After 20 years of relative calm regarding the handling of personal data of EU citizens by U.S. companies, events over the past six months have instigated widespread reform. While the resolution is yet to be confirmed, the building blocks for a modern, cross-border data privacy agreement have begun to take shape.
The before
In 1995, the European Commission issued the EU Data Protection Directive, which at the time revolutionized the concept of personal information data protection. While components of the directive have demonstrated strong foresight, the need to update several of the directive’s provisions has grown glaringly apparent.
Perhaps the greatest deficiency of the directive is that it is only advisory legislation and does not require adoption by all EU member states. As a result, the application of privacy rules varies widely from one EU country to the next.
The possibility of having 28 separate versions of privacy law within the EU chilled the prospect of many U.S. companies conducting commercial transactions with EU citizens. This motivated the “Safe Harbor” provision, which permitted U.S. companies to, in effect, conduct “one-stop shopping” in guaranteeing the safe handling of personal information of EU citizens. This review process was done through self-certification.
This lack of oversight became widely exposed when Max Schrems won his case on Oct. 6, 2015 in the Court of Justice, which held that no EU provision had the outright authority to divest a member state’s Data Protection Commissioner of the ability to investigate a citizen’s complaint. The court took the matter one step further by ruling that the Safe Harbor agreement be permanently invalidated.
[ ALSO: Doom or delight? Court ruling on Safe Harbor brings uncertainty to privacy dealings ]
The Schrems ruling elicited great concern for those U.S. companies. The directive does provide alternative means of complying with protecting data, but none of them are universally practical for all businesses.
The now
On Feb. 2, 2016, a few days past the deadline set by the Article 29 Working Party, it was announced that the U.S. Department of Commerce and the EU Commission had reached agreement to a version of “Safe Harbor 2.0” called the EU-U.S. Privacy Shield. On Feb. 29, 2016, the initial draft of the proposed Privacy Shield was publicly released.
It might be premature to dissect the minutia of the proposal, as it still must undergo several levels of review before it actually goes into effect. Nevertheless, the current draft provides insight into what the Department of Commerce and the EU Commission have already determined to be an acceptable compromise.
Many elements of the Privacy Shield were included to counter deficiencies the EU Court of Justice mentioned in Schrems. For example, the Shield requires each U.S. company possessing data of an EU citizen to establish an internal and readily-available method to receive and process complaints free of charge to EU citizens. There is also a precise timeline for complaint response. To counter one of the greatest concerns raised in Schrems, U.S. law enforcement seeking access to such data must give EU citizens a method of legal redress, as is presently underway with amendments to the Judiciary Redress Act proposed by the Obama Administration on Feb. 24, 2016, and forwarded to Congress.
The self-certification process appears likely to continue after approval of the Shield, but under much stricter oversight. The U.S. Department of Commerce will be required to conduct yearly review of the efficiency of the Shield’s operation and verify the applications of U.S. companies claiming compliance. The U.S. Federal Trade Commission will also participate in this overview process. EU citizens cannot complain directly to these agencies, but can file a complaint with their local Data Protection Authority who can then approach the U.S. agencies on the citizen’s behalf.
New processes will be created to further ensure EU citizen protection. The U.S. State Department must create an Ombudsperson mechanism, independent of any U.S. federal agency, to also handle complaints from EU citizens, to advise such citizens as to their legal remedies, and to publicly publish the results of its investigations in the Federal Register. Complaints incapable of being resolved by any of the aforementioned methods will be forwarded to binding arbitration, paid from a fund to be established intended to minimize or eliminate any cost to complaining citizens.
Until the formal adoption of the Privacy Shield, however, U.S. companies continue to be at increased risk of privacy violations while handling and/or processing EU citizens’ personal data during the period between the abolition of Safe Harbor and the passage of the Shield and should, therefore, tread carefully. Adding to the uncertainty is the current consideration of the proposed General Data Protection Regulation, intended to supersede the directive, now pending before the EU Parliament. And how privacy versus security concerns over such terrorist incidents as the one that occurred in Brussels might influence the pending decisions of EU government officials is impossible to accurately factor into this mix.