The Demise of Safe Harbor and Rise of Privacy Shield: How Can Personal Information Now Be Exported from the EU to the United States?

Posted on 11-08-2016

 

By: David Bender, Special Counsel, Data Privacy, GTC Law Group.

Since 2000, the Safe Harbor program has provided a relatively painless way for U.S. companies to import into the United States the personal information of European Union (EU) residents in compliance with the EU’s rigid restrictions on export of personal information.

This program was created in 2000 by agreement between the United States and the EU for export of personal information to the United States, and some 4,400 U.S. companies certified to it. In October 2015, the EU’s highest court, the Court of Justice of the EU (the CJEU), invalidated the decision by which the EU adopted Safe Harbor. Thus, since October 2015, Safe Harbor has been unavailable as a lawful basis for export of personal information from the EU to the United States. Although there are other mechanisms that arguably could render this export lawful, most are subject to the same deficiencies (real or imagined) that the CJEU found in Safe Harbor. There is an enormous amount of trade between the United States and the EU, and much of it requires the transfer of personal information from the EU to the United States. Accordingly, the uncertainty resulting from the CJEU’s decision has caused much gnashing of teeth on both sides of the Atlantic.

The CJEU Decision

The CJEU became involved in the Safe Harbor matter through a procedure allowing a court of an EU Member State—in this case, Ireland—to request from the CJEU a “preliminary ruling” on issues of EU law. The sole issue on which a preliminary ruling was sought here was totally peripheral to whether the EU Safe Harbor decision was valid. Nevertheless, in its decision the CJEU:

  • Ruled on an issue (adequacy of U.S. data protection law) beyond the Irish court’s request
  • Relied on sources that took at face value published news articles containing substantial falsehoods
  • Ignored corrections subsequently made to those articles
  • Ignored numerous substantial changes that had since been made to U.S. surveillance procedures after publication of the articles
  • Although it might have no effect on the precise issue at hand, ignored the fact that, overall, U.S. national security surveillance is more privacy-sensitive than most EU Member State national security surveillance

Privacy Shield

Discussions between the United States and the EU on modifying Safe Harbor had been underway since well before the Safe Harbor decision’s invalidation, and they moved into high gear immediately thereafter. As a result, in July 2016, the United States and the European Commission (the executive branch of the EU) agreed to a Privacy Shield arrangement to replace Safe Harbor. Privacy Shield opened for business on August 1, 2016. Privacy Shield is modeled on Safe Harbor, in that both are built around a set of seven privacy principles,[1] and permit U.S. companies to self-certify their compliance with these principles.

Nevertheless, Privacy Shield differs from Safe Harbor in several significant ways. First, the role of the U.S. government has been intensified. In Safe Harbor, the U.S. Department of Commerce (DOC) played largely a ministerial role, namely, that of registration and record-keeping. Under Privacy Shield, DOC would be much more active, by vetting initial certifications and seeing that the list of certified companies remains current. Also, the Federal Trade Commission (FTC) has represented that under Privacy Shield it would give priority attention to complaints from EU residents that their personal information has been treated inappropriately.[2] Further, under Privacy Shield the United States would create a new position—the Ombudsperson—in the Department of State, totally independent of the intelligence community. The purpose of the Ombudsperson would be to investigate and respond to complaints of EU residents that their personal information had been inappropriately processed by the U.S. intelligence community. One major focus of the CJEU decision was that U.S. National Security Agency (NSA) bulk collection of the personal information of EU residents violated EU law.[3] Accordingly, the EU insisted that any Safe Harbor successor must have some mechanism to guard against improper U.S. governmental surveillance.

Criticism of Privacy Shield

After Privacy Shield was proposed, and before it was agreed upon, it was analyzed by three EU organs (the Article 29 Working Party (WP29),[4] the European Parliament,[5] and the European Data Protection Supervisor (EDPS)) that lack the power to veto it, but nevertheless have some influence on the entities that do have veto power. The Opinion released by WP29 contained several specific criticisms of the new Privacy Shield:

  • Data retention restrictions were not expressly mentioned.
  • There was no articulation of the protection against decisions based solely on automated processing.
  • Application of the purpose limitation principle to data processing was unclear.
  • Because some data would be transferred on from the United States to third countries, these onward transfers must provide the same level of protection on all aspects of Privacy Shield (including national security)—onward transfer was insufficiently framed.
  • The specified redress mechanisms might, in practice, prove too complex and difficult to use for EU individuals, and therefore ineffective.
  • While establishment of an Ombudsperson was welcome, this position was neither sufficiently independent nor vested with adequate powers to exercise its duty effectively, nor did it guarantee a satisfactory remedy in case of disagreement.

And finally, as to government surveillance, WP29 saw as positive the increased transparency offered by the United States on legislation applicable to intelligence data collection. But the national security representations in Privacy Shield did not exclude “massive and indiscriminate collection” of personal data originating from the EU. According to WP29, such surveillance could never be considered proportionate and strictly necessary in a democratic society. Comprehensive oversight of all surveillance was seen as critical. WP29 noted a tendency to collect ever more data on a massive and indiscriminate scale in the fight against terrorism. Given the concerns this brings to protection of fundamental privacy rights, WP29 looked to the forthcoming rulings of the CJEU in cases regarding massive and indiscriminate data collection.

In conclusion, WP29 asked the Commission to resolve WP29’s concerns, identify appropriate solutions, and provide the requested clarifications “in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.”

Several days later, the European Parliament passed a nonlegislative resolution welcoming the efforts of the Commission and the United States to agree on a Safe Harbor successor, but expressing concern about what the members perceived to be deficiencies in Privacy Shield:

  • U.S. government access to data transferred under Privacy Shield
  • The possibility of collecting bulk data that does not meet the “necessity” and “proportionality” criteria set forth in the Charter
  • The U.S. Ombudsperson, which Parliament viewed positively, but believed to be neither “sufficiently independent” nor “vested with adequate powers”
  • The complexity of the redress mechanism, which must be made more “user-friendly and effective”

Parliament proposed that the EU Commission continue to negotiate with the United States to remedy these “deficiencies.”

Not to be outdone, the EDPS chimed in a few days later, opining that, while it may be “a step in the right direction,” in its current form Privacy Shield did not include all appropriate safeguards for protecting and redressing individual privacy rights. Additional reassurance was required in terms of necessity and proportionality. Further, representations by public officials could play only a short-term role and were insufficient in the long term. The EDPS wanted a “binding federal law” to enshrine “at least the main principles of the rights to be clearly and concisely identified” as ensuring an adequate level of protection.

Further, the EDPS saw Privacy Shield as growing the national security “exception” into the rule. Conceding that there had been movement from indiscriminate to targeted surveillance, there was a concern that the scale of intelligence collection, and volume of data transferred from the EU subject to collection and use, would still be high and that Privacy Shield might “legitimize this routine.” EDPS believed government access to and use of data transferred for commercial purposes should take place only in exceptional circumstances and where indispensable for specified public interest purposes. The EDPS also noted that the current EU data protection framework would be succeeded in May 2018 by the General Data Protection Regulation, which creates obligations extending beyond those embodied in Privacy Shield. Accordingly, the EDPS believed the Commission should seek “longer term solutions to replace Privacy Shield, if any, with more robust and stable legal frameworks to boost transatlantic relations.”

Moreover, as to redress and oversight, EDPS believed that the role of the Ombudsperson should be further developed, so that he or she is able to act independently not only from the intelligence community but also from any other authority. Reporting directly to Congress could be one option in this regard. And it should be made clear that all agencies will cooperate with the Ombudsperson and respect his or her decisions and recommendations.

Subsequent Negotiations

As a result of these criticisms and suggestions, the Commission and the United States have had further discussions, and the United States has given the EU additional assurances in the form of a second letter from the general counsel of the Office of the Director of National Intelligence. This letter focuses on the instances when the United States may engage in bulk collection of personal information. The United States has also given the EU assurances on the independence of the Ombudsperson. Some of the other suggestions of WP29, Parliament, and the EDPS were also embodied in the final version of Privacy Shield, but many were not. In any event, it seems clear that Privacy Shield will be challenged in court. Such a challenge will surely result in a reference to the CJEU, as was the case with Safe Harbor. Thus, the critical question is how Privacy Shield will fare before the CJEU.

Privacy Shield and the CJEU

The two biggest problems the CJEU had with Safe Harbor were the perceived free rein given the U.S. government regarding national security surveillance of EU residents’ personal information and the lack of redress that EU residents had with regard to U.S. government surveillance. The success of Privacy Shield before the CJEU will most likely depend in large part on five factors, namely, the degree to which the court:

  • Concludes that Privacy Shield is meaningfully different from (and superior to) Safe Harbor
  • Takes proportionality into consideration (as the court was required to, but did not, in its Safe Harbor decision)
  • Is willing to distinguish the factual basis of present U.S. national security surveillance from the one (inaccurately) portrayed in its Safe Harbor decision
  • Is willing to acknowledge (at least implicitly) the importance and realities of commerce
  • Views the Judicial Redress Act[6] and the Ombudsperson as providing sufficient judicial redress against U.S. national security surveillance

What Is a Company to Do?

So what is a U.S. company that is dependent on personal information from the EU supposed to do while this all works itself out? Some such companies are simply transferring data as though the CJEU decision had never been handed down. This can be dangerous, as several data protection authorities[7] are threatening to enforce the law against such exporters, and at least one data protection authority (in Germany) has already begun to do so. Privacy Shield is one option. EU law also permits several other legal bases for export, but in the environment in question most of them confront major impediments. One of these bases is the use of “standard contractual clauses,” that is, one of the three sets of model clauses adopted by the EU for export. These clauses were held adequate by a decision of the Commission, and can be invalidated only by a ruling of the CJEU. Many companies now use such clauses. However, they appear susceptible to invalidation because they suffer from the same perceived deficiencies that condemned Safe Harbor, namely, that they do not protect against U.S. governmental surveillance. Nevertheless, unless and until the CJEU invalidates them, they may suffice to provide a legal basis for export. And perhaps Privacy Shield (or some other Safe Harbor successor) will be operative before then.

Another legal basis that has attracted more attention in the wake of Safe Harbor invalidation is binding corporate rules (BCRs). With the approval of the Data Protection Authority (DPA) in all the affected Member States, these can be promulgated for a family of entities that are part of a single enterprise (e.g., the subsidiaries of a single parent corporation). However, because an enterprise relationship is necessary, BCRs are not generally available. Moreover, they may well fall victim to the same disease that felled Safe Harbor—perceived inappropriate U.S. governmental national security surveillance.

To the extent that a company can incorporate encryption into its data storage and data transmission, this may also enhance the probability that its efforts will pass muster by the EU, especially if the encryption key cannot be made available to the U.S. government. Encryption is often quite cumbersome, and may be expensive, but it can greatly enhance security.


David Bender is an Adjunct Professor at the University of Houston Law Center and Special Counsel, Data Privacy, GTC Law Group. He spent the majority of his career at White & Case, where he founded the IP practice and later headed the global privacy practice. He is a member of the International Technology Law Association (President, 1999–2000). Mr. Bender is the author of Computer Law (LexisNexis) and Bender on Privacy (LexisNexis 2015).


To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Intellectual Property & Technology > Privacy & Data Security > Drafting Privacy Policies > Articles > Key Privacy Considerations


1. Generally, Notice, Choice, Access, Security, Enforcement, Onward Transfer, and Data Integrity.

2. It is not clear how Congress, or U.S. citizens who bother to consider this matter, will view the promise of a taxpayer-funded U.S. federal agency to give priority to complaints of foreigners over those of U.S. citizens.

3. The primary U.S. national security surveillance program that caught the EU’s attention was the PRISM program, whose existence was first disclosed to the public by Edward Snowden in June 2013. Under PRISM, the U.S. National Security Agency (NSA) acquired in the United States the content of international e-mail messages. The CJEU held that this violated the Charter of Fundamental Rights of the EU (the Charter), an instrument that has constitutional status in the EU political structure. In fact, the PRISM collections were never “bulk,” and the CJEU failed to follow the Charter’s mandate to consider the element of proportionality in reaching its conclusion. For a more detailed description of this failing, see David Bender, Export of Personal Data from the EU to the US—Ramifications of the Schrems Decision, 2016 Emerging Issues 7394.

4. This entity is composed of a member from each Member State data protection authority, and a member from the EU Data Protection Supervisor’s office, and is influential in data protection matters.

5. Parliament is the EU’s legislature, comprised of 751 members, each elected in his or her home Member State. It is viewed as the most populist of the organs of EU government.

6. This statute, Pub. L. 114-126, 130 Stat. 282 (Feb. 24, 2016), was enacted in response to the EU’s complaint that EU residents lacked the rights that U.S. citizens had against U.S. government processing of personal data.

7. A data protection authority is the independent governmental agency that the EU requires each Member State to establish for the implementation and enforcement of data protection law.