On March 22, 2016, the International Association of Privacy Professionals (IAPP) hosted a podium discussion in Brussels on the new EU-US Privacy Shield. Alston & Bird co-hosted the event, which featured two top-notch privacy luminaries from EU legislative and oversight bodies:
- Mr. Giovanni Buttarelli, the present European Data Protection Supervisor (EDPS).
- Mr. Bruno Gencarelli, Head of the Data Protection Unit within the European Commission’s Directorate-General for Justice and Consumers.
Mr. Gencarelli—who served as one of the Commission’s Privacy Shield negotiators—opened the event by speaking on the previous Safe Harbor regime and new features of the Privacy Shield. Mr. Gencarelli described Safe Harbor as a “victim of the passage of time”—having been introduced in 2000, it was ill-suited to deal with ever-increasing transatlantic data flows. He noted that the Commission began working towards fixing Safe Harbor’s shortcomings in 2012, and that the intervening Schrems decision of the European Court of Justice (ECJ) provided a roadmap for the Commission’s further talks with US negotiators.
Mr. Gencarelli then turned to the recently-released US-EU Privacy Shield and discussed what he described as Privacy Shield’s four most prominent “areas of improvement” over Safe Harbor—each of which corresponds to data-transfer requirements expressly laid down by the ECJ in Schrems:
- More stringent constraints on companies who wish to process personal data, coupled with tighter supervision of such companies through US agencies. According to Mr. Gencarelli, Safe Harbor suffered under the criticism that it contained compliance loopholes and was little more than a check-the-box system without real agency oversight. The Privacy Shield, through express Privacy Principles for processing, now creates robust processing restrictions resembling EU rules. Furthermore, US agencies have committed to monitor US companies throughout their participation in Privacy Shield, and to become more responsive to data-subject complaints.
- Clear and written limitations on access to personal data by national authorities. The Privacy Shield contains written assurances that American national-security agencies will not engage in a combination of limitless collection and limitless access to personal data transferred from the EU. According to Mr. Gencarelli, negotiating this issue “was not an easy area” (as most US observers would imagine), but doing so was essential under the Schrems decision. Key for EU negotiators was obtaining clarification on surveillance reforms introduced by the Obama administration following the Snowden revelations, combined with Privacy Shield provisions requiring regular reporting and reviews on US surveillance.
- An effective system in which complaints are heard and resolved. Mr. Gencarelli noted a common criticism of Safe Harbor was that complaints by individual data subjects were not resolved. The Privacy Shield fixes this issue by providing for a number of “accessible and affordable” avenues of redress, culminating in a Privacy Shield arbitration panel empowered to render decisions when data subjects feel US agencies have not provided an adequate remedy. Moreover, Privacy Shield’s State Department Ombudsman is a “brand new” mechanism intended to introduce redress possibilities into the national-security arena—an arena where US law traditionally provides no redress.
- Regular, ongoing, and meaningful monitoring of all aspects of the Privacy Shield. According to Mr. Gencarelli, periodic review of Privacy Shield implementation “will not be a formalistic exercise.” The Commission has set forth “clear criteria” for its reviews, and will suspend the Privacy Shield scheme if it concludes that essential aspects—such as redress avenues—are not being implemented.
Mr. Gencarelli closed by discussing the next steps in the Privacy Shield process. The Commission plans to seek the opinions of the Article 29 Working Party and the EDPS on its draft adequacy determination, and, if it receives a “green light,” to do the same with EU member states. If all parties approve, the Commission hopes to have an adequacy decision in place by June.
Mr. Buttarelli then took the floor and generally discussed the EDPS’s perspective on Privacy Shield thus far. The EDPS’s view on Privacy Shield will play a deciding role in whether the Privacy Shield is determined to provide adequate protection for data transferred to the US.
- Mr. Buttarelli opened by expressing his respect for the Commission’s hard work in negotiating and drafting the Privacy Shield. Having been involved in the 1998-2000 Safe Harbor negotiations, he understood the substantial commitment needed to bring an agreement to the point where Privacy Shield now finds itself.
- Mr. Buttarelli, who formerly served as a national data protection commissioner, noted that national Data Protection Authorities were never enamored of the “beauty of Safe Harbor.” He then noted that EDPS sees Privacy Shield as on the “right track,” but that further questions may well arise that require further negotiations.
- In particular, Mr. Buttarelli mentioned that EDPS will be evaluating the extent to which Privacy Shield’s oversight and redress mechanisms can be considered “future proof” (e.g. after a change in presidential administrations). Relatedly, Mr. Buttarelli indicated that “soft commitments,” to the extent EDPS considered them reliable, could be considered as part of the US legal order for purposes of judging the adequacy of Privacy Shield mechanisms. In coming to such a conclusion, EDPS is considering comments by NGOs and legal experts regarding the ambiguity of commitments contained in Privacy Shield’s substantial materials on national-security derogations. Also, Mr. Buttarelli indicated that any adequacy opinion would be considered a “living instrument” subject to periodic review.
- Mr. Buttarelli closed by stating that his office is working hard to produce an adequacy opinion immediately following that of the Article 29 Working Party.
Alston & Bird’s Brussels-based Cybersecurity and Data Privacy team is closely following negotiations surrounding Privacy Shield as they unfold. Our summary of Privacy Shield’s provisions can be found here.