Much of the world economy has become reliant on the quick and safe transfer of data. Transferred data includes everything from an online employee directory to individual social media profiles to billing and payment information. Every day, companies in the United States send and receive the personal data of millions of European Union citizens. Various international agreements and legal instruments have been used in the past to protect personal data and to ensure it is securely handled. The Safe Harbor Agreement (“Safe Harbor”) between the US and the EU was one of these pieces of regulation, and the EU-US Privacy Shield (“Privacy Shield”) has been proposed to replace Safe Harbor.
The Outgoing Safe Harbor
In 2009, the European Commission (“EC”) enacted the Directive on Data Protection (the “Directive”). This Directive established standards that non-EU countries had to meet before they would be permitted to transfer personal data on EU citizens. In order to comply with these standards, the US and the EC developed the Safe Harbor framework. This framework was designed to help US organizations join the Safe Harbor program and make them eligible to transfer personal data of EU citizens.
Under Safe Harbor, only US organizations regulated by the FTC, or certain organizations under the jurisdiction of the DOT, were eligible to participate in the program. According to Export.gov, organizations such as financial institutions, telecommunication carriers, labor associations, and non-profits, among others, were not subject to FTC or DOT jurisdiction and were therefore ineligible to participate in Safe Harbor. Since 2009, over 4,400 US organizations have transferred personal data from the EU to the US.
In October 2015, Safe Harbor was essentially invalidated by the Court of Justice of the European Union (“CJEU”), which questioned whether the EC had thoroughly appraised the United States’ level of protection of the private data of EU citizens. These concerns gained traction in the wake of Edward Snowden’s revelations about US government agencies. Essentially, the CJEU was concerned that US government agencies may be requesting data that, if provided, would place US organizations in violation of major components of Safe Harbor.
The Incoming Privacy Shield
Following the decision from the CJEU, the US Department of Commerce and the EC negotiated a successor to Safe Harbor. The Privacy Shield, Safe Harbor’s replacement, includes stronger obligations on companies processing data of EU citizens, new safeguards and transparency obligations for US government agencies, as well as a redesigned system to process complaints. The new agreement was designed to be more durable and to echo both the US’ and the EU’s privacy and security values. At this point, Privacy Shield is designed to cover the same businesses that Safe Harbor covered: businesses and organizations regulated by the FTC and the DOT.
Implications for US Organizations
While there may be wide-ranging implications for US organizations, especially cloud-based computing companies, in the way they conduct business, interact with EU citizens, and structure privacy agreements, there is significant speculation as to whether or not the proposed Privacy Shield agreement will ultimately pass the same assessment that shot down the Safe Harbor agreement.
First, a significant portion of the agreement must still be drafted before the agreement is even presented to the European Parliament and EU countries for approval. The drafting process is not expected to be finished until April 2016 at the earliest. In the interim, companies should continue to comply with the outgoing Safe Harbor regulations until the Privacy Shield agreement goes into effect, if it does.
According to the Information Technology and Innovation Foundation (“ITIF”), companies should fully and carefully evaluate the new regulations of Privacy Shield before self-certifying. ITIF stated that “onward transfers” are one of many items that the Privacy Shield will protect and enforce more strictly. An onward transfer involves exporting data from the EU to the US, where it is then passed on to a third party. This third party, who may not even be certified under the Privacy Shield program (or even Safe Harbor), will likely be required to provide assurances that the data will be protected once delivered to them. As under Safe Harbor, though, it is anticipated that US businesses will still be able to self-certify under Privacy Shield.
Additionally, there is reason to believe that US organizations and businesses will be permitted a reasonable amount of time to transition and gain the required certification. It is unlikely that normal business operations will be impacted or halted simply to gain approval. However, it is recommended that once Privacy Shield is enacted, businesses begin any required transitions and approval processes as soon as possible.
Ultimately, experts have a few recommendations for American organizations and businesses. In the interim, organizations should continue to abide by any agreements made under Safe Harbor and continue to follow Safe Harbor protocols. Experts also recommend that businesses stay in close contact with their lawyers to ensure they update agreements, protocols, and procedures as details about Privacy Shield become public. Finally, businesses should remember that Privacy Shield has not been, and ultimately may never be, signed into effect, and should therefore plan for any delays, interruptions, or other business events that could arise if the Privacy Shield fails to clear a necessary hurdle.
Skepticism Regarding the Future of Privacy Shield
There is speculation as to whether the Privacy Shield will pass the required approvals and be enacted. The Privacy Shield faces a very long and complex approval process which includes securing approval from EU governmental agencies, quasi-governmental agencies, the EU, as well as the EU member countries.
The most significant concern, however, may be whom the new regulations impact. The CJEU’s conclusion regarding Safe Harbor seemed to indicate shortcomings relating to the US government and data requests made by the US government to private sector organizations. However, many of the proposed requirements under the Privacy Shield impact only the private sector and do not address the CJEU’s concerns about how the US government potentially endangered the security of EU citizens’ data under Safe Harbor. This lack of change could ultimately lead the CJEU to arrive at the same conclusion for Privacy Shield as it did for Safe Harbor.