Alan Charles Raul is a partner in the Privacy, Data Security and Information Law practice of Sidley Austin LLP. You can follow his group at datamatters.sidley.com.
When the Court of Justice of the European Union (CJEU) struck down Safe Harbor last year, it did so on the basis that the European Commission had not determined whether European data transferred to the United States enjoyed the same protections as in the European Union. Despite the fact a recent Sidley Austin report found that many U.S. privacy protections are essentially equivalent—if not stronger—than the European Union’s in national security matters and comparable in other areas, the Commission clearly needed to replace Safe Harbor with something else to satisfy the CJEU and domestic privacy activists.
In early February, the Commission and the U.S. Department of Commerce concluded negotiations on a new framework dubbed the Privacy Shield and the text of the agreement was released yesterday. The deal constitutes an impressive array of findings, commitments and obligations to help get EU-U.S. data transfers flowing smoothly again. This is really good news, and should go a long way toward ameliorating the transatlantic digital tension that was exacerbated by the Edward Snowden disclosures in 2013.
The Commission has now determined, subject to further review and approval by other EU bodies, that the U.S. legal system for protecting personal information is "adequate." In other words, the Commission believes that the new Privacy Shield will provide EU citizens essentially equivalent protections in the United States to those they enjoy in the European Union.
The new principles of the Privacy Shield will require companies that choose to sign up to provide additional redress rights to EU individuals whose data was transferred to the United States, such as mandatory conflict resolution including arbitration at no cost to the complainant. Companies joining the Privacy Shield will also have to cooperate with EU privacy regulators, known as data protection authorities, with regard to human resources data that is transferred to the United States. U.S. companies will also have to provide expanded "access" rights to EU individuals, and expressly obligate their own data processors and other third-party service providers to which they forward EU data to agree to the Privacy Shield principles by entering into "onward transfer" contracts. The Federal Trade Commission, Department of Commerce and European data protection authorities all have increased monitoring and enforcement responsibilities under the agreement.
For companies that choose not to join the Privacy Shield, they will still be able to use other EU-approved mechanisms like binding corporate rules or contractual clauses for data transfers, at least unless and until EU privacy regulators assess later this year whether these methods are sufficiently robust. Hopefully they will not strike down these alternatives because that would represent another setback in digital trade across the Atlantic and raise real issues about whether U.S. companies are being discriminated against.
It is also significant that the U.S. intelligence community has provided the Commission with written assurances that data transferred to the United States under the Privacy Shield will not be subject to mass or indiscriminate surveillance. Although this does not actually represent a change in practice by U.S. national security agencies, the fact they were willing to communicate this in writing to another international jurisdiction demonstrates the importance to the United States of abating Europe’s surveillance concerns, and engaging in a broader and more informed international discussion of surveillance norms. Moreover, the United States agreed to establish an ombudsperson in the State Department to monitor and resolve any EU complaints about the nature and extent of U.S. surveillance conducted on data transferred under the Privacy Shield or other EU-approved mechanisms.
It is also important that President Obama recently signed the Judicial Redress Act into law. This will allow EU citizens to sue federal agencies if they believe their rights have been violated under the Privacy Act, just as U.S. citizens may now. This provision is subject to an important caveat: EU citizens can only bring suit provided the Attorney General determines the European Union is cooperating with the United States on commercial data transfers and is not impeding U.S. data collection for national security purposes—hopefully a manageable bar to clear if the Privacy Shield takes effect and the other transfer mechanisms remain valid. In essence, the Attorney General’s determination is a reciprocal "adequacy" determination, which should help maintain some balance and oversight of Europe’s actions. Of course, it leaves to be seen whether EU members states will ever apply to themselves the national security safeguards, checks and balances, and redress mechanisms that are in effect in the United States.
In all, the Department of Commerce and the EU Commission have demonstrated that both sides can be reasonable when it comes to something as important as preserving access to the digital information that is necessary to serve the best interests of consumers and businesses on both sides of the Atlantic. And they also showed they can cooperate even where important national security and law enforcement issues and exigencies are at stake. Substantive convergence on data privacy is actually closer than the rhetoric would suggest, and it is good to see mutual investment in working problems out in favor of international trade, political harmony and citizen rights.