In the wake of the Safe Harbor (1) invalidation by the European Court of Justice, the EU Commission and the US FTC negotiated the terms of the Privacy Shield, a new framework for protecting the personal data of EU citizens transferred to the US. With the Trump administration coming to power, and the Privacy Shield's first annual evaluation approaching, questions arise as to the solidity of this new framework.
By Constantin Pavleas and Marguerite Gaeremynck
Mrs. Falque-Pierrotin, President of the French Data Protection Authority and of the EU working group on data protection matters (the “G29”), met representatives of the Trump administration in Washington from the 29th to 31st of March 2017 in order to clarify the American position following the US elections regarding the guarantees offered by the Privacy Shield to EU citizens and discuss the effectiveness of such guarantees.
The legal framework for the transfer of personal data from the EU to the USA
The European Union (“EU”) has enacted legislation (2) to regulate the processing of personal data and implement safeguards aiming at ensuring that data transferred outside of the EU would be adequately protected. Thus, for the transfer of personal data to the USA, the transferring entity can enter into EU standard contractual clauses with the receiving entity, compelling the parties to implement security measures. Another possibility is for a group of companies established in different countries to establish binding corporate rules including security measures to be applied within such group of companies for the transfer of personal data among their entities. The transfer of personal data to a third country can also take place if such country ensures an adequate level of protection of the data. Under the new EU data protection regulation (the “GDPR”) that will enter into force in May 2018, any transfer of personal data from France to countries outside of the EU may be undertaken under the conditions described above. The EU Commission, having the authority to decide whether a third country ensures an adequate level of protection, had considered on July 26, 2000, that under the Safe Harbor, the USA ensures an adequate level of protection of the transferred data.
The invalidation of the Safe Harbor and the implementation of the Privacy Shield
Following the revelations of Edward Snowden in 2013, an Austrian Facebook user challenged the Safe Harbor before the Irish data protection authority, highlighting that the US could not be considered as ensuring an adequate level of protection as the US National Security Agency (the “NSA”) could have access to the transferred personal data through indiscriminate and bulk data collection. The case reached the European Court of Justice (the “ECJ”), which declared the Safe Harbor invalid. The ECJ noted that the US public authorities were not bound by the Safe Harbor and could proceed to massive interceptions of the transferred personal data. It emphasized that the US requirements of national security, law enforcement and public interest prevailed over the Safe Harbor rules and therefore the Safe Harbor subscribers could disobey its protective principles.
In order to replace the Safe Harbor, the US Federal Trade Commission (the “FTC”) implemented the Privacy Shield for companies to transfer individuals' data from the EU to the USA. This scheme entered into force in the EU on August 1, 2016, and provides for Privacy Principles. The G29 considered that significant improvements have been brought by this new framework but noted areas for improvement (3). Regarding access to personal data by public authorities, the G29 noted the US commitment to refrain from massive surveillance and the institution of an ombudsperson to handle and solve complaints from individuals. The G29 expressed the desire for more guarantees as to the independence of this ombudsperson as well as concrete safeguards aiming at ensuring that no massive surveillance will occur. The Privacy Shield includes an annual joint review mechanism to assess its operation and US commitments. It is conducted by the EU Commission and the US Department of Commerce with the participation of EU data protection authorities. The first annual assessment should be made this year.
The Trump administration’s initial actions create concerns
The recent decisions under the Trump administration show, as transpired during the presidential campaign, that the new government weighs in favor of facilitating access to personal data (4).
In an executive order related to illegal immigrants executed by Donald Trump in January 2017, a provision expressly stated that US privacy principles would not be extended to non-US citizens. Even though this executive order appears to be inconsistent with the Privacy Shield, the EU Commission has considered that it does not violate the application of the Privacy Shield, including because it refers to privacy principles that only apply to data collected in the US, whereas the Privacy Shield applies to data collected outside the US.
A recent token of this new policy is the US Senate resolution allowing internet service providers to sell Internet users’ data to advertisers and other third parties, without consent. This resolution overturns a rule implemented by the US Federal Communications Commission which banned the sale of Internet users’ data without their consent (5).
Considering their initial actions, the Trump administration seems to favor security over personal data protection. In this context, the new administration may question the guarantees included in the Privacy Shield or refuse to reinforce them, as requested by the G29. They may also consider that the Privacy Shield offers a practical framework facilitating US companies doing business with the EU and be inclined to hear Europeans’ requests for improvement in connection with its annual assessment. At this stage, there is a fair level of uncertainty as to the future of the Privacy Shield. EU companies and US subscribers of the Privacy Shield should be attentive to its first annual assessment and may find it wise to examine alternative legal bases for EU-US transfers of personal data. Of note, the GDPR provides for new legal grounds such as for (i) public authorities to implement binding agreements, and (ii) both data processors and data controllers to adhere to certification mechanisms or codes of conduct.
- In the wake of the Safe Harbor invalidation, the EU and the US have negotiated the Privacy Shield, a legal framework aimed at protecting Europeans’ personal data transferred across the Atlantic.
- This framework needs to be reinforced and, in its current state, is not immune from legal challenge.
- In this context, the positions under the new US administration create uncertainty as to the future of the Privacy Shield and it may be wise for US companies processing Europeans’ personal data to consider alternative legal bases.
Constantin Pavléas and Marguerite Gaeremynck