The European Commission and the US administration have now concluded more than six months of negotiations both within the EU institutions and in the US to establish the Privacy Shield scheme to transfer data from the EU to the US.
These FAQs look at our initial thoughts on Privacy Shield. We use some technical terms which are explained in our glossary here.
What is Privacy Shield?
The Privacy Shield scheme was proposed in February 2016 to replace the Safe Harbor scheme which was struck down by the European Court of Justice (ECJ) in the first Schrems case (sometimes known as Schrems 1) in October 2015. There is some background to the collapse of Safe Harbor and the announcement of Privacy Shield in our alert on 3 February 2016 here.
Why did it take so long?
As we said in February, the announcement of the creation of Privacy Shield was premature. An announcement had to be made in February as a deadline set by the Article 29 Working Party (often known as WP29) had expired at the end of January. In February the European Commission said that they hoped that Privacy Shield would be finalised by the beginning of May. Even that seemed ambitious, in part because of the criticism that Privacy Shield received from WP29 in April. You can see a summary of WP29’s criticisms of Privacy Shield in our alert and short film here.
When did Privacy Shield come in?
The scheme opened for business on 1 August 2016.
Who has joined so far?
The US administration has indicated it will check applications more than it did under Safe Harbor and as a result the process is likely to take a little longer. As at 15 August 2016, 34 businesses were registered under the scheme. The most interesting include Microsoft, Workday and Salesforce.
If I join Privacy Shield will the US authorities play a greater role?
Almost certainly. There is likely to be much more supervision by the US authorities than there was under Safe Harbor. It is not true to say there was no Safe Harbor enforcement (for example we looked at the investigation into TRUSTe here) but the European Commission are promising tougher enforcement. The Commission said on this in their 12 July announcement:
“under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list.”
Is Privacy Shield bullet proof?
Probably not. Penny Pritzker, the US State Secretary of Commerce, said on 12 July 2016 in announcing the deal that she thought it would ‘withstand scrutiny’ and that she had been speaking with the chair of WP29 to try and reduce her concerns. Commissioner Jourová also said she was confident it would survive a court challenge. In our view it is unlikely that the concerns about Privacy Shield will disappear so quickly.
As well as possible challenges from courts and regulators it should be remembered that Privacy Shield has a one-year shelf-life before being renewed. The European Parliament in particular is likely to be looking carefully at the scheme’s first year and may challenge its renewal in 2017. WP29 have also indicated that the first annual review will be a critical time for Privacy Shield.
Could it be challenged by Regulators?
Almost certainly. Reports on 4 August 2015 suggest that Johannes Caspar, the Hamburg Data Protection Regulator who had been very critical of Safe Harbor, would like to refer the scheme to the ECJ. Caspar is petitioning the German authorities to allow data protection regulators to refer issues like this to the ECJ directly.
In addition there are rumours that Austria, Bulgaria, Croatia and Slovenia abstained from the Article 31 vote and it could be that Regulators from some of those countries may also take an interest although the WP29 statement on 26 July 2016 makes an immediate challenge less likely. Privacy Shield is certainly open to challenge in the same way as Safe Harbor was. In effect its legal status is similar to Safe Harbor – an adequacy finding from the European Commission.
A challenge from the Irish Data Protection Commissioner is also likely to happen through the Courts.
What about a court challenge?
There have been indications of likely court challenge already and the Schrems 1 case tells us that regulators must have more independence to investigate their concerns.
In addition there is currently likely to be a challenge to the ECJ over model clauses. We reported on this case here, sometimes known as Schrems 3, in May. There were court hearings in the Schrems 3 case at the end of July and we understand that counsel for the Irish Data Protection Commissioner flagged the fact that those proceedings might need to be amended to accommodate the inclusion of Privacy Shield. In effect it seems that the intention from the Irish Data Protection Commissioner would be that the ECJ looks at the legality of the model clauses and Privacy Shield together. The Schrems 2 litigation is not immediately relevant to Privacy Shield but you can find background on that case here.
Whilst a challenge does seem likely there is no guarantee that would succeed. A differently constituted court on a different day may be more willing to uphold Privacy Shield especially with the extra effort that both the EU and US have made this time around. Whatever the result however there is likely to be uncertainty since a court hearing may be unlikely before the end of 2018 on current court timetables.
Will Privacy Shield be protected by GDPR?
No. Privacy Shield is not referred to in GDPR although one of the other methods of data transfer, Binding Corporate Rules (or BCRs), is. Commissioner Jourová said on 12 July 2016 that Privacy Shield would be reviewed prior to GDPR coming into force since it was a clear requirement that the US had ‘equivalent’ protection and this protection was likely to have to be improved once GDPR set the bar higher.
Should I even consider Privacy Shield for my business?
Probably. Despite its faults those companies who were in Safe Harbor might find Privacy Shield fairly easy to achieve. It could have some role as part of a mix of compliance measures, although it is unlikely to provide a complete solution on its own. It would be wise to look at the scheme to do a cost-benefit analysis. Privacy Shield is likely to be more costly than Safe Harbor – in part due to higher arbitration costs – but may demonstrate a level of compliance to some of your customers. Some of the former Safe Harbor arbitration schemes have also adapted themselves to manage Privacy Shield arbitrations.
How much will it cost to join Privacy Shield?
As well as the arbitration scheme cost an organisation must pay an annual fee to the US Department of Commerce (DoC). That fee is tiered based on the organization’s annual revenue and ranges from $250 to $3,250. Additionally there is a fall-back arbitration scheme which will be funded by a levy on Privacy Shield participants. Currently DoC has yet to set the amount of this levy. DoC seems to be currently advising that this figure may not be known until February 2017. It currently expects that this additional fee will also be tiered and that it may be around the same level as the annual joining fee. We raised this uncertainty with the Privacy Shield team in the US in August 2016 and they told us that the fund would be managed by a third party and that the fees would be reviewed at the Annual Review by the US administration and the European Commission “with the mutual understanding that there will be no excessive financial burden imposed on Privacy Shield organizations”.
What about Brexit?
There was a question at the 12 July 2016 press conference to Commissioner Jourová about the effects of Brexit and any likely adequacy decision for the UK. Commissioner Jourová said it was too early to answer this question.
Due to the initial two-year time frame for the Brexit negotiations (which have yet to commence) Privacy Shield will apply to data transfers from the UK at least until any eventual withdrawal from the EU – this is unlikely to be much earlier than January 2019. Equally GDPR will also apply. There is more information on the effects of Brexit on data protection, data transfer and data security in our film here.
What can I do?
In short to get started, the following are possible actions to take:
- Have a plan for data transfer – we have seen from some of the enforcement cases that the lack of a plan is likely to cause difficulties when regulators ask questions;
- Review Privacy Shield to see if it might work for you – even a system subject to a challenge may be useful for you;
- Look again at your data flows to determine the following: what information travels outside of the EU and on what basis? Is it inter-group or is it to third parties? What steps are already in place to make those data flows lawful? You may be able to alter your current data practices to reduce your risk;
- Consider the other options available to your business including model clauses (recognizing they are also subject to challenge) and BCRs. BCRs do have a new footing in GDPR and may be more resistant to challenge. BCRs will not be the answer for everyone however.
For more information please contact Jonathan or André who are lawyers with Cordery in London where their focus is on compliance issues.