FW moderates a discussion on the impact of the EU-US Privacy Shield between Dr Jochen Lehmann, a partner at GÖRG, and Stuart D. Levi, a partner at Skadden, Arps, Slate, Meagher & Flom LLP.
FW: Could you provide a brief overview of the new EU-US Privacy Shield legislation based on the information currently available? What do you consider to be the framework’s most challenging components?
Lehmann: Based on the current situation, it is not quite foreseeable what any legislation will look like moving forward, particularly not from the EU point of view. The reason for this situation relates to EU legislation governing the transatlantic data transfer of EU data. The previous programme, which has now been overturned, was the Safe Harbour scheme based on a decision by the European Commission in 2000, following an agreement between the EU and the US. The decision to overturn Safe Harbour was taken last year by the European Court of Justice following a case that originated in a complaint lodged by an Austrian citizen, Max Schrems. The Court used language to criticise the Safe Harbour agreement that was unequivocal, even blunt in parts, particularly regarding the level of data protection available for EU data in the US. Concerning Safe Harbour’s eventual replacement, the EU Commission has therefore been rather careful and has asked the European data protection authorities, the Article 29 Working Party, for its opinion before any further steps are taken. That opinion is still outstanding as the Working Party is taking longer than expected. Several national regulators have voiced their doubts about whether they are going to be satisfied with the Privacy Shield scheme. However, the EU Commission stated that the new framework for transatlantic data transfers will address all the issues raised by the European Court of Justice and not only provide more transparency on the access of European citizens’ data, but will also provide protection against inappropriate access. This should encompass a process whereby European citizens may question the access to their data by government authorities. And the EU Commission shall have means to monitor whether these safeguards are being effective.
Levi: The Privacy Shield consists of framework principles plus official representations and commitments by six US governmental authorities. From a corporate compliance perspective, the Privacy Shield closely tracks the Safe Harbour principles. It also expands on the recourse and enforcement options available to consumers. However, what will likely prove to be the Privacy Shield’s most challenging components are the obligations imposed on US government entities aimed at providing transparency regarding the use of data for national security purposes. This includes effective avenues of recourse for European citizens whose data has been misused and more rigorous enforcement mechanisms.
FW: What have been the key driving factors behind the introduction of the EU-US Privacy Shield? How radical are the differences between the new framework and its predecessor, Safe Harbour?
Levi: The key driving factor behind the introduction of the EU-US Privacy Shield was the October 2015 decision by the Court of Justice of the European Union in Schrems vs. Data Protection Commissioner. In that case, the court invalidated the then-current Safe Harbour framework because it did not adequately protect the interests of data subjects. The court’s decision centred on the ability of the US government to access EU personal data for national security purposes and the lack of recourse available to EU residents who felt their privacy rights had been violated fundamentally. There had also been a growing sentiment among European privacy advocates and European data protection authorities that companies were not abiding by the Safe Harbour and that the Federal Trade Commission was not adequately enforcing its provisions. Given that the primary focus of the Schrems decision was the US government’s access to personal data, it is not surprising that most of the differences between the Privacy Shield and the Safe Harbour relate to the government’s accountability for accessing the personal information of EU residents.
Lehmann: The key driving factors behind the legislative changes have been the European Court’s decision and the initiative of national regulators on the one hand and the EU Commission’s efforts to ensure a transatlantic data transfer on the other. Particularly, the regulators put considerable pressure on the Commission in the wake of the European Court’s decision by threatening to stop any transfer if the EU Commission did not find a way to better protect European citizens against access to their data in line with the findings of the court. Although the EU Commission expressed that its first priority is to safeguard EU citizens’ rights, its press notices and its behaviour in the past makes it much more likely that its aim is to prevent the transatlantic data flow from drying up. Thus, it will be a compromise between these two positions in the end. There are radical differences between the old and the new scheme. The most striking might be the promise by the US to check its clandestine mass surveillance, to afford some kind of redress to EU citizens and to offer some kind of control to the EU. However, it remains to be seen what that means in practice, whether in essence this is some kind of laissez-faire mechanism no one wants to use in the future, or whether something is really going to change.
FW: To what extent have the Snowden revelations influenced the invalidation of Safe Harbour and the introduction of the Privacy Shield?
Lehmann: From the European point of view, the current situation and the necessity of a new framework for transatlantic data transfers mostly hark back to the disclosures made by Edward Snowden. Although there already had been a survey saying that a great number of enterprises registered under the Safe Harbour scheme did neglect their duties after all, the real and final blow to Safe Harbour was delivered by Edward Snowden. From the European Court of Justice’s point of view, there was, based on Snowden’s revelations, no protection of European citizens’ data against access by American investigative authorities such as the FBI, NSA and others. Furthermore, European citizens did not have any opportunity to defend their right to privacy in the US or even get any information about what happened to their data.
Levi: The Snowden revelations put a direct spotlight on the activities of the US government as it relates to bulk access to data. These revelations led to increased focus on issues of trans-border data flow from the EU to the US and specifically the Safe Harbour. Many see the Schrems decision as the culmination of that focus. That said, during the year prior to Schrems there had been growing criticism of the Safe Harbour within the EU, especially among data protection authorities. Whether the Court of Justice of the European Union would have invalidated the Safe Harbour even absent the Snowden revelation will never be known. However, it is fair to say that the European data protection authorities were already heading down that path.
FW: How extensive are the new legislation’s attempts to incorporate limitations, safeguards and oversight mechanisms? In your opinion, do the proposed redress mechanisms go far enough in ensuring satisfactory consumer protection?
Levi: The Privacy Shield goes quite far in incorporating limitations and safeguards. For example, the Department of Commerce (DoC) will appoint a dedicated contact for European data protection authorities who will provide information about the Privacy Shield and receive complaints regarding noncompliance. The US Department of State will establish a new mechanism to facilitate the processing of requests relating to national security access to EU personal data that is transmitted under the Privacy Shield. This mechanism will be administered by a Privacy Shield ombudsperson, who is independent of the US intelligence community and reports directly to the US Secretary of State. The ombudsperson will be responsible for coordinating with other US government authorities, including the Office of the Director of National Intelligence and the Department of Justice, to investigate in order to confirm that any surveillance complies with all applicable laws or, in the event of any noncompliance, to remedy such noncompliance.
Lehmann: Apparently there will only be an exchange of letters at a diplomatic level between the EU Commission and the US, represented by the DoC. This has sparked doubts in Europe regarding whether that could be “binding enough”, given that those US laws which allow for mass surveillance will not be amended. That means that the redress mechanism, although being free of costs, will probably not be satisfactory because the citizen will have to learn about his or her data being accessed first. Without such knowledge, there will be no redress. Since mass surveillance is clandestine by nature, redress will not be much help. This also applies to any order that access must be kept secret, which purportedly is still a possibility.
FW: In your opinion, are there substantial differences between how the EU and the US view data privacy issues? Is there a sense that the new data transfer legislation is based on mutually agreed principles?
Lehmann: The differences are probably huge. In Europe, particularly in former dictatorships like Germany, the prevailing opinion is that fundamental rights are there to protect citizens against their government and to ensure some kind of space that the government may not touch. This also extends to information, as there is a common notion that it is not advisable to give too much information to the government. Thus, data protection ranks very high among those rights EU citizens deem to be important. Even if the government is trying to protect its citizens from harm such as terrorist threats, Europeans want to see that their fundamental rights are still in effect and they are prepared to let some crooks get off the hook before they give up their fundamental rights.
Levi: There are significant differences in how the EU and the US view data privacy, and the Privacy Shield represents an attempt by US and EU officials to bridge these markedly different perceptions. As a historical matter, Europeans are far more concerned about access to their personal data by companies and the government. They view the protection of personal data as a fundamental right. In contrast, US citizens have been more willing to allow companies to use their personal data – within limits – in exchange for access to services or improved services. Until the Snowden revelations, there was also minimal concern about government access to data. These views may be slowly changing. As companies increasingly collect and process big data, US consumers are becoming wary of how their personal information is being used. Similarly, partly as a product of the Snowden revelations, US citizens are at least more aware of government access to their data. Whether this will result in stricter privacy laws in the US remains to be seen.
FW: Could you outline the ongoing role to be played by the Article 29 Working Party, the Department of Commerce (DoC) and the US Federal Trade Commission (FTC) in the implementation of the EU-US Privacy Shield?
Lehmann: The Article 29 Working Party is a group of national regulators established by Art. 29 of the European Data Protection Directive. They work together, regularly publishing several papers – so-called working papers – a year on important questions of data protection and although these papers are in no way legally binding they provide, in fact, general guidelines on the topics dealt with throughout the EU. That working group was a driving force behind the Privacy Shield because they put a lot of pressure on the Commission to find something new after the demise of the Safe Harbour scheme. The Working Party set a deadline for the solution to the question of transatlantic data, and had that deadline not been met the national regulators that are members of the Working Party would have been free to launch a general investigation into the transatlantic data transfer. Currently, the Working Party is reviewing the information received from the EU Commission on the Privacy Shield, but the results have not been published.
Levi: The Working Party will play an even larger role under the Privacy Shield than under the Safe Harbour. Indeed, one of the key holdings of the Schrems court was that data protection commissioners have “complete independence” and are free to challenge the European Commission’s privacy-based decisions. With respect to the specific implementation of the Privacy Shield, one of the recourse mechanisms that US companies can offer EU citizens to investigate unresolved complaints is through a panel of data protection authorities (DPAs). The DoC is responsible for administering the Privacy Shield, including verifying that each self-certifying organisation complies with its obligations. For those organisations that withdraw or fail to comply, the DoC will follow up to ensure they are treating personal data collected under the Privacy Shield appropriately, and are not misrepresenting their participation in the Privacy Shield. The department also is responsible for maintaining a Privacy Shield website directed to EU individuals, EU businesses and US businesses that describes the rights of EU individuals and the recourse mechanisms available to them. Finally, the department will designate a dedicated contact for European DPAs who will provide information about the Privacy Shield and receive complaints regarding noncompliance. We expect that the FTC will play a far greater enforcement role with respect to the Privacy Shield – especially since one of the harshest critiques by the DPAs was that the FTC had fallen short with respect to the Safe Harbour.
FW: What advice would you give to companies in terms of preparing for the introduction of the EU-US Privacy Shield, and for the time until the Privacy Shield has been fully realised? What is the scope of penalties for non-compliance?
Lehmann: For European enterprises the most important thing should be preparing for failure of the Privacy Shield or at least for a failure of the first attempt. Since Safe Harbour is dead and so-called binding corporate rules will find favour with the regulators, the only way would be the standard contractual clauses by the EU; however, some regulators have stated that enterprises should be quick about it. As to the potential implementation of the Privacy Shield, I do not see anything to be done because the impression left by the last press release from the Commission was that it is the US – both government authorities and private enterprises – that would have to implement the Privacy Shield, such as by establishing the promised means of redress or cutting down on surveillance.
Levi: In the short term, companies that transfer personal data from the EU to the US are clearly in uncharted territory. While many had expected that European DPAs would not bring any enforcement actions under the Safe Harbour until the Privacy Shield was fully enacted, certain German DPAs do not seem to be taking this position and have recently brought enforcement actions against companies relying on the Safe Harbour. Companies based in Germany may therefore want to carefully consider their other options. That said, the German DPAs have also indicated that the ‘model contracts’, which is the best available option to most companies, may also be invalid based on the same logic that the Schrems court used. Companies outside of Germany that have relied on the Safe Harbour will likely want to stay the course, especially if moving to a model contract regime is not realistic. However, they will want to monitor closely the enforcement activities of the DPAs until the Privacy Shield is enacted. The Privacy Shield does not set forth specific penalties for noncompliance, and given the dearth of Safe Harbour enforcement actions to date, it is hard to estimate what the fines will be. However, given that one of the key criticisms of the Safe Harbour was a lack of meaningful enforcement, it is quite possible that the noncompliance fines will be meaningful.
FW: How do you envisage the EU-US Privacy Shield implementation process unfolding over the coming months and years? In general, do you expect to see a smooth roll-out?
Levi: I think that the key challenges will come as the Privacy Shield winds its way through the various European bodies on its way toward possible ratification. As we saw at a 17 March hearing of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, many are questioning whether the Privacy Shield adequately addresses the concerns raised by the Schrems court and by EU privacy advocates. It is quite possible that even if the Privacy Shield is ratified, individuals will promptly bring claims challenging its validity in the European court or directly to DPAs. The roll-out therefore might not be that smooth. Ironically, for all the changes introduced by the Privacy Shield, the roll-out for the private sector – especially for companies that already self-certify to the Safe Harbour – will likely not be that complicated. While companies will need to introduce certain redress options, their baseline use and handling of data, if they were in compliance with the Safe Harbour, will not need to change.
Lehmann: The first step would be to convince the Article 29 Working Party that the current scheme offers enough protection for EU citizens, which may not be that easy. I am not sure whether the Working Party will demand some improvements or more legally binding steps. However, even if that is achieved, the new scheme will be under scrutiny from a lot of people and institutions alerted by the Snowden revelations and the Schrems case. As a consequence, I expect that those who are suspicious of any transatlantic data transfer will seek any chance to question the new scheme and will try anything to put the new scheme before the European Court of Justice. Only if the European Court of Justice upholds the new scheme may one expect to see a smooth running of transatlantic data flows.
Dr Jochen Lehmann has been a partner at GÖRG since 2007 and specialises in IT matters with a particular focus on data protection and data security. He has built up his expertise in that particular field of law since he started working for GÖRG about 15 years ago. Dr Lehmann is a regular speaker on the subject of data secrecy and data protection in various contexts, such as data secrecy and directors’ liability or data secrecy and insurance. He is also a member of GÖRG’s IT group, which is led by four partners including himself, as well as the firm’s internal IT advisory board. He can be contacted on +49 221 3366 0244 or by email: jlehmann@goerg.de.
Stuart D. Levi is co-head of Skadden’s Intellectual Property and Technology Group, and coordinates the firm’s outsourcing and privacy practices. He has a broad and diverse practice that includes outsourcing transactions, technology and intellectual property licensing, privacy and cyber security advice, branding and distribution agreements, cloud computing agreements, technology transfers, strategic alliances and joint ventures. Mr Levi also counsels clients on a variety of issues, including website and technology policies, intellectual property matters and legislative compliance. He can be contacted on +1 (212) 735 2750 or by email: stuart.levi@skadden.com.
© Financier Worldwide