Executive summary:  The EU’s standard contractual clauses may be on the fast track to invalidation, putting a vast number of personal data transfers from the EEA at risk.  A case brought by Maximilian Schrems (whose first complaint resulted in the invalidation of Safe Harbor) has been referred to the EU’s highest court, via a 153-page Irish High Court decision that provides ample ammunition to those who would like to see the standard contractual clauses struck down.  Although aimed at Facebook, the consequences of the decision are virtually certain to affect all US companies that rely on the standard contractual clauses.

Many companies around the world rely on the EU’s standard contractual clauses (also known as the model clauses, and referred to in this article as the “SCCs”) as the legal basis for transferring personal data from the European Economic Area (EEA) to countries whose privacy laws have not been found adequate by the EU Commission.  The SCCs are private contracts, and while some EEA countries require that parties that enter into SCCs deposit a copy, other countries do not, so no one knows for sure how many companies rely on the SCCs.  But the answer is probably “an awful lot of companies.”  Given the data flows between the EEA and US, and the fact that, as of today, only around 2,500 companies rely on Privacy Shield as the legal basis for the data transfers, it’s safe to assume that for US companies, the standard contractual clauses are the primary mechanism for transferring personal data to the US.

The SCCs have been subject to a legal challenge by Maximillian Schrems (often called the Schrems II case) that has just reached a critical inflection point: The Irish High Court has just issued a decision referring to the Court of Justice of the EU (CJEU) the question of whether the SCCs are invalid.  The main thrust of the invalidity argument is the assertion that US national security laws do not offer adequate levels of protection for the rights of EU residents.  In particular, the argument runs, EU residents lack a meaningful remedy before US courts for uses of their personal data by US national security agencies that are inconsistent with those persons’ rights under EU law. Continue Reading Will the EU box itself in?  Fate of Standard Contractual Clauses (aka the Model Clauses) for personal data transfers is now in the hands of the EU’s highest court

Even president-elect Donald Trump has been the victim of a data breach. Several times actually. The payment card system for his Trump Hotel Collection was infected by malware in May 2014 and 70,000 credit card numbers were compromised by the time the hack was discovered several months later.  The hotel chain paid a penalty to the State of New York for its handling of that incident.  The hotel chain also experienced at least two additional breaches during this past year affecting various properties. From a business perspective, Mr. Trump certainly understands the high costs of cybersecurity in dollars and distraction. But from the Oval Office, it is far less clear what the Trump Administration might do to secure our country’s digital infrastructure and prosecute cybercriminals. Equally uncertain are Mr. Trump’s views on privacy rights and how his presidency might affect federal protections for personal information and cross-border transfers of data. We do not have a crystal ball, but offer some thoughts. Continue Reading The Cyber President? What To Expect From the Trump Administration On Cybersecurity And Privacy

The Article 29 Working Party (WP29) has released a brief updated statement on the final form of the Privacy Shield adequacy decision and supporting annexes.  WP29 is an important advisory group made up of representatives of each of the EU’s national data protection authorities.   In a nutshell, WP29 has said that Privacy Shield isn’t perfect, but it will wait until the first annual review to raise specific objections, which gives the Privacy Shield program enough time to get up and running.  The WP29 statement promises  that, during the first annual review of Privacy Shield, “the national representatives of the WP29 will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.”  WP29 goes on to say that “[t]he results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses.”

While WP29’s statement has been interpreted by at least one legal news source as a one-year moratorium on Privacy Shield litigation,  that seems rather unlikely.  The WP29 does not have  the legal power to deprive any EU data subject of his or her right to challenge Privacy Shield on human rights grounds, or to materially delay such a challenge.  If a national DPA refused to hear a complaint on the basis of the putative WP29 moratorium, the national courts would most likely find against the DPA.

A more modest — and realistic- – interpretation of the WP29 opinion would be that the DPAs themselves won’t seek to scupper Privacy Shield during its first year.  Instead, they will leave that to Max Schrems and other individuals who remain skeptical of the EU-US privacy deal.

The EU Commission has formally adopted Privacy Shield and the US Department of Commerce will go live with a new Privacy Shield registration website on August 1.  US companies that had been registered under Safe Harbor will need to complete a new internal review, self-certification and registration to take advantage of Privacy Shield.

Much of the negotiation of Privacy Shield has focused on enforcement and oversight of the program by US authorities (as well as on the US intelligence agencies’ own collection and use of EU personal data).  Companies that are already familiar with Safe Harbor will find Privacy Shield’s general privacy principles to be very similar.  However, companies will want to take note of the more stringent conditions for onward transfers to third parties, which are likely to require companies to review their contracts with service providers and business partners.  Companies will also need to scrutinize their data retention practices carefully.  Overall, annual data protection reviews will be necessary as part of continued self-certification. The Department of Commerce is expected to take a more active role in proactively monitoring compliance, so companies will need to be prepared for inspections even if no complaints have been made.

The final version of Privacy Shield and its appendices, along with a press release and FAQ, are available here.

 

The final version of Privacy Shield (which has not yet been officially published) passed the Article 31 Committee vote on July 8th and is being presented today to the LIBE committee of the European Parliament.  LIBE’s vote is advisory, but it may provide some early indications as to how well Privacy Shield will survive anticipated legal attacks once it is formally adopted and implemented.

Formal adoption of Privacy Shield is widely expected to happen this week.  Once that happens, the US Department of Commerce or FTC  should publish the final text and start processing registrations.  Companies considering certifying under Privacy Shield should note that it requires a greater degree of internal scrutiny and documentation than Safe Harbor did.

Companies that have put standard clauses in place following the demise of Safe Harbor will want to consider the pros and cons of participating in Privacy Shield rather than continuing to rely on the standard clauses.  Neither approach is guaranteed to be risk-free: The standard clauses have been sent to the Court of Justice of the EU for review under the second round of the Schrems case in Ireland, and Privacy Shield is virtually certain to end up before the Court of Justice at some point within the next year or two.

According to several news reports, the Commission has sent a revised draft of the Privacy Shield adequacy decision to the Article 31 Committee.  One tech industry news source, Ars Technica, has made available a purportedly leaked draft of the version of Privacy Shield that is being reviewed by the Article 31 Committee.  The Commission has reportedly asked  the Committee to vote to adopt Privacy Shield on Monday.  Whether or not the Article 31 Committee will act swiftly remains to be seen, but we expect further news early next week.

While it’s making few headlines, the European Commission is still working to finalize Privacy Shield, and it’s even possible that Privacy Shield will pass a key hurdle by the end of this month.  The Commission is still scrambling to address the concerns raised by the Article 29 Working Party and the European Data Protection Supervisor concerning the Privacy Shield arrangements that the Commission had negotiated with the US.  (The European Parliament has also criticized Privacy Shield.)  Some of the concerns raised so far have made it necessary for the Commission to negotiate further with the U.S. State Department.  And now the Commission is shortly to present a proposed final version of Privacy Shield to the Article 31 Committee, which represents the Member States.

If the Art. 31 Committee agrees with the Commission, Privacy Shield will be submitted to the College of the Commission for  formal adoption.  If the Art. 31 Committee does not endorse the Privacy Shield arrangements, the Commission will need to consider further how to proceed.  Also, the Council or Commission could intervene as permitted by the comitology procedure (which could result in more pressure on the Commission to negotiate further with the US).

News sources have speculated as to the status of the Article 31 negotiations (see here and here (scroll down)), but given the lack of specific information from the Commission on this point, it’s tough to tell what the real status is.  In any event, while we expect to have some more concrete news by the end of June as to the progress of Privacy Shield, it is unlikely that Privacy Shield will be formally adopted by then.

And it’s important to keep in mind that, as soon as Privacy Shield limps over the finish line (assuming it doesn’t succumb to death by a thousand objections), it will almost certainly face immediate litigation seeking to have the Court of Justice of the EU invalidate it.

PS – for those who’ve been wondering, Brexit (should it occur) is unlikely to result in the UK taking a divergent path from the EU on general data protection rules.

The Article 29 Working Party has released opinions on Privacy Shield and “essential guarantees” under EU law relating to surveillance, here and here.

Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here).  We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.

 

UPDATE: The Article 29 Working Party has released surprisingly brief comments on Privacy Shield, available here.  Consistent with the press briefing held earlier today (see below), WP29 has concluded that Privacy Shield falls short without providing specific guidance as to what, exactly, an acceptable version of Privacy Shield would look like.

Earlier today, the Article 29 Working Party (“WP29”) held a press conference to give a preview of its assessment of the proposed EU-US Privacy Shield arrangements that were slated to replace the struck-down Safe Harbor program and bring much-needed certainty to companies that transfer personal data from the EU to the US.

While full comments will be available later today, we know now that WP29 has declined to give Privacy Shield its support.  It appears that WP29 has serious concerns about the limitations of US national security agencies to conduct mass surveillance.  WP29 is also skeptical about the rights of redress for EU residents and would prefer that EU residents be able to bring complaints immediately via their local EU data protection authorities.    We will cover the WP29 assessment more fully during our webinar on Thursday, April 14.  Register here.  In the meantime, for those who would like to listen to the press briefing, an audio recording is available here:  https://scic.ec.europa.eu/streaming/article-29-working-party

Now that the EU Commission has published the complete version of its draft decision adopting the EU-US Privacy Shield program, it’s time for the key reviewers to dig in.   I don’t mean the lawyers, or EU privacy advocates, or US businesses, although their views will no doubt be wide-ranging and illuminating.  But no, the really important reviewers are the members of the Article 29 Working Party.

Regular readers of this blog will know that the Art. 29 WP is made up of representatives of the EU’s national data protection authorities and that the group has a major advisory role as mandated by Art. 29 of the Data Protection Directive (hence the catchy name).  The reason that that Art. 29 WP’s views will be particularly important for Privacy Shield is that the national DPAs will be the arbiters of the initial attacks that are almost certain to be made on Privacy Shield once it is adopted.  In terms of legal action, the first step EU privacy advocates who are not satisfied with Privacy Shield (which Max Schrems has already characterized as “lipstick on a pig“)  will take is to file complaints with their local DPAs. The DPAs will then need to consider whether Privacy Shield protects the “fundamental rights and freedoms” of the complainants.  The DPAs will then issue decisions that can be appealed to the local courts.  The local courts would then need to refer questions of European law (such as the validity of the Commission decision to adopt Privacy Shield) to the Court of Justice of the EU, which is the only court authorized to strike down a Commission decision.  But it all starts with the DPAs.

The Art. 29 WP has promised to publish its comments after a plenary meeting on April 12-13.  If the Art. 29 WP comes out in favor of Privacy Shield prior to its adoption, it will be a lot tougher for the DPAs to turn around later and agree with complainants that Privacy Shield is, after all, inadequate and should be struck down.  So Art. 29 WP has compelling incentives to scrutinize the draft Privacy Shield decision very carefully over the next six weeks.  It will be interesting to see whether the Commission draft survives the review without any vulnerabilities being identified that would lead the Commission to reopen negotiations with the US.