“ … or, in the alternative, you can just send the damn data. Who’s going to know?”
By:
Gregory P. Bufithis, Esq.
Founder/Managing Director
31 May 2016 – It has been a doozy of a week as the new EU-US data transfer plan took several tough hits over the past 7 days. The latest attempt at an EU-U.S. deal … being mocked even by EU insiders … to protect data transfers of everything from family photos to payroll information appears to be on the same path as the last collapsed effort.
The main stumbling blocks … again … are European privacy standards, U.S. exceptions that allow for broad surveillance, and concerns about the independence and power of an ombudsman who will review complaints if Europeans feel their data are mishandled by American authorities. Yes, the very same issues that scuttled the earlier proposal, affectionately known as “safe harbor”.
The blows came in quick succession:
1. On Tuesday, European Data Protection Supervisor Giovanni Buttarelli said the shield would need “robust improvements” to withstand challenges in the courts.
2. Then on Thursday, the European Parliament passed a resolution that the latest pact, the so-called privacy shield, violates the European Union’s Charter of Fundamental Rights. And sources briefed on the talks said the U.S. has made it clear it will not budge on issues of national security.
3. Then the Article 29 Working Party reiterated that it was still concerned about the possibility of “massive and indiscriminate” bulk data collection.
4. And then the European Commission pushed back a deadline it set for itself to finalize the agreement by end of May to sometime before “this summer,” but isn’t giving up on the agreement struck with Washington in February. Ruling out any renegotiation in the wake of pushback from EU national regulators and the Parliament, EU officials say they’re going to implement the accord, knowing that court challenges are inevitable. Those challenges could take years to get through the court system.
At a corporate counsel workshop on data privacy last week in Brussels, David Hoffman, global privacy officer at Intel, probably nailed it:
“The idea that we’re going to solve the international data transfer issue, that we’re going to reach a date and from that date onwards we won’t have any more issues … well, that won’t happen. Solving the international data transfer issue with privacy shield, to me, is an incorrect assumption.”
Uncertainty around the future of trans-Atlantic data transfers leaves more than 4,000 companies on both sides of the ocean that had signed up to safe harbor in limbo. It also drives the flood of webinars and conferences and workshops to help you “prepare for the coming Privacy Shield”. Well, these folks need to make money. And “coming” can be construed very broadly.
Champions of the data pact back in the U.S. react with frustration to the latest political setbacks in Europe, blaming the EU, of course. Some gems:
> Christian Borggreen, director of the Washington, D.C.-based Computer & Communications Industry Association: “Europe risks drifting into data isolation. Its tools for data transfers to the world are increasingly challenged.”
> Julie Brill, a former commissioner of the U.S. Federal Trade Commission: “There are some big decisions that European legislators will have to make concerning the way they stand on data versus the rest of the world.”
And then the other shoe dropped. The “Plan B” measure many companies have been using for the past seven months is in jeopardy. Last week the Irish data protection commissioner said that Facebook was illegally transferring data using “model clauses” — a fallback many companies used after the European Court of Justice struck down privacy shield’s predecessor, safe harbor. Such standard contractual snippets are approved by the Commission, but the Irish data protection commissioner said they also violate the EU’s rights charter because citizens can’t seek reparation in court if their data is mishandled by U.S. authorities. Ireland will ask the Irish High Court to refer the case, which was brought by … yep, Max Schrems! … to the European Court of Justice (for my post on the case click here).
Despite the mounting obstacles, the European Commission and U.S. regulators are putting a happy face on all of this, contending the privacy shield will be approved and provide companies the legal cover they need. But EU insiders have confided in me that they have little doubt, should the privacy shield be enacted, that it will be challenged in court, and the ammunition is there to kill it.
The European Parliament’s resolution on the privacy shield doesn’t mince words. While it acknowledges that the shield does improve on the safe harbor pact, it declares the U.S. intelligence services can still snoop at will on EU citizens’ data in ways that “does not meet the stricter criteria of necessity and proportionality as required under the Charter of Fundamental Rights” — one of the key reasons safe harbor didn’t survive the beating at the European court.
Making the changes the Commission requested is delaying the final text. The so-called Article 31 committee of national representatives across Europe is scheduled to meet June 6 and June 20 in hopes of getting the deal approved. The aim is to present it at an informal meeting of EU ministers July 7 at the start of the Slovak presidency of the EU Council.
Note: the Article 29 Working Party, which everybody was focused on with its massive opinion in April that rejected the Privacy Shield, is not the only body involved. The Article 31 committee has to give its blessing, too. The Article 31 Committee, which like its counterpart was established by that article in the original EU Data Protection Directive, is composed of representatives from the EU Member States and validates data transfer Adequacy Decisions.
During its recent meeting in May 2016, the Article 31 committee appears not to have reached consensus on the adoption of the Privacy Shield. The EU Commission is hopeful that agreement will be reached by the end of June but perhaps this will depend upon how quickly the Privacy Shield is modified to take into account the criticism by the Article 29 Working Party.
And that moving target is a problem for companies. Said one GC at last week’s workshop:
“Either we go for the bitter pill to swallow and choose providers that keep their data in Europe. Or we take the risk of relying on instruments that are now being challenged. Or just transfer the data and see what happens. I guess we just take the risk. It sucks.”
He did note that his company is building EU data centers with legal firewalls between their operations and the U.S. corporation, a point I made in my “model clauses” post linked above.
At the end of the day I recommend data controllers and data processors continue to evaluate and implement appropriate measures to protect data during transfers. Data controllers should make sure they have adequate safeguards in their contract terms with processors, even if that processor is a large U.S. cloud company which trades on its own terms.
Yes, yes, yes. I realize Max Schrems II is barreling down the pike. But remember, the data controller is primarily responsible under data protection legislation and will be the first one to be fined if there is a breach. If the standard terms don’t give you enough protection, look elsewhere. Keeping data inside the EU seems a bit protectionist but it is ultimately better than getting hit by a large fine, especially with France and Germany rumored to be looking to apply early the new GDPR fines of up to €20 million or four per cent of global revenue.
To the ramparts!!