'No Quick Fix' After Privacy Shield
As fallout from the annulment of Privacy Shield continues, industry and regulators in the U.S. and EU are struggling to decide how to maintain trans-Atlantic personal data flows, they said. The European Commission plans to launch an “adoption process” for new data transfer mechanisms in “the coming weeks” and hopes to finalize it by the end of the year, European Commissioner for Justice Didier Reynders said Thursday, noting there won't be any "quick fix."
U.S.-EU talks on a potential Privacy Shield replacement are ongoing (see 2008100025). Possible solutions could be data localization and a global tightening of national surveillance laws, said some we spoke with. Modernization of standard contractual clauses (SCCs), the most widely used transfer mechanism in Europe, is vital in light of the Schrems II decision (see 2007240031) and Wednesday’s announcement that the Irish Data Protection Commission (IDPC) is seeking to block Facebook from using SCCs for EU-U.S. transfers, Reynders told a Brookings Institution panel.
The July 16 European Court of Justice (ECJ) decision was on a challenge in Ireland by Max Schrems against Facebook's transfer of his personal data to the U.S. (see 2007160002). Since then, it has been a "very confusing time," said Covington & Burling privacy attorney David Bender in an interview.
The Department of Commerce and FTC say they will continue to enforce PS while acknowledging it's invalid, Bender noted. The main avenue for enforcing privacy law is Section 5 of the FTC Act, which prohibits "unfair" or "deceptive" trade practices; companies that certify and then fail to adhere to PS principles are engaging in a deceptive practice. The agencies say they will hold companies to their certifications, enforce them and take new applications for certification, Bender said, but he would be surprised if the FTC enforced PS now. DOC updated its FAQs Aug. 20 to say organizations should continue to participate in PS because it "demonstrates a serious commitment to protect personal information." The FTC didn't comment Friday. DOC referred to a previous statement.
The European Commission intends to ensure compliance with the judgment while giving businesses certainty, Reynders said at a Sept. 3 European Parliament Civil Liberties, Justice and Home Affairs Committee meeting. The EC will modernize SCCs to reflect the EU high court's concerns about when these provisions can be used, he said. Finalizing this work is a "top priority" that could be completed by year's end, he said.
The EU is exploring the possibility of a stronger framework with the U.S., Reynders said: There's a "common willingness" to comply with the ECJ judgment, but there "will be no quick fix" because the ruling raised sensitive national security concerns. It provided a possible way forward, such as fixing redress provisions, he said. It's possible to build on existing elements of PS, but legislative changes are also needed, he said. The U.S. domestic debate on privacy indicates there may be a better chance to make changes now than before PS, Reynders added.
DPAs
National authorities are also involved in decision-making.
The EC believes SCCs “can continue to provide companies with an easy to implement tool” to meet data protection requirements when transferring data, Reynders said. He noted EU data protection authorities (DPAs), including in Germany, already issued the first guidance document explaining requirements in light of Schrems II. The commission will work with the DPAs in the coming weeks and months, he said, as further guidance is “deadlocked.” The IDPC’s decision means the commission’s work is “even more important and urgent,” and the commission will “intensify” its work on additional guidance.
The commission is working on a “broad toolbox” for international transfers adapted to different sectors, business models and countries of destination, Reynders said at the Brookings event. It includes a modernization of SCCs. The commission has worked for the past months to fully align SCCs with the EU’s general data protection regulation and ensure they’re adapted to “today’s digital economy,” he added. Countries are adopting privacy laws with the same core principles and rights as the EU’s GDPR, and it would be good for the U.S. to do the same, he said.
The European Data Protection Board (EDPB) is preparing additional support for organizations, and is looking for a consistent approach across the European Economic Area, said Chairman Andrea Jelinek. There's no one-size-fits-all solution, she said: Each organization will have to evaluate its own data transfer practices and make appropriate changes.
There's no room for a new deal unless the European Charter of Human Rights is overturned or the U.S. amends its surveillance law, Schrems said. He has filed 101 identical complaints with DPAs on data controllers in several countries using Google/Facebook services that involve personal data transfers, the EDPB said. The complaints allege the two companies shift personal data to the U.S. based on PS or SCCs, but that under the ECJ judgment, the controllers are unable to ensure an adequate protection of complainants' personal data. A newly created EDPB task force will analyze the cases and make recommendations.
Enforcement
DPAs are bringing PS enforcement actions.
The IDPC, handling Schrems' original cases, may preliminarily bar Facebook from sending Europeans' personal data to the U.S. Schrems said the regulator was "again only investigating one slice of the problem -- as they have done twice already in the investigations on Safe Harbor and the SCCs."
The IDPC has “commenced an inquiry into Facebook-controlled EU-US data transfers, and has suggested that SCCs cannot in practice be used for EU-US data transfers," Facebook Vice President-Global Affairs Nick Clegg announced Wednesday. The company didn't comment for this news article.
Could data localization offer a way forward? The European Data Protection Supervisor "is looking at this as a key element" of a data strategy with "the development of common European data spaces in strategic economic sectors and domains of public interests," a spokesperson emailed. See also opinion 3/2020. One concern with data localization is that the Clarifying Lawful Overseas Use of Data Act gives U.S. authorities the ability to force a U.S.-based company to grant access to data even if it's stored abroad, limiting the usefulness of data localization, emailed Linklaters privacy attorney Tanguy Van Overstraeten. It may be too expensive for U.S. companies to export the same quality of service to Europeans as they offer in the U.S. plus store data in Europe, he added.
The Council of Europe urged governments to boost personal data protections. The human rights organization asked countries Sept. 7 to establish a new international accord on safeguards. Asked whether, given national sensitivities about intelligence surveillance, it's likely governments such as the U.S. would agree on such a treaty, Committee of Convention 108 Chair Alessandra Pierucci emailed: "We count on the role US firms can play in working with the US government for such a change in order to ensure smooth data flows between the US and EU after Schrems II. Things have considerably evolved since Schrems 1 [which overturned Safe Harbor] and in the near future political conditions in the US may be favorable for such a discussion."
During the Brookings event, Reynders was asked if EU and U.S. officials are discussing potential changes to the Foreign Intelligence Surveillance Act or executive order 12333 (see 2003300055) as part of negotiations in response to the Schrems II decision. To give concrete answers to the European Court of Justice, it’s important to “analyze possible legislative change in the U.S. about different elements” including national security and the appointment of a privacy agreement ombudsperson in the U.S. (see 1911140013), he said: “The American authorities are in the best position to analyze that and see what are the possible rules.”
After reviewing the Swiss-U.S. Privacy Shield regime in light of Schrems II, the Federal Data Protection and Information Commissioner said the regime doesn't provide adequate protection for data transfers. However, the office "has no influence on the continued existence" of the system, and organizations can use it as long as the U.S. doesn't revoke it.