Alert
By Andrew Caplan,
02.04.16
On February 2, 2016, the European Commission and the U.S. Department of Commerce reached an accord on a new transatlantic data transfer protocol. Nicknamed the EU-U.S. Privacy Shield, the framework would replace the 15-year-old Safe Harbor, which was invalidated by the European Court of Justice on October 6, 2015. Clocking in at the thirteenth hour (two days after the European Commission’s internal January 31st deadline), the announcement may elicit an initial sigh of relief from executives of the several thousand U.S. companies that had relied upon the now-defunct Safe Harbor. But is it the silver bullet some think it might be?
Although the text of the new framework is not yet available, certain reported key features of the Privacy Shield include the following:
While the adoption of a new EU-U.S. data transfer protocol is arguably preferable to the gaping hole that the invalidated Safe Harbor left in place, the announcement leaves the door open on several important issues that may undermine its efficacy.
Without the text of the framework available, it is possible that the “necessary and proportionate” threshold for surveilling EU citizen data may not be carefully defined, which could reestablish a vague legal standard. As such, this standard could be subject to political whims on both sides of the ocean, and it is possible that U.S. companies that comply with the Privacy Shield will need to live under the uncertainty of shifting governmental policies and interpretations.
Additionally, if the annual joint EU-U.S. review of the framework allows for it to be dismantled or substantially changed each year, then this could also diminish the certainty that U.S. companies would seek to achieve by complying with the Privacy Shield. This raises the question: will the Privacy Shield offer a more valuable solution than those currently available to U.S. importers of data? Perhaps not.
Although the U.S. Department of Commerce is expressing optimism over the Privacy Shield framework, Jan Philipp Albrecht, the European Parliament Member responsible for steering the new EU General Data Protection Regulation, has been one of the first out of the blocks in publicly criticizing the Privacy Shield, calling it little more than a “reheated serving of Safe Harbor” and suggesting it would likely not withstand further European Court of Justice scrutiny. Albrecht is not alone in his skeptical view, and there has been significant criticism from other quarters in the EU.
With these types of uncertainties potentially on the table, it is argued that model contract clauses and binding corporate rules (two other options U.S. companies presently have for transatlantic data transfers) may remain safer alternatives to opting into the new framework.
We will be monitoring and analyzing next steps closely, as the EU and United States move closer towards a binding agreement. In any event, U.S. companies would be best advised to consider all their options rather than placing too much faith for the moment in the Privacy Shield.