Privacy-Shield: To shield or not to shield
The cross-border transfer of personal information is inevitable when dealing with modern information technologies. It is driven, for example, by the need to outsource data processing operations to a third party or to centralize data processing within one entity of a group of companies. While conducting business involving electronic communications and other online technologies, companies are presented with legal challenges pertaining to the transfer of data underlying the services they provide. Such services include social media services and e-commerce, which are used by EU data subjects on a daily basis. The provision of these services would not be possible without information exchange and data processing required also for advertising purposes. Consequently, an awareness of the rules governing such transfers becomes critical for conducting international business legitimately.
The EU legal regime for transferring personal data abroad requires that the destination ensure an adequate level of protection for the personal information. Under Article 25 of the Data Protection Directive and Article 45 (2) of the Data Protection Regulation, in order to ascertain the adequacy of data protection in a particular country, the following elements need to be evaluated: national legislation; international instruments (such as the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data); and self-regulatory frameworks. Alternatively, other appropriate safeguards (i.e. standard contractual clauses, binding corporate rules) can be used by private entities on an organizational level as a means of authorizing cross-border transfers of data.
Due to the absence of uniform laws governing legal issues pertaining to data protection and privacy in the US, the EU did not find the US national legislation adequate for the purposes of Article 25 of the Data Protection Directive. Hence, for transfers of EU data subjects’ personal information to the US, the EU has adopted a different approach. Initially the solution was found in the so-called Safe Harbor framework. However, the Schrems decision by the Court of Justice of the EU declared the US-EU Safe Harbor framework invalid. As a result, active negotiations were initiated between the EU and the US in order to come up with a new framework that could ensure that transfers of personal data from the EU to the US comply with EU principles of data protection and, therefore, that EU data subjects’ information is adequately protected when transferred abroad. In the meantime, the Article 29 WP granted the companies involved in such transfers a grace period, during which the enforcement of EU law on data transfers was suspended. During this period, national data protection authorities of EU Member States strongly encouraged companies to use alternative safeguards (standard contractual clauses, binding corporate rules, or consent) to ensure lawful data transfers. Some of these authorities, however, expressed their unwillingness to consider the use of such alternatives as satisfactory and even refused to grant further authorizations for transfers. Some others (e.g. France) initiated actions against social media platform operators which continued to transfer data under the invalid Safe Harbor scheme.
Shortly after the expiration of the grace period, the three sets of documents supporting the new Privacy Shield arrangement were released: (i) a Communication from the European Commission to the European Parliament and Council, (ii) a draft adequacy decision of the European Commission, and (iii) its annexes containing various letters and assurances of US authorities’ commitments to the new arrangement. These annexes also include 7 Privacy Principles and 16 Supplemental Principles (substituting for the FAQ of the Safe Harbor scheme). The Privacy Shield will become enforceable upon the formal adoption of the relevant adequacy decision of the European Commission. The opinions and recommendations of various European bodies will be issued before such adoption. The Article 29 WP, for example, has already issued an opinion expressing its dissatisfaction with the draft adequacy decision, particularly emphasizing the need to add explicit wording indicating the application of the EU Data Protection Regulation to the data processing operations of the US controllers before the transfer of data. The WP has also emphasized the lack of clarity in the assessment of the US domestic data protection regime. In the event of the adoption of the Privacy Shield, the WP will probably also revisit the validity of Standard Contractual Clauses and Binding Corporate Rules as viable alternatives.
There is little doubt regarding the need for an agreement governing data transfers from the EU to the US. However, it is yet to be decided to what extent the EU authorities are willing to sacrifice data protection principles for the sake of economic growth and uninterrupted communication of data, since it is unlikely that the EU will be able to impose an entire legal regime on the US. After all, the term “adequate protection” used in the Data Protection Regulation does not imply an identical level of data protection and leaves leeway for interpretation, allowing certain discrepancies between the Privacy Shield and the Regulation to be ignored.
In order to provide legal certainty and steadiness in data transfers for commercial purposes, privacy seals and certification of individual organizations are arguably a better option, since the political issues influencing the Privacy Shield can be overcome by an independent commercial choice of US organizations. This can eliminate the pressure on the EU to ensure economic growth by compromising on some data protection principles enshrined in the Data Protection Regulation and settling on an inadequate legal framework between the EU and the US. The use of privacy seals and certification is of course without prejudice to the adoption of the Privacy Shield.
Piercing the privacy veil
Provided the Privacy Shield is adopted after lengthy negotiations and debates discussed above, it will operate through self-certification. Companies would be required to register annually with the US DoC, attesting to their compliance with the procedures and principles under the arrangement. In particular, companies should ensure that their privacy policies are in compliance with the Privacy Shield principles. However, in its representation letter the DoC did not commit to systematically checking such compliance prior to self-certification.
The possibility to present their own drafts of privacy policies gives US organizations a lot of leeway in manipulating and circumventing the vague privacy principles of the Privacy Shield. None of the major social media service providers (e.g. Facebook, Twitter, Google), previously adhering to the safe harbor framework, has joined a self-regulatory program, publishing instead their own privacy policies. The manipulation of incomplete and unclear privacy principles of the Privacy Shield could be eliminated by having the service providers adhere to a well-developed self-regulatory program. In this respect, renegotiating the terms of the Privacy Shield to require US organizations to join such programs would also provide EU data subjects with more reliable sources of the terms of the services they use.
The privacy principles constitute the core of the agreement and, apart from certain additions and details in the new principles, essentially repeat those of the US-EU Safe Harbor scheme. The essence of the new principles is not completely aligned with the text of the new Data Protection Regulation and the developed privacy vision enshrined therein.
In particular, the notice principle is more elaborate and includes new elements such as the obligation to notify of the type of information being collected, the liability for onward transfers, the data subjects’ right to access, etc. This principle, however, does not specify the timing of such notice, which is particularly relevant in scenarios where the data processing was initiated before the transfer, thus requiring an additional notice upon receipt of personal data by a US organization. The lack of specific rules on the timing of notifications about the transfer will allow data controllers and processors to circumvent the notice principle, justifying it with the service of an initial notice on data processing before the transfer. On the other hand, as a result of additional repetitive notifications upon transfer, the average user might not be able to distinguish them from the initial notice on data processing, thus undermining the role of notice to data subjects in the authorization of data transfers.
Even if the scope of the information to be provided to data subjects under the notice principle is in accordance with the Regulation, the same cannot be said with regard to the choice principle. It continues to rely on opt-out mechanisms in post-transfer processing operations (as opposed to the transfer itself) and fails to accommodate privacy-by-default mechanisms. The application of the choice principle is also limited to the use and disclosure of personal data and does not cover other types of processing, leaving data subjects without control over such operations and without tools to influence data processing operations.
The data minimization and retention principles of the Data Protection Regulation have also been neglected in the Privacy Shield. Instead, it sets forth that the limitations on data processing provided by the data subject’s consent should remain valid for onward transfers. The purpose limitation principle has been slightly amended to require additional consent for the use of data for purposes which are materially different (instead of being “incompatible”) from the original purpose of data collection. In order for this principle to serve its goal, the WP recommends making a clear reference to the purpose limitation in onward transfers of EU personal data to third parties. In general, it would be useful to have the purpose limitation as a separate principle in the Privacy Shield, to ensure its uniform application in all data processing operations, including in onward data transfers. In addition, the data minimization and retention rules can be reflected in the purpose limitation principle to ensure a harmonized regime with the Data Protection Regulation, as well as to avoid the unnecessary collection, use, or storage of personal information even if it serves the same purpose.
Upon onward transfers the companies will also have the obligation to enter into contracts and will remain liable for such subsequent transfers if the third party is acting as their agent, unless the company proves that it is not responsible for the damages. This presumption of liability is an improvement, since data subjects will be able to deal with only one entity in the transfers of their data. In order to achieve compliance with the data protection regime under the Regulation, the WP suggests having uniform definitions of the concepts used in the EU, including a reference to profiling activities as a form of data processing which should be covered by the Privacy Shield principles.
Overall, the privacy principles in the Privacy Shield remain unsatisfactory given their incomplete, vague, and inconsistent wording as compared with that of the EU Data Protection Regulation. The use of consistent terminology as well as due integration of all the principles enshrined in the newly adopted Regulation would significantly improve the legal regime of data transfers under the agreement between the EU and the US.
In FTC we trust (or do we?)
The Privacy Shield has been on the negotiation table since February 2016 and is being scrutinized as to its compliance with the improved data protection regime under the EU Data Protection Regulation. As discussed above, the content of the Privacy Shield principles arguably remains largely unchanged in comparison with the EU-US Safe Harbor. The Privacy Shield, nevertheless, is considered to be an improvement over the US-EU Safe Harbor in terms of its enforcement mechanisms. Even though these mechanisms have been supplemented and developed, the new arrangement has also raised a wave of criticism, particularly in terms of its enforceability and the derogations pertaining to the public interest and to national security and law enforcement purposes, since they allow data transfers to US authorities under specific circumstances. Essentially, these exceptions to compliance with EU privacy standards are a significant loophole in the adequacy of data protection under the Privacy Shield. The questionable value of the assurances and commitments by US authorities is at the heart of the dissatisfaction with the Privacy Shield. Some consolation can be found in the provision on the annual joint review of the Privacy Shield by the EU Commission and the US authorities (DoC, FTC), allowing the EU Commission to suspend the Privacy Shield if the US authorities fail to fulfill their commitments. In this respect, the WP also recommends clarity on the elements of the annual review.
New redress mechanisms have been introduced, providing data subjects with the ability to seek protection via complaint mechanisms, alternative dispute resolution, national data protection authorities, proceedings before the US FTC and DoC, and finally via judicial redress. These redress mechanisms are claimed to be time-consuming and ineffective. The multiplicity of mechanisms would have the opposite effect of redress and be inefficient given the time and effort consumers are required to invest in such mechanisms, even though they come at very little or no cost. Consequently, one might wonder whether these contemplated dispute resolution mechanisms would not actually hinder data subjects’ access to justice.
In this respect, it is worth noting that the Privacy Shield does not provide strict requirements for the independent alternative dispute resolution bodies that are designated by companies participating in the Privacy Shield scheme: such bodies must be located in the US or the EU, provide appropriate recourse for free, be able to impose sanctions and remedies, and publish a report of their activities each year. Nonetheless, these bodies are not obligated to provide guarantees (e.g. as regards their independence) and do not need to register with any authority. The Privacy Shield could be improved by providing that these bodies must register with the relevant data protection authority or go through a certification process; the companies participating in the scheme would then have the obligation to designate a registered or certified independent alternative dispute resolution body.
In addition, it has to be noted that the companies potentially participating in the Privacy Shield scheme will have no financial incentive to be in compliance, given the fact that no fines are imposed on them by virtue of their certification. On the other hand, the complaint mechanisms and the companies’ obligation to respond to data subjects’ complaints within 45 days might encourage compliance. Companies might prefer to comply instead of dealing with paperwork and the potentially costly obligation of responding to such complaints.
Alternatively, US organizations can choose not to participate in the Privacy Shield and use other adequate safeguards for cross-border transfers, such as standard contractual clauses. The post-Schrems period has shown that this alternative is time-consuming and costly, since every transfer of EU data subjects’ personal information for commercial or other purposes in the previously natural course of business requires contractual arrangements. The complexity thereof is likely to encourage self-certification to the Privacy Shield.
Even though the need for successful negotiations and a new arrangement between the EU and the US is indisputable, the text of the Privacy Shield requires clarification and improvement. The recent opinion of the WP has also cast doubt on the viability of the Privacy Shield, at least in its current shape, recommending that the European Commission provide clarifications and solutions to the concerns raised by the WP. In particular, the WP found that the terminology used in the Privacy Shield and the privacy principles emphasized therein need to be developed to ensure a consistent data protection regime for EU data subjects upon the transfer of their data to the US. In addition, the EU should insist on the inclusion of profiling activities as a special category of processing operations requiring a distinct legal regime, such as the explicit consent of data subjects. Moreover, adding some new principles (data minimization, data retention, purpose limitation) to those essentially repeating the Safe Harbor framework would benefit the harmonization of the Privacy Shield with the new data protection regime in the EU. The largest doubts remain in the sphere of data processing by US public authorities for national security and law enforcement purposes. The ability of US authorities to request personal data collected by Internet service providers under the Privacy Shield or with data subjects’ consent undermines the privacy principles and the limits to the processing of data negotiated between the EU and the US. It is quite ambitious to expect the US to disclose its motives for surveillance and data collection or to refrain from it for purely economic reasons. This would require a change in the national legal regime, which would be unrealistic to achieve under pressure from the EU. As these issues dominate the debate, the consumer protection aspects of the Privacy Shield connected to the commercial use of EU data are likely to be overlooked.
It is thus to be seen what solution can be achieved to ensure the safe systematic transfer of personal data from the EU to the US based on an international agreement (as opposed to the organizational tools that can still be used to avoid disruptions in data transfers).
The value of an arrangement between the EU and the US may be substantially increased if self-certification becomes acceptable only through adherence to self-regulatory programs, which, led by industry associations, are more efficient and sector-specific, as well as diligent in their policies, as opposed to the individual drafts of privacy policies of companies taking advantage of vague terms in the Privacy Shield.
Last but not least, the enforcement mechanisms need to be clarified. A single, well-elaborated redress mechanism can be more efficient than multiple ambiguous fora with questionable authority. This can be achieved, for example, by cooperation of EU data protection authorities with the FTC, which upon a data subject’s complaint to the EU authority will initiate proceedings and take a binding decision. This procedure can of course be followed by court proceedings at the expense of the company in question, but its efficiency will not suffer, since US organizations are likely to comply with the FTC’s decision instead of getting involved in lengthy judicial proceedings.
The Privacy Shield needs to provide a comprehensive legal framework for data transfers, in a way to ensure not only a matching level of data protection but also viable enforcement mechanisms. While this is largely a matter of political compromise, the real issue in the context of the commercial use of EU personal data concerns businesses and consumers. Therefore, the alternative safeguard mechanisms in the form of binding corporate rules for internal transfers and standard contractual clauses for external transfers should be favored. The contractual arrangements, however, are not always practical and are often costly. Thus, the encouragement of privacy seals and certification for individual companies should be considered as a crucial step to achieve internationally guaranteed data protection.