EU-U.S. Privacy Shield Finalized

By Jonathan Armstrong and Andre Bywater
August 01, 2016

The European Commission concluded more than six months of negotiations both within the EU institutions and with the U.S. on July 12 with the announcement that an agreement had been reached on the Privacy Shield scheme to transfer data from the EU to the U.S.

What Is Privacy Shield?

The Privacy Shield scheme was proposed in February 2016 to replace the Safe Harbor scheme, which was struck down by the European Court in the first Schrems case (Schrems 1) in October 2015. Maximillian Schrems v. Data Prot. Comm'r, ECLI:EU:C:2015:650, CJEU 6 Oct. 2015, Case C-362/14 (Schrems 1). The Schrems 1 case was brought by an Austrian law student, Maximilian Schrems, against Facebook. Mr Schrems initially complained to the Irish Data Protection Commissioner about the way in which Facebook was transferring his data using Safe Harbor. The Irish Data Protection Commissioner felt that she did not have the power to investigate since the European Commission had put the Safe Harbor scheme in place. The court disagreed and also felt that the entire Safe Harbor scheme was unlawful.

These FAQs look at our initial thoughts on Privacy Shield. We use some technical terms that are explained in our glossary.

Why Did It Take So Long to Agree to a New Deal?

Some might say that the announcement of the creation of Privacy Shield was premature. It became apparent soon after the announcement that the February deal was, at best, a deal to do a deal. An announcement had to be made in February as a deadline set by the Article 29 Working Party (often known as WP29) had expired at the end of January. In February, the European Commission said that they hoped that Privacy Shield would be finalized by the beginning of May. Even that seemed ambitious in part because of the criticism that Privacy Shield received from WP29 in April.

Is There Still Opposition to Privacy Shield?

Yes. While we are yet to see whether WP29 is any happier with the extra concessions the Commission says it has secured from the U.S. government, the Privacy Shield deal will still have its critics. There seems to be confusion as to whether the U.S. administration can deliver its side of the bargain, especially when recent court cases in the U.S. are perceived to have undermined the rights of individuals. Since some of the U.S. side of the deal relies on instructions from the current administration, there is also uncertainty as to what a change of administration in the U.S. in January 2017 would bring.

Will Privacy Shield Be Protected by GDPR?

No. Privacy Shield is not referred to in the General Data Protection Regulation (GDPR), although one of the other methods of data transfer, Binding Corporate Rules (BCRs), is. The European Commissioner promoting Safe Harbor, Věra Jourová, said in July that Privacy Shield would be reviewed prior to GDPR coming into force since it was a clear requirement that the U.S. had “equivalent” protection, and this protection is likely to have to be improved once GDPR set the bar higher.

When Does Privacy Shield Come In?

The European Commission says it intends for it to come in now. Companies can join the scheme from Aug. 1, 2016.

If I Join Privacy Shield Will the U.S. Authorities Play a Greater Role?

Almost certainly. There is likely to be much more supervision by U.S. authorities than there was under Safe Harbor. It is not true to say there was no Safe Harbor enforcement (for example the FTC's investigation into TRUSTe), but the European Commission is promising tougher enforcement. On July 12, the Commission said:

Under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list.

Is Privacy Shield Bullet Proof?

Probably not. Penny Pritzker, the U.S. State Secretary of Commerce, said in announcing the deal on July 12 that she thought it would “withstand scrutiny” and that she had been speaking with the chair of WP29 to try and reduce her concerns. Commissioner Jourová also said she was confident it would survive a court challenge.

In our view, it is unlikely that the concerns about Privacy Shield will disappear so quickly. In addition, there are rumors that Austria, Bulgaria, Croatia and Slovenia abstained from the Article 31 vote and it could be that regulators from some of those countries may also take an interest. Privacy Shield is certainly open to challenge in the same way as Safe Harbor was. In effect, its legal status is similar to Safe Harbor: an adequacy finding from the European Commission. There have been indications of a likely court challenge already, and the Schrems 1 case tells us that regulators must have more independence to investigate their concerns. We are likely to see investigations from some of the German regulators who have already taken Safe Harbor enforcement action.

In addition, there is currently likely to be a challenge to the European Court of Justice (ECJ) over model clauses. This case is already progressing in Ireland and is a proposed referral to the European Court by the Irish Data Protection Commissioner of Schrems' additional complaints about the way in which Facebook uses model clauses. There have been court hearings in the Schrems 3 case already and we understand that counsel for the Irish Data Protection Commissioner flagged the fact that those proceedings might need to be amended to accommodate the inclusion of Privacy Shield. In effect, it seems that the intention from the Irish Data Protection Commissioner would be that the ECJ looks at the legality of the model clauses and Privacy Shield together. (We should mention that the Schrems 2 litigation is not directly relevant to Privacy Shield, but rather concerns a potential civil damages claim relating to Facebook's alleged data transfer practices.)

While a challenge to Privacy Shield does seem likely, there is no guarantee that it would succeed. A differently constituted court on a different day may be more willing to uphold Privacy Shield, especially with the extra effort that both the EU and U.S. have made this time around. Whatever the result, however, there is likely to be uncertainty since a court hearing may still be two years away.

As well as possible challenges from courts and regulators, it should be remembered that Privacy Shield has a one-year shelf life before being renewed. The European Parliament in particular is likely to be looking carefully at the scheme's first year and may challenge its renewal in 2017.

Should I Even Consider Privacy Shield for My Business?

Probably. Despite its faults, those companies that were in Safe Harbor might find Privacy Shield fairly easy to achieve. It could have some role as part of a mix of compliance measures, although it is unlikely to provide a complete solution on its own. It would be wise to look at the scheme to do a cost-benefit analysis. Privacy Shield is likely to be more costly than Safe Harbor, in part due to higher arbitration costs, but may demonstrate a level of compliance to some of your customers.

What About Brexit?

There was a question at the July 12 press conference to Commissioner Jourová about the effects of Brexit and any likely adequacy decision for the UK. Commissioner Jourová said it was too early to answer this question.

Due to the initial two-year time frame for the Brexit negotiations (which have yet to commence), Privacy Shield will apply to data transfers from the UK at least until any eventual withdrawal from the EU. Equally, GDPR will also apply.

What Can I Do?

Clearly the exact list of actions you will need to take will vary from corporation to corporation. Here are some possible actions you could consider:

  • Have a plan for data transfer. We have seen from some of the enforcement cases that the lack of a plan is likely to cause difficulties when regulators ask questions;
  • Review Privacy Shield to see if it might work for you. Even a system subject to a challenge may be useful for you;
  • Look again at your data flows to determine: What information travels from the EU to the U.S. and on what basis? Is it inter-group or is it to third parties? What steps are already in place to make those data flows lawful? You may be able to alter your current data practices to reduce your risk;
  • Consider the other options available to your business, including model clauses (recognizing they are also subject to challenge) and BCRs. BCRs do have a new footing in the GDPR and may be more resistant to challenge. However, BCRs will not be the answer for everyone;
  • Review your privacy policy. Some organizations have not reviewed their policy since the fall of Safe Harbor in October 2015. Whichever way you make your data transfers lawful you should still be reflecting your current practices in your privacy policy.

Jonathan Armstrong and André Bywater are lawyers with Cordery in London where their focus is on compliance issues.
