Companies that thought the new U.S.-EU “Privacy Shield” would restore legal certainty around trans-Atlantic data transfers may want to think again.
In Brussels in mid-April, a committee of Europe's data-protection regulators known as the Article 29 Working Party lambasted the draft privacy framework as failing to uphold key elements of EU law and to sufficiently limit U.S. collection of EU citizens' data.
It's just the latest development that may encourage lawyers to advise clients to use alternate mechanisms to comply with EU data rules and to avoid the Privacy Shield altogether.
The opinion “puts a huge cloud on this arrangement and makes it very unattractive,” says Lothar Determann, a partner in Baker & McKenzie's Palo Alto, CA, office, and author of “Determann's Field Guide to Data Privacy Law.”
The EU regulators on one hand lauded parts of the deal that aim to strengthen oversight of U.S. companies' compliance with key EU data-privacy principles. “However, the Working Party has strong concerns on both the commercial aspects and the access by public authorities to data transferred under the Privacy Shield,” it said in a statement.
The 58-page opinion of the working party is technically nonbinding on the European Commission, which as the EU's executive arm negotiated the data-transfer framework. The deal is an update to the Safe Harbor privacy arrangement from 2000 that was invalidated by the Court of Justice of the European Union in a ruling last October. See, “Safe Harbor European Court Data Protection Ruling,” in the November 2015 issue of e-Commerce Law & Strategy.
Deadline Approaching
But the reaction is important politically ahead of a decision expected this month by EU member-state governments on whether to approve the deal. The criticism from independent regulators could make it harder for some states to come out in support of the deal, potentially keeping the commission from finalizing it by its June target.
And if the European Commission is unwilling to reopen negotiations with the U.S., or unable to secure new concessions, the opinion may add weight to any future legal challenge against the Privacy Shield. Under the October ruling, the data regulators themselves also have explicit authority to challenge arrangements like the Privacy Shield in court.
Some U.S. privacy lawyers and experts see litigation as all but certain in the coming months, as European privacy advocates try to test the bounds of the October ruling by the EU Court of Justice. “I think the minute it gets approved, somebody is going to challenge it,” says Miriam Wugmeister, a partner in Morrison & Foerster's privacy and data-security practice in New York.
Paul Schwartz, a special adviser at Paul Hastings in San Francisco and a director of the UC-Berkeley Center for Law and Technology, says the working party's opinion “puts down a marker” for the EU high court to evaluate the new framework.
Either way, the opinion is a sign that companies that rely on being able to transfer data out of Europe may want to find other options besides the Privacy Shield.
Both Determann and Wugmeister note that, since the October decision, companies that participated in Safe Harbor have put in place other measures to make sure they can lawfully transfer EU citizens' data to the United States. These include so-called “standard contractual clauses” that are pre-approved by EU data regulators.
These have the added benefit, Wugmeister notes, of not requiring companies to take on the Privacy Shield's new obligations to participate in various types of dispute settlement proceedings if an EU citizen brings a complaint about how his or her data were used.
Determann adds that although he thinks the Privacy Shield is a potentially useful tool, signing up for it amid continued scrutiny of the deal may provide limited benefits and could actually just be setting companies up for legal action by EU regulators further down the road.
Continued Shortcomings
The European Commission initiated negotiations for what would become the Privacy Shield in 2014, about a year after the Edward Snowden revelations brought to light the extent of U.S. surveillance activities through programs like Prism. The negotiations accelerated after the October court decision invalidating Safe Harbor, in which about 4,000 companies had participated.
The new framework, like its predecessor, incorporates a number of EU data-privacy law “principles” to which companies self-certify they will adhere. But it also includes letters from U.S. government officials about how data are collected and used by law enforcement and intelligence authorities.
While deeming the Privacy Shield agreement an improvement upon the defunct Safe Harbor agreement, the opinion by the EU's Article 29 Working Party admonished the agreement's data protection and enforcement shortcomings, as well as the vagueness and ambiguity of the agreement's language.
The Working Party, which is made up of the European Commission, data protection authorities from each EU country and a European Data Protection Supervisor, criticized the agreement's structure for being unclear. The statement noted that the dispersion of information among the “adequacy decision and in its annexes makes the information both difficult to find, and at times, inconsistent.”
“This contributes to an overall lack of clarity regarding the new framework as well as making accessibility for data subjects, organizations, and data protection authorities more difficult,” it added. “Similarly, the language used lacks clarity.”
The group also reproached the agreement for not reflecting “some key data protection principles as outlined in European law.”
Among them was uncertainty surrounding the data retention principle, which the Working Party noted is “not expressly mentioned and cannot be clearly construed from the current wording.”
There was also unease about the lack of any protections against “automated individual decisions based solely on automated processing,” and the lack of clarity regarding the “application of the purpose limitation principle to the data processing.”
The misgivings over data protection expanded to the language regulating onward transfers, which the Working Party called “insufficiently framed, especially regarding their scope.” The group insisted that such transfers from a certified company to a third-party recipient be on par with the level of protections “on all aspects of the [Privacy] Shield,” as to not diminish or circumvent the EU's data protection principles.
One of the key criticisms from the Article 29 Working Party is that the communications from the Office of the Director of National Intelligence “do not exclude massive and indiscriminate collection of personal data originating from the EU.”
That's an issue that observers say would be difficult to resolve. The European Commission struggled for months to extract more specifics from the U.S. about the limits on the collection and use of personal data, yielding an 18-page letter from the director's office. Renegotiating for more would not be a quick or easy task.
Determann and other lawyers also see the Working Party as holding the U.S. to a standard that many EU member state surveillance bodies themselves could not meet.
The group offered praise, however, for the Privacy Shield's inclusion of language stipulating data access and handling for purposes of national security and law enforcement, calling it a “considerable step.” But it also admonished the “representations of the U.S. Office of the Director of National Intelligence (ODNI)” for not excluding “massive and indiscriminate collection of personal data originating from the EU,” and reiterated its long-standing opposition to the practice.
The “indiscriminate surveillance of individuals can never be considered as proportionate and strictly necessary in a democratic society, as is required under the protection offered by the applicable fundamental rights,” the Working Party said, adding that there is “a tendency to collect ever more data on a massive and indiscriminate scale in the light of the fight against terrorism.”
Other concerns focused on the additional resources the Privacy Shield offers for individuals to affirm their data rights, such as the agreement's Notice principles, free alternative dispute resolution, and binding arbitration, which the opinion noted may in practice “prove to be too complex, difficult to use for EU individuals and therefore ineffective.”
There was also apprehension over another redress method, the establishment of an ombudsperson within the Department of State to handle all Privacy Shield-related grievances. Though calling it a “significant improvement for EU individuals' rights with regards to U.S. intelligence activities,” the Working Party expressed concern over the independence of the ombudsperson and questioned whether it had “adequate powers to effectively exercise” and “guarantee a satisfactory remedy in case of disagreement.”
Working Group Recommendations
Going forward, the group urged the European Commission to resolve its concerns and provide clarification on the agreement language, and it noted that “a review must be undertaken” after the implementation of the EU's upcoming General Data Protection Regulation.
The Working Party's tepid response to the agreement may serve to increase industry anxiety over the continuing lack of regulation concerning transatlantic data transfers since the dissolution of Safe Harbor.
In a statement posted shortly after the release of the opinion, the Information Technology and Innovation Foundation (ITIF) noted it was “disappointed that the Article 29 Working Party has not affirmed the adequacy of the EU-US Privacy Shield Framework negotiated between the European Commission and the U.S. Department of Commerce.”
It added that “the agreement has achieved widespread support on both sides of the Atlantic from many policymakers, businesses, and advocacy groups for offering an opportunity to move forward after the European Court of Justice invalidated the Safe Harbor agreement in the Schrems decision [Maximillian Schrems v. Data Prot. Comm'r, ECLI:EU:C:2015:650, CJEU 6 Oct. 2015, Case C-362/14]. … While members of the Article 29 Working Party should continue to offer suggestions on how to strengthen this agreement, and there are opportunities for improvement, the opportunity for improvement should not preclude official approval of the agreement. A prolonged climate of regulatory uncertainty places unnecessary strain on the digital economy, hurting businesses, workers, and consumers.”
Other criticisms in the opinion might be simpler to address. For example, the Working Party also said that the various mechanisms under the Privacy Shield through which EU citizens can bring complaints “may prove too complex” to be effective.
Věra Jourová, the EU justice commissioner, said in a statement that the commission plans to come forward with a “user's guide” for citizens on how to seek redress for their complaints. But she fell short of saying the commission would enter into new negotiations with the U.S. on other issues flagged by the Working Party.
Referring to its criticisms as “useful recommendations,” Jourová said the commission “will work swiftly to include them” in the final document approving the Privacy Shield framework.
What's Next?
While there is some disagreement over the effects and significance of the Working Party's rebuke, there is consensus that the opinion will delay any agreement over transatlantic data transfers for the time being. And such a delay, Daniel Castro, vice president of the Information Technology and Innovation Foundation (ITIF) and director of the Center for Data Innovation, told our ALM sibling, Legaltech News, does not portend well for U.S. businesses.
“By invalidating the Safe Harbor agreement, The European Court of Justice (ECJ) created a legal nightmare for companies which relied on that process for transatlantic data transfers. The Privacy Shield framework was supposed to solve this problem, but with growing uncertainty about whether it will be upheld, companies are scrambling to adjust to this uncertain terrain,” he said.
The Working Party opinion, while not legally binding, may also, however, forebode incertitude and delays further down the line in the agreement's approval process.
Castro noted that due to the ECJ ruling in the Schrems case that invalidated Safe Harbor, “individual countries are going to have to make adequacy determinations on their own. It would be untenable to have an agreement that is signed off on by the European Commission, but rejected by various member states.”
There is also some indication in the industry that patience for clarification is wearing thin. “The current text is the product of over two years of negotiations; the negotiations began long before the Safe Harbor was invalidated by the Court of Justice of the European Communities,” says Peter Blenkinsop, partner at Drinker Biddle & Reath.
“So that gives you a sense of how slow progress has been. There is now a great deal of uncertainty as to how much longer the process for further negotiation and approval of the Privacy Shield framework might take.”
How much uncertainty the delay causes, however, is arguable, with some dismissing the idea that without the Privacy Shield, data transfers are happening in a dangerous regulatory void.
Deema Freij, global privacy officer at secure collaboration provider Intralinks, notes that for businesses, the Working Party's opinion “isn't too catastrophic. EU Model clauses and binding corporate rules are still seen as legitimate alternatives to the Privacy Shield according to [the] announcement. … At the moment, businesses have switched, or are switching, to EU model clauses so they are able to transfer personal data to the U.S., and they can continue to use these in spite of the decision today.”
This view is not shared by all. Being at the mercy of EU's data protection regulations, Castro said, may leave U.S. companies with three less-than-ideal options: ignore regulators at their own risk; hire lawyers to restructure “data flows using model contracts or binding corporate rules, an expensive and time-consuming proposition;” or “abandon all transatlantic data flows, shutting down projects and services or building new data centers in Europe.”
Furthermore, the binding corporate rules and contracts used in lieu of a transatlantic data agreement, adds Blenkinsop, may not be a foolproof assurance.
“Although there are contractual mechanisms that can be used to transfer personal data, the sufficiency of those contractual mechanisms is also being challenged in European courts. As a result, businesses are faced with the dilemma of expending significant time and money to put in place contractual measures that might end up being declared legally insufficient, waiting for a replacement to the Safe Harbor to become effective and in the interim being technically out-of-compliance with EU data transfer requirements, or stopping data flows from the EU to the U.S. altogether. And for many businesses, that last option is actually a Hobson's choice.”
Ben Hancock is a reporter for The Recorder, the San Francisco-based ALM sibling of e-Commerce Law & Strategy. This article also contains reports from Ricci Dipshan, the Deputy Editor of our ALM sibling, Legaltech News.