On April 13, 2016, the Article 29 Working Party (WP29), an influential group of European data protection authorities, issued a non-binding opinion that criticized certain elements of the fledgling Privacy Shield framework. Although the Privacy Shield remains in limbo at this time, a flurry of speculation and Shield-adjacent legal maneuvers have colored the landscape and heightened concerns about its long-term viability.
The Privacy Shield was proposed in early February as a replacement for the EU-U.S. Safe Harbor framework following the Safe Harbor's demise in October 2015. The invalidation of the Safe Harbor left thousands of companies in search of alternatives to meet their cross-border data transfer needs, and introduced new uncertainty regarding the long-term sustainability of other mechanisms such as binding corporate rules and model clauses.
While declaring the Privacy Shield to be a significant improvement over the Safe Harbor framework, the WP29 found that the European Commission's draft adequacy decision concerning the Privacy Shield lacked clarity and was inconsistent. The opinion urged the Commission to clarify the text and to evaluate its provisions in light of the recently approved EU General Data Protection Regulation (GDPR).
Below we provide an overview of the proposed Privacy Shield, including a brief history, a summary of developments since the WP29's opinion was issued in April, and what to expect in the coming weeks and months.
Pursuant to European law, certain conditions must be met to lawfully transfer European citizens' personal data outside of the EU. Specifically, the Data Protection Directive of 1995 (as well as the forthcoming GDPR) prohibits transfer of EU citizens' personal data outside of the EU unless the recipient country ensures an "adequate" level of protection for the data. The U.S. has never been deemed adequate for these purposes, due in large part to the "patchwork" nature of state and federal privacy and security laws and lack of a comprehensive data protection framework.
In 2000, to address the concerns of companies doing business across the Atlantic, the U.S. Department of Commerce and the European Commission created the Safe Harbor framework, a self-certification mechanism by which a company could lawfully transfer personal data to the U.S. from the EU. Over the years, various constituencies expressed concerns about the actual level of data protection provided by the Safe Harbor; these concerns were amplified in 2013 following revelations regarding the U.S. government's surveillance activities.
In this context, in June 2014, an Austrian student named Max Schrems lodged a complaint with the Irish Data Protection Authority regarding Facebook's transfer of his personal data from its Irish subsidiary to servers located in the United States. This complaint ultimately led to the October 6, 2015 decision by the Court of Justice of the European Union (CJEU), which held that the Safe Harbor framework was invalid, citing flaws in the European Commission's original adequacy opinion that had approved the Safe Harbor.
Following the Schrems decision, the WP29 indicated that it would allow EU and U.S. authorities until the end of January 2016 to come up with a replacement data transfer mechanism before pursuing enforcement actions against companies that had relied on the Safe Harbor. In an effort to move the ball forward in the United States, Congress passed the Judicial Redress Act, which was signed into law on February 24, 2016. The Act extends certain rights to non-U.S. citizens under the Privacy Act of 1974 with respect to unlawful disclosure of their personal information, as well as the right to access and correct U.S. government records about themselves. The Act's passage addressed some of the CJEU's concerns expressed in the Schrems decision regarding the lack of legal recourse for EU citizens whose personal data may be collected by U.S. government agencies, but it generally has been viewed as a first step down a longer road.
Privacy Shield: Key Components
On February 2, 2016...