How Safe Behind the Privacy Shield?

The announcement of the change from Safe Harbor to Privacy Shield was swift, but its passage has been rocky. Wendy M Grossman looks at the story so far.

The October 2015 European Court of Justice (CJEU) decision invalidating Safe Harbor, the workaround agreement under which companies were allowed to transfer EU citizens' personal data to the US, which lacks comparable data protection laws, opened the way for months of uncertainty.

The result was a scramble to establish a new framework by the court's deadline: 2 February 2016. The European Commission seemed happy with the new arrangement, the EU-US Privacy Shield, but in mid-April the Article 29 Working Party, the pan-European group of data regulators, disagreed. The group praised Privacy Shield's improvements, but felt the agreement lacked overall clarity, did not protect onward transfers to third countries, and did not protect against wholly automated data-based decisions. It also felt that the proposed US ombudsman was insufficiently independent and that the US Judicial Redress Act would not be workable for most EU citizens (see box).

Finally, and most importantly, the group complained that Privacy Shield leaves open the possibility of unacceptably massive and indiscriminate bulk data collection – exactly the reason Safe Harbor was invalidated in the first place. The question for businesses, now facing months of uncertainty, is: what do we do now?

Jörg Hladjk, a specialist in data protection law with Jones Day, gives a simple answer: businesses must find another legal basis for data transfers.

In his experience, "Most companies have opted for implementing EU data transfer agreements." These are of two basic types: 1) intergroup agreements between European subsidiaries and their ultimate US headquarters that are based on model contracts that have been approved by the European Commission; 2) agreements using model text between EU entities and US-based suppliers such as IBM, Amazon cloud services, or Salesforce.

"The data protection authorities have said that if Safe Harbor is not in force any more, the same is true of the model contracts," he says. This is because there's been no change to the cause of Safe Harbor's failure – access by the NSA and US law enforcement.

However, given that companies have to do something, as long as these contracts haven't been specifically ruled invalid they are being used as an interim solution. Changing business practices to avoid transferring data to the US is not an option for most companies, he says: "I don't know of any company that can easily say no, we don't need to do it."

"The old Safe Harbor was kind of a free pass for US companies, with very low overhead to avoid all of this complexity," says Willy Leichter, vice-president of marketing for the San Jose-based company Ciphercloud. "It was not well enforced, taken advantage of, out of date... it ended abruptly in October but there were already a lot of people complaining."

He adds, "Many US companies were claiming Safe Harbor, but it was so loose that it was hard to tell whether they really had it or what it meant."

Leichter describes himself as "slightly skeptical" about whether the beefed-up European regulations will hold up against the realities of the internet: "I will say that the internet will eventually win because people will use it anyway, but there are a lot of tugs of war around Facebook, cookies, and the breadth of the new data protection requirements."

Nonetheless, he says there will have to be compromise: both US companies and European regulators will have to find some grounds for agreement because neither the issues nor the usage will stop.

Longer-term, it's not clear what those grounds might be. To go back to the beginning, the prohibition on transferring personal data to countries lacking similar legal protections is a key element of data protection law. The most important such country is, of course, the United States, and in 1998, when data protection laws were first coming into force, Simon Davies, then director of Privacy International, predicted a trade war if the US couldn't understand that data protection was now as fundamental a human right in the EU as freedom of speech is in the US.

Nonetheless, in 2000, the US and the European Commission appeared to find a solution in Safe Harbor, an arrangement under which US companies could self-certify that their internal practices complied with the seven data protection principles. The following years saw the unimpeded expansion into Europe of companies like Google (founded 1998), Facebook (2004), and Twitter (2006).

Then, in 2013, Edward Snowden's revelations proved that US authorities had ready access to EU citizens' data. Based on that new evidence, the Austrian law student Max Schrems brought a case against Facebook's European subsidiary in Ireland; the CJEU's ruling in Schrems' favor invalidated Safe Harbor.

Leading privacy lawyer Lokke Moerel, a member of the Dutch Cyber Security Council, the advisory body of the Dutch cabinet on cybersecurity, and professor of global ICT law at Tilburg University, sums up the key difference in how the EU and US view privacy this way: the US takes a harm-based consumer protection approach; the EU takes a rights-based approach.

In other words, EU citizens have the right to expect their data to be secured, while the US has no such general obligation except in specific sectors such as health and finance. Under the harm-based approach, companies must notify individuals when their data are compromised. Though the EU requirements seem more comprehensive, Moerel says, the US notification requirements have proven the stronger driver to improve data security.

Moerel sees the arrival in the EU of data breach notification laws as part of the General Data Protection Regulation, passed in mid-April 2016, as a turning point. "For the first time we are seeing data protection regulation implementing this harm-based approach, of breach notification," she says.

Moerel believes that the Privacy Shield requirements are sufficiently onerous that they may not be attractive to businesses. For one thing, she says, Privacy Shield's beefed-up reporting and disclosure obligations place both companies and independent dispute resolution bodies under the continuous scrutiny of third parties, which must report lack of compliance with their rulings to the relevant regulator or courts and the US Department of Commerce.

"Some of the requirements are now even more onerous than the requirements under European law and even the upcoming General Data Protection Regulation, such as the mandatory information requirements," she says. "Now the agreement on the Shield is taking so long to materialize, companies have to implement alternative transfer instruments in the interim, such as Standard Contractual Clauses (SCC) or Binding Corporate Rules. However, once these alternatives are in place, the incentive to yet certify under the Shield is no longer attractive because it's a costly step up."

Moerel notes that since the Safe Harbor decision, she's seen US cloud providers change tack, beginning to offer services they formerly found too difficult, such as European clouds and encryption where the key stays with the customer rather than the supplier. However, she argues, it's essential that the EU and US quickly reach closure on Privacy Shield. "Some European regulators seem to think we can do without US cloud suppliers," she says, "but the big European-based multinationals – pharmaceutical companies, banks – this situation also hits them with not being able to transfer data throughout their group of companies, which they do as a matter of course. If they can't comply they are in a total fix."

Box Out: Judicial Redress Act

The lack of redress for EU citizens in the US when their privacy rights have been violated was a particular thorn in the CJEU Safe Harbor ruling. In February 2016, to facilitate Privacy Shield, the Obama administration oversaw the passage of the Judicial Redress Act, intended to remedy that situation.

Not everyone is convinced. EU Commissioner for Justice Vera Jourová has called it "a historic achievement [that] will ensure that all EU citizens have the right to enforce data protection rights in US courts". However, as the Article 29 Working Party points out, few EU citizens have the resources or ability to bring a legal case in the US.

The travel data privacy expert Edward Hasbrouck has been particularly scathing, calling the Act "worthless" because the rights granted to non-US citizens are bound by the limitations and exceptions of the 1974 US Privacy Act, which creates exemptions for almost all federal agencies. Hasbrouck also notes that the Judicial Redress Act applies solely to data transferred to federal agencies (or components thereof) for "preventing, investigating, detecting, or prosecuting criminal offenses" and ignores transfers via third countries. Similarly, the privacy scholar Robert Gellman has called the Act "little more than a gesture".

Box Out: Microsoft Ireland

The ongoing Microsoft Corporation v. United States of America may set an important precedent. In December 2013, a New York district judge ordered Microsoft to turn over to the US Department of Justice emails and data associated with an account hosted by Microsoft and belonging to an individual suspected of drug trafficking. Microsoft demurred; it turned over the account information hosted on its US servers but objected to turning over the email data stored in Ireland on the basis that a US search warrant had no authority there.

In May 2014, a federal magistrate judge upheld the original judge's order, and Microsoft appealed. Organizations such as the Electronic Frontier Foundation, the Center for Democracy and Technology, the Brennan Center for Justice, and the American Civil Liberties Union have filed supporting briefs, as have many technology and telecommunications companies and the country of Ireland.

The case is significant because it is fundamentally about jurisdiction and sovereignty. Which should take precedence: the nationality of the server's ultimate owner or the laws of the country where it is located? Do the requirements of US law enforcement pre-empt the fundamental privacy rights of Irish citizens? Is the US willing to grant similar authority to law enforcement in other nations seeking access to data on US servers? The UK has already claimed extraterritorial jurisdiction, in the 2014 Data Retention and Investigatory Powers Act.

The Department of Justice – and the British Home Office – argues that a loss could create data havens for criminals that would seriously impede its ability to investigate and catch them. Opponents generally argue that if the government in question has sufficient cause, it should approach the relevant national government for access; proponents argue that this process is too slow and time-consuming. A loss by Microsoft could pave the way for every country to claim jurisdiction over every server that contains any data relating to its citizens.

What’s hot on Infosecurity Magazine?