2016 Spring Update On U.S.-EU Privacy Shield Program

Although it has been almost five months now since the United States-European Union Safe Harbor program was held invalid by a European Court, no clear solution is in immediate sight. Although a new "Privacy Shield" program was announced, whether the provisions as currently "agreed" will survive European ratification remains to be seen.

Nonetheless, it is important for U.S. organizations to keep the recent changes in EU data privacy law in mind as they plan their organizational data practices. Because the EU is one of the U.S.' largest trade partners, European data protection laws are likely to push U.S. laws in a similar direction, especially as EU members push for more from the U.S. on the Privacy Shield program.

Countries in Asia, particularly members of the Asia-Pacific Economic Cooperation (APEC), have also continued to push for broader inter-operability rules. Multi-national corporations based in the U.S. should also closely watch such developments, to make sure that their protocols for trans-Pacific and trans-Atlantic data transfers will be forward-compatible.

  1. The "Privacy Shield" For Transatlantic Data Protection Framework

    In light of the Snowden revelations, an Austrian privacy activist named Max Schrems brought suit against Facebook for its alleged transfer of personal data to the United States' National Security Agency (NSA), as part of NSA's PRISM program. Schrems' "Europe v. Facebook" group filed suit against Facebook in Ireland with the Irish Data Protection Commissioner. On June 18, 2014, the suit before the Irish High Court was referred to the Court of Justice of the European Union (CJEU). The central question of the referral was the legitimacy of the European Union's granting of the "Safe Harbor" status to the United States when it came to the transfer of personal information.

    On September 23, 2015, the CJEU found that with respect to the powers of national supervisory authorities, the European Commission may adopt a decision that a third country ensures an adequate level of protection that is binding on all member states and their organs, including national supervisory authorities. 1 However, a European Commission determination, such as the Commission Decision 5000/250 that first found the Safe Harbor "adequate," does not prevent a national supervisory authority from examining claims lodged by individuals concerning the processing of their personally identifiable information (PII). In fact, "[w]hile the Advocate General (of the CJEU) acknowledges that the national supervisory authorities are legally bound by the Commission decision (on the Safe Harbor)...such a binding effect cannot require complaints to be rejected summarily." 2 Thus, the CJEU found that the Safe Harbor program was inadequate insofar as it allowed for government interference with individual privacy rights, it failed to give individuals whose rights were violated a means of redress, and it prevented national supervisory authorities from exercising their powers on behalf of their citizens. 3

    Although the European Union said it had reached an agreement in principle with the United States on a revised Safe Harbor program for trans-Atlantic data flow by the end of January 2016 – deemed the "Privacy Shield" program – debates on the details continue to the date of this publication. Organizations and scholars were quick to notice that Schrems also put into question mechanisms such as Binding Corporate Rules (BCRs) and standard contractual clauses (SCCs). 4 The national supervisory authorities know this as well. The national supervisory authority of France announced that Facebook would have only three months to fix its various data transfer issues, 5 while the authority in Hamburg, Germany announced that it will soon be ready to hand down fines against three unnamed companies for relying on the Safe Harbor. 6

    The FTC, White House, and Congress are all apparently working hard to negotiate not only the Privacy Shield program details, but also other assurances that need to be in place. For example, on February 24, 2016, President Obama signed into law what was previously named the "Judicial Redress Act," in an effort to give EU citizens the right to sue the U.S. government for alleged privacy violations. 7

    On February 29, the FTC announced more tentative details of the Privacy Shield program, subject to a determination of adequacy from the EU prior to...
