EU-US Privacy Shield: A viable alternative to Safe Harbour?

In a joint guest post, Rafi Azim-Khan, the European head of data privacy, and Steven Farmer, Counsel, for Pillsbury Law, set out the reasons why cloud firms and users must tread carefully around Safe Harbour’s replacement.

The European Commission and the US Department of Commerce have reached an accord on a new transatlantic data transfer protocol to replace the defunct ‘Safe Harbour’ agreement.

Known as the EU-US Privacy Shield, the new-look agreement was met with a mixed reaction from those relying on Safe Harbour (which was invalidated in October 2015) to shift EU data to the US. But is it really the cure-all solution that industry watchers in some quarters have heralded it to be?

Although the text of the new framework is not yet available, reported key features of the Privacy Shield include:

  • Stronger obligations to be imposed on US companies to protect the personal data of EU citizens, and stronger monitoring and enforcement to be carried out by the US Department of Commerce and Federal Trade Commission. It is yet to be confirmed how such activities will take shape.
  • Written assurances from the US that its government will not commit indiscriminate mass surveillance of data transferred pursuant to the Privacy Shield, and that government access to EU citizens’ data for law enforcement and national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms.
  • Similar to Safe Harbour, US companies wishing to rely upon the Privacy Shield will have to register their commitment to do so with the US Department of Commerce.
  • A “necessary and proportionate” requirement for when the US government can snoop on EU citizens’ data that would otherwise be protected.
  • New contractual privacy protections and oversight for data transferred by participating US companies to third parties (or processed by those companies’ agents).
  • A privacy ombudsman within the US to whom EU citizens can direct data privacy complaints and, as a last resort, a no-cost, binding arbitration mechanism for EU citizens.
  • An annual joint review of the Shield that would also consider issues of national security access.

While adoption of the Privacy Shield is arguably preferable to the gaping hole that was left by the defunct Safe Harbour, there are several issues that may undermine its value.

With the new framework not yet finalised, it is possible the threshold for keeping tabs on EU citizen data may not be satisfactorily defined. 

This could lead to the re-establishment of a vague legal standard subject to political whims on both sides of the Atlantic. The end result would be that companies relying on the Privacy Shield could be subjected to shifting policies and interpretations.

Additionally, if the annual joint review of the framework allows for it to be dismantled or substantially changed each year, then this could also diminish the certainty that US companies would seek to achieve through compliance.

All this raises the question of whether the Privacy Shield will offer a more valuable solution than those currently available to US importers of data. At this point, maybe not.

With uncertainty surrounding the Privacy Shield, other options for transatlantic data transfers – namely model contract clauses and binding corporate rules – are arguably more attractive alternatives for US companies transferring data from Europe at this point.

More will be revealed as the EU and US move closer towards a binding agreement, but at this stage companies might be better off considering the alternatives rather than putting all of their faith in the Privacy Shield.