Privacy Shield rejected, GDPR accepted
July 2016 | SPOTLIGHT | RISK MANAGEMENT
Financier Worldwide Magazine
On 13 April 2016, the European Union Article 29 working group issued an opinion on the proposed EU-US Privacy Shield arrangement, stating that although the Privacy Shield was a “great step forward”, it was still unacceptable because it still permitted the US to carry out mass and indiscriminate surveillance of European Union citizens. The Privacy Shield then went to the Article 31 Committee, a committee comprised of representatives from each of the member states and a representative from the European Commission. But on 20 May 2016, the Article 31 Committee was unable to come to any definitive conclusion regarding the endorsement of the Privacy Shield, and instead stated that it needed additional time to understand the Shield’s implications. However, at the same time, the European Parliament provided final approval for the new EU General Data Protection Regulation (GDPR) after four years of work between the European member states.
While many US organisations will be disappointed to learn of the Article 29 Working Group’s rejection of Privacy Shield by finding that the Shield still fails to provide a sufficient level of protection to EU residents, it should not come as a surprise. The Article 29 group continued to raise concerns over the possibility of “massive and indiscriminate” bulk collection by US authorities of EU personal data. In addition, the Article 29 group raised other concerns as well, tipping their hat to the concern that unless these issues are addressed, a similar challenge could be brought against the Privacy Shield as was brought against Safe Harbour in the European Court of Justice, thus invalidating Privacy Shield. Given the issues the Article 29 group raised, it should also not be surprising that the Article 31 group could not ratify the Privacy Shield, instead claiming that further review is required, presumably due to ongoing negotiations between the US Department of Commerce and the EU Commission and further oral explanations made by each of these organisations.
Impact to businesses
The rejection by the Article 29 Working Group and the refusal to give an affirmative nod from the Article 31 Committee puts the US Department of Commerce and the EU Commission, which jointly proposed the Privacy Shield after almost two years of negotiations, in a difficult situation. The decision leaves US organisations with significant uncertainty on how to continue to provide services to EU residents and puts these organisations at risk of further enforcement actions by European Data Protection Authorities. However, the Privacy Shield was not necessarily an easy solution for many organisations and organisations that would have (or will) joined Privacy Shield may open themselves up to attacks by the public, and ultimately Privacy Shield may be invalidated by the European Court of Justice for similar reasons as its invalidation of Safe Harbour if it wasn’t modified to address the Article 29 Working Group’s concerns. While Privacy Shield, if and when adopted, would be one of the permissible methods to transfer personal data between the US and the EU, the decision to join is one that every US organisation should not take lightly, especially as there are other methods of transatlantic data transfers, such as the EU Standard Contractual Clauses and Binding Corporate Rules. Although these are both more complex compared to Privacy Shield, their relative certainty may be the best option for transatlantic data flow at this time. However, the adequacy of each of these methods are also expected to be reviewed by the working group following the final version of Privacy Shield by the European Commission. Furthermore, companies will almost certainly need to repeat some of their efforts to put these methods in place to comply with the upcoming GDPR.
Although the GDPR is intended to harmonise data protection in all 28 member states of the EU, there are certain provisions of the new regulation left to local laws (for example, in the area of processing health information and the age of consent), which will lead to continued complexity for compliance by international companies. Although organisations will not be required to be fully compliant with GDPR for two years, organisations will need to become familiar with the provisions of GDPR, and begin planning for implementation now, because violations of the GDPR may result in stiff penalties up to 4 percent of the organisation’s worldwide revenue or €20m, whichever is greater.
Things businesses should start doing today to prepare for GDPR and Privacy Shield
The GDPR will apply to almost all businesses that monitor or process the personal data of European citizens, without any regard to the physical location of the processor or controller. Although the penalties for non-compliance with the GDPR will not be enforced until 25 May 2018, businesses that collect or process the personal data of EU citizens have a lot of work to do to be ready. Likewise, although Privacy Shield has encountered some roadblocks to its adoption, it seems likely that it will be adopted in some form and companies who consider adopting Privacy Shield have some preparation to do before they can adopt it.
We recommend that companies consider the following to prepare for GDPR and Privacy Shield: (i) perform a gap assessment between your organisation’s current security and privacy practices against the requirements of GDPR; (ii) begin drafting or revising your written information security policies to meet the requirements of GDPR, including procedures ensure continual monitoring for compliance; (iii) perform a data inventory and put processes in place to conduct privacy impact assessments if necessary; (iv) maintain detailed records of the processing performed on personal data; (v) consider how your organisation will comply with the principles of privacy by design; (vi) review and update privacy policies to ensure they meet the new obligations, including transparency of how data will be collected and processed, and how individuals can have their complaints addressed; (vii) review and revise your methods of obtaining consent from data subjects to ensure that specific, informed, unambiguous opt-in consent is provided before data processing; (viii) review your ability to comply with data subjects’ right to be forgotten and new data portability rights; (ix) review your cyber-incident response plans and update if necessary to be able to implement notification to supervisory authorities within 72 hours of a breach; (x) if you are using binding corporate rules or standard contractual clauses (SCCs) for transatlantic data flows, these should be reviewed for compliance with the new requirements of GDPR; (xi) begin to search for qualified data protection officers (DPO); and (xii) review insurance policies for scope and limits of coverage.
Companies should be aware that GDPR shifts the issue of privacy and personal data protection even further from an IT issue to a board of directors and C-suite issue. GDPR will have a tremendous impact on the day-to-day operations, costs, and potential liabilities of the company that demands board level attention.
Details of the Article 29 Working Group and Article 31 Committee decisions
In the highly-anticipated press conference on 13 April 2016, chairwoman Falque-Pierrotin indicated that while Privacy Shield was a “major improvement” compared to the now-invalidated Safe Harbour framework, the Article 29 Working Group believed there was still work to do and urged the EU Commission to resolve the concerns. The announcement described a number of issues with the Privacy Shield proposal, including: (i) the documents and annexes provided by the US government were “rather complex” and not always consistent, making it difficult for the Article 29 Working Group to understand the proposal as a whole; (ii) the purpose limitation was not clear and may have permitted reuse of personal information for a large amount of purposes and transfers; (iii) there is no express discussion of what the permissible scope of data retention is and therefore it remains unclear what an organisation’s obligations regarding data retention and destruction obligations are; (iv) the proposal offered too many avenues for individual recourse that are too difficult for end users to navigate; (v) because Privacy Shield is built on the old Data Protection Directive, there needs to be some capability of adjusting the framework for the new General Data Protection Directive; (vi) the six exceptions for bulk surveillance (including an undefined “counter terrorism” purpose) provide too much of a possibility for massive, indiscriminate surveillance; and (vii) the independence and authority for enforcement of the new ombudsman is questionable.
In describing the new role of an ombudsman, chairwoman Falque-Pierrotin expressed the concerns that, while the creation of this new role is a major step forward, there are still concerns that the ombudsman may not be a truly independent authority with the effective powers to enforce the Privacy Shield. The ombudsman, as currently proposed, would be appointed by, and would report to, the US Secretary of State. On 30 May 2016, the European Data Protection Supervisor (EDPS) suggested that it shared many of the same concerns as the Article 29 Working Group. In its published Opinion, EDPS stated that Privacy Shield “does not adequately include all appropriate safeguards to protect the EU rights of the individual to privacy and data protection” as well as with respect to “judicial redress”.
The Article 31 Committee provided little guidance as to what their specific concerns were, but instead simply indicated that they required additional time to review the implications of the Privacy Shield. Statements from the European Commission suggest that it has been updating the Article 31 Committee on the ongoing discussions between the US Department of Commerce and the European Commission to address the Article 29 Working Group’s concerns and are making progress toward resolution.
Next steps for Privacy Shield
While the decision calls the future of Privacy Shield into question, it does not necessarily mean its end. The Article 29 Working Group’s opinion and that of EDPS are only advisory in nature, and the Article 31 Committee still has not arrived at a definitive decision. Notwithstanding, the opinions of the Article 29 Working Party and EDPS would carry significant weight should Privacy Shield be challenged in the European Court of Justice. Article 31 Committee is expected to hold additional meetings in throughout June, with a decision potentially in June or July.
Given the Article 31 Committee’s need to further understand the implications of the Privacy Shield, it is likely that the EU Commission and US Department of Commerce will (and likely have) resume talks to further work Privacy Shield and address the Article 29 group’s and the Article 31 committee’s concerns. Although the Article 29 Working Group’s recommendation is purely advisory, the Privacy Shield must pass the Article 31 Committee by a qualified majority of 16 Member States before it may move forward. But even assuming the Article 31 Committee approves it without changes, it is unclear whether the Commission would implement the Privacy Shield despite a rejection by the Article 29 group. During a debate on the finalisation of GDPR on 13 April EU justice commissioner Vera Jourova, who has been deeply involved in the negotiation of Privacy Shield, indicated that the Commission will “study the opinion and address concerns in the final decision”.
It seems more likely that a new revision of the Privacy Shield will be proposed before it is allowed to be presented to the European Commission, and press releases on both sides of the Atlantic suggest that additional negotiations have already begun. A decision to adopt Privacy Shield without fully addressing the most important concerns of the Article 29 Working Group is almost certain to meet with legal challenges in front of the Court of Justice of the European Union, the same court that invalidated Safe Harbour over similar fears about mass surveillance in the US by the NSA. Following the rejection by the Article 29 Working Group, chairwoman Falque-Pierrotin indicated that such a recourse to the CJEU “is always an option”. This potential, which would lead to even greater uncertainty for both European and US companies, may put significant pressure on both the European Commission and the US Department of Commerce to address the issues in writing prior to the European Commission final decision. However, it may take an act of the US Congress to sufficiently address the concerns to address a legal challenge.
Regardless of what happens with Privacy Shield, if implemented in its current draft, it would only be a short-term solution given that it is based upon the old Data Protection Directive and is not fully compliant with GDPR, which will be in-force in May 2018.
Next steps for GDPR
The GDPR was published in the EU Official Journal on 4 May and was officially considered in-force 20 days following the publication. There will be a two-year implementation period following the in-force date, which will require that organisations be fully compliant starting on 25 May 2018.
Aaron K. Tantleff is a partner and Steven M. Millendorf is an associate at Foley & Larder LLP. Mr Tantleff can be contacted on +1 (312) 832 4367 or by email: email@example.com. Mr Millendorf can be contacted on +1 (858) 847 6737 or by email: firstname.lastname@example.org.
© Financier Worldwide
Aaron K. Tantleff and Steven M. Millendorf
Foley & Larder LLP