CIOs should hope for the best but prepare for the worst when transferring personal information across the Atlantic. That’s the advice of experts watching the European Commission conduct its second annual review of the Privacy Shield data-sharing agreement.
Privacy Shield allows businesses to export the personal information of their customers or employees to the U.S. while still complying with the EU’s strict privacy laws, and replaced the Safe Harbor Agreement, which was invalidated by the EU’s top court in October 2015.
The Commission made 10 recommendations for improvement in its first review last October, and if it is unhappy with the response of the U.S. administration to these, it could theoretically suspend or cancel the agreement.
“That would be the worst-case scenario. There would be a lot of uncertainty regarding data transfers around the world,” said Thomas Boué, director general of policy, EMEA, at BSA The Software Alliance. BSA’s members include Adobe, Apple, Microsoft, Oracle, Salesforce and Workday, all of which rely on the processing of personal data for part of their business.
That scenario is something Aaron Tantleff, a partner at law firm Foley & Lardner, is telling his clients to prepare for. “I’m advising everyone that’s relying on Privacy Shield to make alternate arrangements, to have a backup plan — not because I suspect Privacy Shield is going to be suspended in the next 30 days but because Privacy Shield will be, in the future, modified or suspended at some point.”
The backup plan Tantleff has in mind is to adopt another legal basis for data transfers, such as binding corporate rules (BCRs) or model clauses. BCRs govern intra-company transfers, and so are ideal for businesses transferring data to or from subsidiaries for payroll processing or for other HR matters. Model clauses are standard contract terms covering personal data transfers that already have the approval of EU authorities. Some enterprises may already have these in place, or at least have studied them during the interregnum between Safe Harbor and Privacy Shield.
The U.S. has made progress on some of the recommendations contained in the first review, including the confirmation of a new chairman and additional members of the Privacy and Civil Liberties Oversight Board (PCLOB), which ensures that the U.S. executive branch weighs privacy and civil liberties concerns when developing new anti-terrorism legislation.
The Senate has still not confirmed the appointment of an independent ombudsperson to respond to questions about access by U.S. law enforcement officers to the personal information of Europeans, although an acting ombudsperson, Manisha Singh, was designated in September. Boué is unconcerned by the lack of confirmation: as he notes, the ombudsperson is backed up by a team of 200 or so staff dealing with cases, and they will continue to do that, confirmation or no confirmation.
Another area may prove trickier to resolve: possible conflicts between EU and U.S. legislation, notably the Cloud Act. This extends U.S. jurisdiction to personal information stored outside the U.S. — potentially the very same personal information that the EU’s recent General Data Protection Regulation (GDPR) is designed to protect. The fear is that, if a business hosting such data receives a request from U.S. law enforcers to turn it over, it could be damned if it does (by the GDPR), and damned if it doesn’t (by the Cloud Act).
According to Tantleff, “A number of clients are sitting there biting their nails. They don’t believe they’re compatible with one another.”
The Commission may be looking for clarity on this point, and also raising concerns that the Foreign Intelligence Surveillance Act, renewed since the last Privacy Shield review, erodes EU citizens’ fundamental privacy rights by allowing U.S. surveillance of their communications.
As for the other outstanding issues highlighted in the last review, the Commission is pragmatic. Despite a call from the European Parliament to suspend Privacy Shield if the U.S. did not address them all, it knows that EU businesses rely on the transatlantic flow of data as much as their counterparts in the U.S. do, and is likely to delay action or seek compromise rather than risk disrupting a trade relationship worth around $1.1 trillion.
The Commission said Friday that it will publish a report containing its findings on the functioning of the Privacy Shield before the end of the year.
Principles, not pragmatism, reign at another EU body, the Court of Justice. This is the court that so suddenly and unexpectedly put an end to Safe Harbor in 2015, on the grounds that the protections it provided were inadequate under EU privacy law. It has also been asked to rule on the adequacy of Privacy Shield, although its judgment will come much later than the Commission’s, probably some time next year.
Once again, enterprises can hope for the best — but they should also prepare for the worst.
And it could get a lot worse, as the Court of Justice is also deliberating another case, challenging the use of model contract clauses to protect transatlantic data transfers. This was brought by Max Schrems, the same plaintiff who triggered the ruling overturning Safe Harbor.
Boué encouraged enterprises to prepare by ensuring that they have the most appropriate data transfer mechanisms in place for their purposes. Many companies are already counting on a combination of Privacy Shield, BCRs, model clauses and customer consent to cover all bases.
“We live in this period of uncertainty about data transfers. Let’s hope all goes well but if it doesn’t, they should have a plan in place to shift and switch,” he said.