Data protection and security in the area of e-commerce can be particularly tricky. Users are constantly leaving behind traces online – regardless of whether they are making online orders or simply surfing the web. Consumer data can be of great interest to businesses. It gives them the opportunity to advertise and make offers to potential customers. But which types of data are you allowed to store? [...]
EU-US Privacy Shield: What the replacement for Safe Harbour means for us
The successor of the EU-US data transfer agreement Safe Harbour is known as the Privacy Shield, and was officially introduced in mid-2016. The new data agreement is meant to guarantee that the U.S. will adhere to European data protection standards for data transmissions as they occur, for example, in everyday use of social media platforms. However, the U.S. is unwilling to address the basic demands of data protectionists and the European Parliament in many areas. What long-term impacts will this have on transatlantic data transfer?
The concrete settlement of a convention on the protection of European data had been officially confirmed by the European Commission in early 2016. After the European Court of Justice had rejected the Safe Harbour data protection agreement at the end of 2015, the European supervisory authorities initially approved a postponement until the end of January 2016 so that no data transfers to the USA should be controlled during that time. As a result, there was a sense of misgiving and uncertainty in many companies, because unlawful data transfers could impose fines from supervisory authorities.
The Privacy Shield as a tougher successor to Safe Harbour?
The Judicial Redress Act, which was pivotal in adopting the Privacy Shield, was signed by U.S. president Barack Obama on February 25th, 2016. This law gives EU citizens the opportunity to file a lawsuit in the U.S. if U.S. companies are guilty of a breach in data protection. At the beginning of July 2016, some EU member states had already agreed on the terms of the Safe Harbour resolution.
Finally, with European recognition for this new level of data protection, a new legal basis for transatlantic data traffic was created. In practice, this means that online services such as Facebook, Amazon, and Google can legally collect their users personal data, and forward these data packets to the USA. Europe finally gave their approval for this on the basis of the Privacy Shield agreements, in which the U.S. government ensures certain standards to raise data protection levels. This means that personal data stored in the U.S. is subject to roughly the same data protection as European standards dictate.
How are the data storage standards guaranteed by the USA?
U.S. Secretary of State John Kerry assured that an autonomous Ombudsperson, independent from the intelligence services, would be established through the State Department. EU citizens would be able to turn to the Ombudsperson with any legal issues. This point of contact will address all the concerns of private individuals, and provide information in specific cases as to whether the applicable law has been complied with.
Additionally, legal rights were granted to EU citizens. The companies involved must comply with the requests within 45 days. Interestingly, a free alternative arbitration procedure is also available. All EU citizens may alternatively turn to their national data protection authorities. They will then work with the U.S. Federal Trade Commission to endeavor to address the issue. Arbitration proceedings with an enforceable decision or award shall be the last resort if no other form of agreement can be found. All companies can also act in accordance with the recommendations of European data protection authorities, however companies that process personal data are obliged to do so regardless.
Once a year, data protection labels and data access functions are to be inspected. The EU Commission and the U.S. Department of Commerce carry out this review jointly, along with a team of experts. An annual data protection plan is organised to discuss the ongoing developments in American data protection law and its impact on EU citizens. A report to the European Parliament and Council will follow, which will be accessible to the public.
Specifically, legal data may be collected in six areas with the boundaries of these being interpretable. The six permitted areas for legal mass monitoring are classified as follows:
- The fight against terrorism
- The discovery of activities of foreign powers
- The fight against the proliferation of weapons of mass destruction
- Cyber security
- The protection of U.S. and allied forces
- Combatting transnational criminal threats
EU-US Privacy Shield: Up to 1456 certified U.S. companies
U.S. companies who wish to comply with Privacy Shield regulations have been able to adhere to the principles of the Privacy Shield since August 2016 through a self-certification process. The majority of the regulations that govern the Privacy Shield were already part of the Safe Harbour agreement. However, some requirements have been stepped up and extended, which means that the Privacy Shield will result in stricter requirements for transatlantic data carriers than its predecessor.
However, compatibility with the European standards on data security cannot come into question, as compliance with EU standards is mandatory for companies that process personnel data.
A list on the Federal Trade Commission’s website states all the companies currently certified for data collection. For the sake of integrity, it must be noted that various subsidiaries (e.g. Microsoft with 20 subcontractors) are to be added in addition to the listed companies.
Privacy Shield: Pros and Cons
The Privacy Shield Agreement brings some benefits to European users. A clear example of this is the purpose-setting principle, which will be an integral part of the EU basic data protection act. This means that data may only be recorded and processed to a pre-determined, unambiguous, and legally-permissible purpose. Furthermore, the rights of EU citizens have been strengthened, as they can complain about specific data protection violations by U.S. companies through various bodies, such as an Ombudsperson.
However, to critics of the Privacy Shield, the agreement does not go far enough yet. They believe that the demands of the European Court of Justice have not been sufficiently met, while disagreements have been artificially concealed. A proper investigation of the clauses in the Privacy Shield by the European Court of Justice would subsequently not be positive. The strikingly small differences to Safe Harbour are directly denounced, and many critics speculate that the Privacy Shield has not been able to close various data protection holes.
Similarly, mass surveillance measures are not subject to a proportionality test, which is against European law. The position of the U.S. as the central controller is still intact and an investigation by national supervisory authorities does not seem to be taking place. Urgent, important controls for big U.S. online companies have not been administered either, which suggests a breakdown of the renewed resolution.
The consequences of Privacy Shield rulings
Within the EU, the EU-US Privacy Shield does not provide effective relief for many companies, since the new regulations only contribute minimally to legal security. Many online companies are dependent on the transatlantic transmission of data in the legal framework, such as in court proceedings. Even if recipients of the data packets in the U.S. can certify themselves in compliance with the regulations of the new data protection shield, they are not protected against the new concept before new judicial decisions.
Therefore, it is conceivable that many companies do not rely on the privacy shield and therefore do not use a data transmission based on the new resolution. A safer alternative would be, for example, the implementation of EU standard contract clauses. However, even in this case, no absolute legal certainty is guaranteed. The Irish data protection authority has already stated that these guidelines are also subject to legal scrutiny. The discussion about the meaning of the Privacy Shield rules is unlikely to level-off any time soon. Those companies which had hoped for an unambiguous, legally unobjectionable regulation will have to wait for the judicial review of the agreement.
When companies continue to rely on the EU standard contract clauses for data transfer, they are no safer than Safe Harbor regulations. Data protectionists emphasise that the arguments that were already being highlighted and criticised about the Safe Harbour agreement would also apply to the clauses of the regulations currently applicable under EU law – and as a result those regulations would not stand up to an exact legal scrutiny.
In the end, it is evident that personal data transfer to the U.S. will continue to be an uncertain field for companies. The transfer of data to the U.S. remains within the framework of the currently applicable regulations rather than a legal grey zone. The companies concerned are advised to closely monitor any developments in data protection law. At the beginning of 2017, the EU Justice Commission announced a more detailed examination of the Privacy Shield regulations in the wake of the formation of President Trump’s government.