International Business and Technology Blog

Data Harbors become Shields

Posted by John Worthington on Thu, Feb 18, 2016

Privacy Shield is the reassuringly protective and secure-sounding title given to the new US-EU deal (February 2016) on transatlantic data flows. Essentially, the concern is one way: that of European Union (EU) data flows to the United States (US). The previous agreement, seductively entitled Safe Harbor, proved to be anything but safe for EU data and was finally struck down by the European Court of Justice (ECJ) in October 2015. Safe Harbor has been described as “a way for US businesses to transfer EU citizens’ personal data to the US even though American data protection laws are not up to the European standard”. In retrospect, it seems amazing it lasted so long.

A little background. Safe Harbor was the name of the agreement forged in 2000 between the EU and US by which data could be exported from the EU to the US in compliance with the EU Directive on Data Protection. Safe Harbor stipulated that a US company transferring and using EU data had to comply with seven principles (notice, choice, consent to onward transfer, security, integrity, access, and enforcement) and could self-certify its compliance with the US Department of Commerce. Since then, approximately 5,000 US companies, including top tech giants such as Apple, Google and Facebook, signed up and transferred whatever data they wished from the EU to the US. All went swimmingly well as EU to US data transfer grew year by year. Then two things happened to sink this seemingly acquiescent EU to US data security and protection understanding, starting with some leaks.

Firstly, Edward Snowden’s leaked confidential files revealed the extent of data transfer, upsetting for everyone, including EU political leaders. At the very least this set a supportive level of EU public and private opinion for what happened next. Max Schrems, an Austrian law student (still at 28 years old?), started Europe versus Facebook back in 2011 to ask the all-important question “Are EU Data Protection Laws enforceable in Practice?”. Max began this data security journey in California while studying there, as he understood the US attitude to be: “Europeans are cute with their privacy laws, but you can do pretty much whatever you want and nothing is going to happen”. Back in Europe, he set in motion his “right to access” legal process. His website goes on to explain: “We unintentionally landed in the middle of a big experiment after filing 22 complaints against Facebook in Ireland, because of breaches of the most basic privacy rules. We happened to look at Facebook for a number of reasons, but the results are very likely exemplary for a whole industry”. Max took his case to Ireland, which refused to act, citing Safe Harbor, and then all the way to the ECJ, where he won his case in October 2015. The ECJ found that “… national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. The United States safe harbour scheme thus enables interference, by United States public authorities, with the fundamental rights of persons.” Edward Snowden did not lose the opportunity to tweet: “Congratulations, Max Schrems. You’ve changed the world for the better”.

Thousands of US companies could no longer “legally” transfer all that EU data to the US. The European Data Protection Authorities (and, guess what, there are 28 of them, one for each EU country) had to act to stop the EU to US data transfer process, notably the Irish, where many US titans (including Facebook) had chosen to headquarter themselves in the EU for both fiscal and data management related reasons. Equally, the EU Commission and its US counterparts had to act, but they had to find and implement “Plan B” as rapidly as possible, to resurrect “a way for US businesses to transfer EU citizens’ personal data to the US.” Hard at work and rushing to secure the new agreement were the experienced hands of the EU Commission and the US Administration, indeed many of those responsible for Safe Harbor, and they (re)-produced Privacy Shield.

On February 2nd, 2016 the EU justice commissioner Věra Jourová stated: "For the first time ever, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms." I do not know why, but I had assumed that EU citizens had that “protection” before; evidently not. And do we really have that now? Jourová helps a little by elaborating further: “Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments." Andrus Ansip, EU VP for the Digital Single Market, went into the weeds on the subject: “Our people can be sure that their personal data is fully protected” and “We have a duty to check and we will closely monitor the new arrangement to make sure it keeps delivering. Today's decision helps us build a Digital Single Market in the EU, a trusted and dynamic online environment; it further strengthens our close partnership with the US. We will work now to put it in place as soon as possible." And that means the country-level DPAs, who, in the eventuality of a dispute (and many are expected), will hand it off to the ECJ, again!

On the US side, Secretary of Commerce Penny Pritzker shared her view: “This historic agreement is a major achievement for privacy and for businesses on both sides of the Atlantic. It provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online. Beyond being essential to transatlantic commerce, the EU-U.S Privacy Shield also underscores the strength of the U.S.-EU relationship. It demonstrates our commitment to working together as leaders in the global economy, promoting our shared values, and bridging our differences where they exist”. Now, on the issue of implementation, the Judicial Redress Act has made its way, with unanimous consent, through Congress and on to the desk of President Obama, whose signature is expected shortly. The Act will give foreign citizens (in this case EU citizens under Privacy Shield) the same judicial redress recourse as Americans with regard to the misuse of personal information by federal agencies. Well, almost. As ever, the devil is in the detail, and the US Attorney General is given discretion when dealing with non-US citizens. We now have to await the US Executive designation detailing the applicability with regard to both countries and agencies. So it is not over yet.

One of the singular beneficiaries of this situation has been those practicing the legal arts, who found themselves awash with requests and flooded by questions on both sides of the Atlantic and beyond, demanding to know what was happening and what to do. That rapidly turned into thousands of billable hours. The EU-US data divide began many years ago, but most recently it culminated in 15 years of Safe Harbor, the 3 months of interregnum and now Privacy Shield. Amongst the many international practices providing legal solutions, I found a particularly focused organisation called Privacy Europe; their straightforward but effective website proffers links to many data protection expert lawyers (EU and non-EU) and “..professional advice on data protection questions. The Privacy Europe network provides you with legal advice on both the general legal framework as well as each country's legislation”.

Growing at 15% per annum, the multi-trillion USD/Euro transatlantic digital economy, employing hundreds of thousands of US and EU citizens, is so valuable and has so much potential for both parties that you can be sure this is not the end of the EU-US data story. We are perhaps at just the beginning of the Harbor and Shield protective armoury.
