Privacy Shield: Imperfect and incomplete

Adoption of Privacy Shield is unlikely before June 2016, and the scheme is likely to be challenged by national data protection authorities and individuals, writes Huw Beverley-Smith

In February 2016, the European Commission (EC) published a draft proposal for a new Privacy Shield to replace the US-EU Safe Harbour scheme.

Safe Harbour was used by more than 4,000 companies from 2000 until 2015, when the Court of Justice of the European Union decided it did not provide an adequate level of protection for EU citizens’ personal data.

The Privacy Shield draft proposal was detailed and comprehensive, although somewhat complex in its architecture. It was generally well received by businesses – many of which had vigorously lobbied the US government to agree a workable solution – as a significantly improved practical scheme.

Despite the looming threat of co-ordinated enforcement action by European privacy regulators, a replacement for the Safe Harbour was never going to be a quick fix.

The Privacy Shield is now proceeding through a committee procedure which is as intelligible to US businesses as the US presidential election system is to most Europeans. The second key stage has recently been reached – an opinion issued by the Article 29 Working Party (WP29), a body drawn from representatives from European privacy regulators.

The opinion of a highly influential, impartial, advisory body was never likely to be a rubber stamping exercise. The 58-page document is thorough and detailed and anticipates many likely objections from privacy activists.

While non-binding, the WP29’s opinion sets out changes that the EC may be obliged to adopt. While it welcomed the significant improvements brought by the Privacy Shield compared with Safe Harbour, the WP29 expressed a number of significant concerns regarding the commercial and national security surveillance aspects of the Privacy Shield.

Outstanding issues

On the commercial side, the WP29 identified several areas where the Privacy Shield does not accurately reflect some key European Union (EU) data protection principles.

For example, the rights of data subjects in respect of automated decision making, including the right to know the logic involved in the decision making process, have not been reflected.

This has important implications for any business using software to assess, for example, credit-worthiness or workplace performance.

The WP29 was concerned with the lack of an explicit data retention rule and ambiguities regarding the purposes for which personal data may be processed.

This has particular implications for the data analytics industry. It continually needs to strike a difficult balance between the commercial urge to retain large amounts of data for its potential future analytical value, and two basic principles of EU law: that personal data should not be kept for longer than necessary, and that it should not be used for purposes other than those for which it was originally collected.

Cross-border implications

The WP29 acknowledged that the Privacy Shield should not be seen solely as an EU to US transfer mechanism.

In practice, many US businesses will make further transfers for sub-processing in third countries, which may not necessarily have effective controls on the exercise of government powers.

The Privacy Shield strengthened Safe Harbour’s provisions relating to onward transfers to third-party processors and imposed greater accountability on US organisations.  

However, the WP29 highlighted potential loopholes in that onward transfers to third countries could allow unfettered access by public authorities in those third countries to personal data for surveillance purposes.  

It recommended that organisations signing up to the Privacy Shield should be obliged to assess the adequacy of the national laws applicable in those third countries before making a transfer. 

On the broader issue of government access, the WP29 criticised the Privacy Shield’s derogations for national security purposes – the very issue which led to the demise of Safe Harbour.

Specifically, the WP29 opinion highlighted that the US government does not rule out the massive and indiscriminate collection of personal data originating from the EU.

Next steps

The Privacy Shield is still subject to final approval from the European Commission. Over the coming weeks, further committees will offer their opinions, including those of the Article 31 Committee of Member-State Representatives.

Adoption is unlikely before June 2016 and, even then, the scheme is likely to be challenged by national data protection authorities and individuals.

In the meantime, businesses on both sides of the Atlantic are relatively powerless bystanders in what is essentially a political process.

While deliberations continue, the only practical short-term solution is signing the (somewhat clunky) model contracts for data transfers in a form mandated by the EC. More comprehensive solutions, in the form of binding corporate rules, take far longer to get approved and implement.

Privacy generates emotive reactions, even when it is balanced with other EU fundamental rights. The Privacy Shield may not be a perfect solution. It does, however, build on and hugely improve the Safe Harbour scheme.

Hopefully, that bigger picture will not be lost in implementing a workable solution for international data transfers. One way or another, those transfers simply have to happen, both for fundamental rights such as the freedom to conduct a business and for security.

Huw Beverley-Smith is a partner in the London office of US law firm, Faegre Baker Daniels.