EU-U.S. Privacy Shield Finalized

By Jonathan Armstrong and André Bywater
September 01, 2016

The European Commission concluded more than six months of negotiations both within the EU institutions and with the U.S. on July 12 with the announcement that agreement had been reached on the Privacy Shield scheme to transfer data from the EU to the U.S.

What Is the Privacy Shield?

The Privacy Shield scheme was proposed in February 2016 to replace the Safe Harbor scheme, which was struck down by the European Court in the first Schrems case (sometimes known as Schrems 1) in October 2015. The Schrems 1 case was brought by an Austrian law student, Maximilian Schrems, against Facebook. Mr. Schrems initially complained to the Irish Data Protection Commissioner about the way in which Facebook was transferring his data using Safe Harbor. The Irish Data Protection Commissioner felt that she did not have the power to investigate, since the European Commission had put the Safe Harbor scheme in place. The court disagreed and also felt that the entire Safe Harbor scheme was unlawful.

The FAQs below look at our initial thoughts on Privacy Shield. We use some technical terms that are explained in our glossary at http://bit.ly/2b6ybTQ.

Why Did It Take So Long to Agree to a New Deal?

Some might say that the announcement of the creation of Privacy Shield was premature. It became apparent soon after the announcement that the February deal was, at best, a deal to do a deal. An announcement had to be made in February as a deadline set by the Article 29 Working Party (often known as WP29) had expired at the end of January. In February, the European Commission said that it hoped Privacy Shield would be finalized by the beginning of May. Even that seemed ambitious, in part because of the criticism that Privacy Shield received from WP29 in April.

Is There Still Opposition to Privacy Shield?

Yes. While we are yet to see whether WP29 are any happier with the extra concessions the Commission say they have secured from the U.S. Government, the Privacy Shield deal will still have its critics. There seems to be confusion as to whether the U.S. administration can deliver its side of the bargain, especially when recent court cases in the U.S. are perceived to have undermined the rights of individuals. Since some of the U.S. side of the deal relies on instructions from the current administration, there is also uncertainty as to what a change of administration in the U.S. in January 2017 will bring.

Will Privacy Shield Be Protected By the GDPR?

No. Privacy Shield is not referred to in the General Data Protection Regulation (GDPR), although one of the other methods of data transfer, Binding Corporate Rules (or BCRs), is. The European Commissioner promoting Safe Harbor, Věra Jourová, said in August that Privacy Shield would be reviewed prior to GDPR coming into force, since it was a clear requirement that the U.S. had “equivalent” protection and this protection was likely to have to be improved once the GDPR sets the bar higher.

When Does Privacy Shield Come In?

The European Commission said they intended it to come in on Aug. 1. Companies were able to join the scheme from that date.

Will the U.S. Authorities Play a Greater Role?

Almost certainly. If your company joins Privacy Shield, there is likely to be much more supervision by the U.S. authorities than there was under Safe Harbor. It is not true to say there was no Safe Harbor enforcement (for example the FTC's investigation into TRUSTe), but the European Commission is promising tougher enforcement. On July 12, the Commission said:

… under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list.

Is Privacy Shield Bullet Proof?

Probably not. Penny Pritzker, the U.S. State Secretary of Commerce, said in announcing the deal on July 12 that she thought it would “withstand scrutiny” and that she had been speaking with the chair of WP29 to try and reduce her concerns. Commissioner Jourová also said she was confident it would survive a court challenge.

In our view, it is unlikely that the concerns about Privacy Shield will disappear so quickly. In addition, there are rumors that Austria, Bulgaria, Croatia and Slovenia abstained from the Article 31 vote and it could be that regulators from some of those countries may also take an interest. Privacy Shield is certainly open to challenge in the same way as Safe Harbor was. In effect, its legal status is similar to Safe Harbor: an adequacy finding from the European Commission. There have been indications of likely court challenges already and the Schrems 1 case tells us that regulators must have more independence to investigate their concerns. We are likely to see investigations from some of the German Regulators, who have already taken Safe Harbor enforcement action.

In addition, there is likely to be a challenge to the European Court of Justice (the ECJ) over model clauses. This case is already in Ireland, and is a proposed referral to the European Court by the Irish Data Protection Commissioner of Mr Schrems' additional complaints about the way in which Facebook uses model clauses. There have been court hearings in the Schrems 3 case already, and we understand that counsel for the Irish Data Protection Commissioner flagged the fact that those proceedings might need to be amended to accommodate the inclusion of Privacy Shield.

In effect, it seems that the intention from the Irish Data Protection Commissioner would be that the ECJ looks at the legality of the model clauses and Privacy Shield together. We mention in passing that the Schrems 2 litigation is not directly relevant to Privacy Shield, but rather concerns potential civil damages claims relating to Facebook's alleged data transfer practices.

While a challenge to Privacy Shield does seem likely, there is no guarantee that would succeed. A differently constituted court on a different day may be more willing to uphold Privacy Shield, especially with the extra effort that both the EU and U.S. have made this time around. Whatever the result, however, there is likely to be uncertainty, since a court hearing may still be two years away.

As well as possible challenges from courts and regulators, it should be remembered that Privacy Shield has a one-year shelf life before being renewed. The European Parliament in particular is likely to be looking carefully at the scheme's first year and may challenge its renewal in 2017.

Should I Even Consider Privacy Shield for My Business?

Probably. Despite its faults, those companies who were in Safe Harbor might find Privacy Shield fairly easy to achieve. It could have some role as part of a mix of compliance measures, although it is unlikely to provide a complete solution on its own. It would be wise to look at the scheme to do a cost-benefit analysis. Privacy Shield is likely to be more costly than Safe Harbor, in part due to higher arbitration costs, but may demonstrate a level of compliance to some of your customers.

What About Brexit?

There was a question at the July 12 press conference to Commissioner Jourová about the effects of Brexit and any likely adequacy decision for the UK. Commissioner Jourová said it was too early to answer this question.

Due to the initial two-year time frame for the Brexit negotiations (which have yet to begin), Privacy Shield will apply to data transfers from the UK at least until any eventual withdrawal from the EU. GDPR will also apply.

What Can I Do?

Clearly, the exact list of actions you will need to take will vary from corporation to corporation. Among the possible actions you could consider would be:

1. Have a plan for data transfer: we have seen from some of the enforcement cases that the lack of a plan is likely to cause difficulties when regulators ask questions;

2. Review Privacy Shield to see if it might work for you. Even a system subject to a challenge may be useful for you;

3. Look again at your data flows to determine the following: what information travels from the EU to the U.S. and on what basis? Is it inter-group or is it to third parties? What steps are already in place to make those data flows lawful? You may be able to alter your current data practices to reduce your risk;

4. Consider the other options available to your business including model clauses (recognizing that they are also subject to challenge) and BCRs. The latter do have a new footing in GDPR, and may be more resistant to challenge. BCRs will not be the answer for everyone, however;

5. Review your privacy policy. Some organizations have not reviewed their policy since the fall of Safe Harbor in October 2015. Whichever way you make your data transfers lawful, you should still be reflecting your current practices in your privacy policy.


Jonathan Armstrong and André Bywater, a member of this newsletter's Board of Editors, are lawyers with Cordery in London, where their focus is on compliance issues.
