national Data Protection Authorities (DPAs), and the European Parliament, many of whom argued that the safeguards it included were insufficient to protect Europeans’ privacy. But after undergoing a number of revisions this spring, the Privacy Shield cleared the final hurdle of approval by the E.U.’s Article 31 Working Group on July 8, paving the way for its official adoption a few days later.
The purpose of the arrangement is to ensure that American companies comply with more stringent E.U. privacy rules when processing or transferring the data of European citizens. Much like the original Safe Harbor agreement, the new Privacy Shield allows U.S. companies to self-certify to the Department of Commerce that their policies meet its requirements. The framework itself is voluntary, but once a company has publicly committed to it, that commitment will become enforceable under U.S. law. If they suspect that something is amiss, European citizens will be able to file formal complaints with their DPAs, who will then forward them on to the U.S. Federal Trade Commission and the Commerce Department to investigate and resolve the disputes. The Commerce Department will also be responsible for proactively conducting regular updates and reviews of participating companies in order to ensure that they are adhering to the rules.
All companies participating in the Privacy Shield will be required to inform individuals about the nature of the data processing they conduct, including details about their rights to access personal data. Companies must also disclose what information they have to provide to law enforcement authorities and who has jurisdiction over enforcement. Privacy Shield participants are further required to maintain data integrity and limit the personal information they collect to information that is “relevant for the purposes of processing.”
The framework also lays out detailed rules for transferring data to third parties, including requiring that they comply with notice-and-choice principles and imposing contractual obligations on third-party data controllers to use and process that data for limited purposes. Finally, the Privacy Shield contains transparency and certification requirements in order to ensure ongoing compliance with its terms.
Although the Privacy Shield negotiations have been underway for more than two years, they took on a new urgency in late 2015 after the CJEU handed down a decision in Case C-362/14, Schrems v. Data Protection Commissioner, 2015 E.C.R. I___ (Oct. 6, 2015). In Schrems, the high court of the E.U. held that the privacy principles adopted under the original Safe Harbor agreement in 2000 violated the 1995 European Data Protection Directive—a decision that jeopardized the ability of nearly 4000 American technology companies to operate in Europe without violating its privacy laws. The lawyer and privacy advocate who started the case when he sued Facebook in 2013, Maximilian Schrems, is also currently challenging the validity of the standard contractual clauses that American companies have been relying on instead of the Safe Harbor, arguing that the use of an alternative legal mechanism to transfer data from the E.U. to the U.S. does not address the underlying concerns about mass surveillance that prompted him to file his initial complaint.
Reaction to the final text of the Privacy Shield was mixed. U.S. and E.U. leaders unsurprisingly came out in support of the agreement, with Secretary Pritzker calling it a “milestone for privacy” and E.U. Commissioner Jourová indicating that it meets “the highest standards to protect Europeans’ personal data.” DigitalEurope, a trade group that represents Apple, Google, and IBM, also reacted positively to the news, adding that they “hope that the Privacy Shield will ease some of the recent pressure on alternative transfer mechanisms, particularly standard contractual clauses, so that Europe can get back to focusing on how international data flows can play a part in contributing to economic growth.”
Privacy advocates were less optimistic, however. UK-based Privacy International suggested that there was little difference between the Privacy Shield and the Safe Harbor agreement it replaced. EDRi, a European digital rights organization, referred to it as the “Privacy Sham,” and its executive director quipped that the agreement “helps nobody at all.” Schrems told reporters that he believes the new framework is better than the previous Safe Harbor but that it still will not stand up to the CJEU’s scrutiny when it gets challenged in court, which experts think is likely to happen.
Danielle Kehl is a rising 2L at Harvard Law School and a fellow at New America’s Open Technology Institute.