
The Privacy Shield Scheme: Should Your Company Join?

By Jonathan Armstrong and André Bywater
November 02, 2017

The Privacy Shield scheme was proposed in February 2016 to replace the Safe Harbor scheme, which was struck down by the Court of Justice of the European Union (CJEU) in the first Schrems case (Schrems 1) in October 2015.

The announcement of the creation of Privacy Shield in February 2016 was premature. But an announcement had to be made at the time, as a deadline set by the Article 29 Working Party (WP29) had expired at the end of January 2016. In February of that year, the EU Commission said it hoped that Privacy Shield would be finalized by the beginning of May 2016. Even that seemed ambitious, in part because of the criticism that Privacy Shield received from WP29 in April 2016, inter alia, that it did not offer adequate protection.

The Privacy Shield scheme eventually opened for business on Aug. 1, 2016. The objective of this framework is to protect the fundamental rights of anyone in the EU whose personal data is transferred to the U.S., and to bring legal clarity for businesses relying on transatlantic data transfers. It remains to be seen if the new deal can be a lasting solution. Meanwhile, however, more than 2,300 companies have joined Privacy Shield. These include Ernst & Young, Facebook (for non HR data only), Google, Microsoft, Oracle, Rackspace, Salesforce, ServiceNow, St Jude Medical and Workday.

The purpose of this article is to shed some light on the EU-US Privacy Shield for business. This is vital in order to enable businesses to make an informed decision on whether or not to join this scheme. We begin by highlighting the supervisory role that U.S. authorities play in enforcement. We then outline the challenges that this scheme is likely to face, and discuss whether it is challengeable by regulators and courts.

We follow with a discussion of whether the EU General Data Protection Regulation (GDPR) offers protection to the scheme. This is followed by a discussion of the scheme's viability for businesses and whether, if they decide to join it, they would be required to change their privacy policies. We then highlight the effects of Brexit on the scheme, provide a brief outlook of the Swiss-U.S. Privacy Shield, and conclude by offering some possible actions for businesses.

The Supervisory Role of U.S. Authorities Under the EU-US Privacy Shield

U.S. authorities will almost certainly play a strong role in terms of supervision. In fact, there is likely to be much more supervision by the U.S. authorities than there was under the Safe Harbor scheme. It is not true to say there was no Safe Harbor enforcement, but those in the EU will expect a more hands-on role for the FTC if Privacy Shield is to survive. The FTC's enforcement action in Sept. 2017 against three companies that falsely claimed Privacy Shield certification is likely to be a sign of things to come.

However, the EU Commission is promising tougher enforcement. It gave an indication of this in its July 12, 2016 announcement:

Under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list.

Is the EU/US Privacy Shield Bulletproof?

The simple answer to this question is probably not. Penny Pritzker, the former U.S. Secretary of Commerce, said, in announcing the deal on July 12, 2016, that she thought it would “withstand scrutiny” and that she had been speaking with the chair of WP29 to try and reduce her concerns. Commissioner for Justice, Consumers and Gender Equality Věra Jourová also said she was confident it would survive a court challenge. In our view, it is unlikely that the concerns about Privacy Shield will disappear so quickly. We talked about the challenges to Privacy Shield when we spoke with Max Schrems on Oct. 21, 2016. A summary of that interview is available at http://bit.ly/2itrIIe. Mr. Schrems said in that interview, “Privacy Shield is Safe Harbor with flowers on it — it will probably be killed by the European Court.”

The successful challenge to the EU-Canada PNR data-sharing agreement in July 2017 would suggest that the CJEU's position has not changed too much since the original Schrems decision.

As well as possible challenges from courts and regulators, it should be remembered that Privacy Shield has a one-year shelf life before being renewed — although the EU Commission has delayed the first-year review. The EU Parliament in particular is likely to be looking carefully at the scheme's first year, and may challenge its renewal. In July 2017, Claude Moraes, the Chair of the EU Parliament Committee, said, “Deficiencies still remain and must be urgently resolved to ensure that the Privacy Shield does not suffer from critical weaknesses.” The WP29 have also indicated that the first annual review, which started in February 2017, will be a critical time for Privacy Shield.

Challenging the EU-US Privacy Shield

By Regulators

This will almost certainly be the case. Reports in August 2016 suggest that Johannes Caspar, the Hamburg Data Protection Regulator who had been very critical of Safe Harbor, would like to refer the scheme to the CJEU. In fact, Caspar has petitioned the German authorities to allow data protection regulators to refer issues like this to the CJEU directly.

In November 2016, ten German data protection authorities announced that they had sent a survey to 500 organizations asking for details about their data protection strategy. The Bavarian Data Protection Commissioner sent around 150 of these questionnaires. Initially the businesses had been sent a questionnaire to complete and return to the relevant regulator. The document asks specific questions about the businesses' use of Privacy Shield and other methods of dealing with international data transfer. Additionally the questionnaire asks for details of specific data transfers to the United States, including in areas like helpdesk support, travel management, CRM, marketing, recruitment, collaboration platforms, quality management and cloud.

There are rumors that Austria, Bulgaria, Croatia and Slovenia abstained from the Article 31 vote. It could be that Regulators from some of those countries may also take an interest, although as time passes, this makes an immediate challenge less likely. Privacy Shield is certainly open to challenge in the same way as Safe Harbor was. In effect, its legal status is similar to Safe Harbor — an adequacy finding from the EU Commission.

By Courts

Privacy Shield faces several court challenges, and the Schrems 1 case tells us that Regulators must have more independence to investigate their concerns. In addition, there is currently a challenge in the courts over model clauses. We reported on this case, which is sometimes known as Schrems 3, in May 2016. This case is currently being heard in Dublin. Our report is available at http://bit.ly/2lccUiu.

Furthermore, an Irish group, Digital Rights Ireland, has also issued proceedings challenging Privacy Shield. And La Quadrature du Net, a Paris-based pressure group, the French Data Network and FDN Federation brought an additional case to the EU General Court in Luxembourg. The French associations claim in their case that Privacy Shield should be struck down because it violates their fundamental rights. Both the Irish group and the French groups will have to persuade the Court that they have sufficient standing to challenge the EU Commission's decision giving birth to Privacy Shield. The rules on standing are quite complicated and it is by no means certain that they will be able to persuade the Court that they have the standing to bring the case.

While a challenge does seem likely, there is no guarantee that it would succeed. A differently constituted court on a different day may be more willing to uphold Privacy Shield, especially with the extra effort that both the EU and U.S. have made this time around. Whatever the result, however, there is likely to be uncertainty, since a court hearing may be unlikely before the end of 2018 on current court timetables.

The EU GDPR and the EU-US Privacy Shield

The GDPR is due to come into force in May 2018. However, it does not offer any protection to Privacy Shield. In fact, Privacy Shield is not referred to in GDPR in the first place, although the Binding Corporate Rules (BCRs), as one of the other methods of data transfers, are explicitly given attention. Commissioner Jourová said on July 12, 2016, that Privacy Shield would be reviewed prior to GDPR coming into force, since it was a clear requirement that the U.S. had 'equivalent' protection and this protection was likely to have to be improved once GDPR set the bar higher.

Is it Worth Considering for Your Business?

Privacy Shield is possibly worth considering for your business. Despite its faults, those companies that were in Safe Harbor might find Privacy Shield fairly easy to achieve. It could have some role as part of a mix of compliance measures, although it is unlikely to provide a complete solution on its own. It would be wise for those considering the scheme to do a cost-benefit analysis. Privacy Shield is likely to be more costly than Safe Harbor — in part due to higher arbitration costs — but may demonstrate a level of compliance to some of your customers. Some of the former Safe Harbor arbitration schemes have also adapted themselves to manage Privacy Shield arbitrations.

Joining the EU-US Privacy Shield

Will businesses have to change their website privacy policy? The answer to this question is probably yes. Privacy Shield has some quite detailed requirements on what a privacy policy should say. The first Privacy Shield Principle deals with the notice that has to be given, but there are additional requirements in connection with information about arbitrations and other rights that individuals have with respect to their personal data. If you are joining Privacy Shield, you need to review your privacy policy to make sure it complies before you apply.

The Effect of Brexit on the EU-US Privacy Shield

There was a question at the July 12, 2016 press conference to Commissioner Jourová about the effects of Brexit, and any likely adequacy decision for the UK. Commissioner Jourová said it was too early to answer this question.

Due to the initial two-year time frame for the Brexit negotiations (which have yet to commence), Privacy Shield will apply to data transfers from the UK at least until any eventual withdrawal from the EU — this is unlikely to be much earlier than April 2019. Equally, GDPR will also apply.

The Swiss-US Privacy Shield

A similar Privacy Shield scheme for transfers from Switzerland to the U.S. has been operational from April 2017.

Moving Forward

In short, in order to get started, the following are possible actions or practical steps that you may wish to consider:

  • Have a plan for data transfer. We have seen from some of the enforcement cases that the lack of a plan is likely to cause difficulties when regulators ask questions;
  • Review Privacy Shield to see if it might work for you — even a system subject to a challenge may be useful for you;
  • Look again at your data flows to determine the following: What information travels outside of the EU and on what basis? Is it inter-group or is it to third parties? What steps are already in place to make those data flows lawful? You may be able to alter your current data practices to reduce your risk;
  • Consider the other options available to your business, including model clauses (recognizing they are also subject to challenge) and BCRs. BCRs do have a new footing in GDPR and may be more resistant to challenge. BCRs will not be the answer for everyone, however;
  • Review your privacy policy. Some organizations have not reviewed their policy since the fall of Safe Harbor in October 2015. Whichever way you make your data transfers lawful, you should still be reflecting your current practices in your privacy policy.

*****
André Bywater and Jonathan Armstrong are commercial lawyers with Cordery in London, UK, where they focus on regulatory compliance, processes and investigations. Reach them at [email protected] and [email protected], respectively. The authors gratefully acknowledge the assistance of Mourad Greiss in the preparation of this article.
