Privacy Shield review: prepare for the worst
CIOs should hope for the best but prepare for the worst when transferring personal information across the Atlantic. That is the advice of experts watching the European Commission conduct its second annual review of the Privacy Shield data-sharing agreement.
Privacy Shield allows businesses to export the personal information of their customers or employees to the US while still complying with the EU’s strict privacy laws, and replaced the Safe Harbor Agreement, which was invalidated by the EU’s top court in October 2015.
“A number of clients are sitting there biting their nails. They don’t believe they’re compatible with one another — GDPR and the Cloud Act,” Aaron Tantleff, Foley & Lardner
The Commission made 10 recommendations for improvement in its first review last October, and if it is unhappy with the response of the US administration to these, it could theoretically suspend or cancel the agreement.
“That would be the worst-case scenario. There would be a lot of uncertainty regarding data transfers around the world,” said Thomas Boué, director general of policy, EMEA, Business Software Alliance. BSA’s members include Adobe, Apple, Microsoft, Oracle, Salesforce and Workday, all of which rely on the processing of personal data for part of their business.
That scenario is something Aaron Tantleff, a partner at Belgian law firm Foley & Lardner, is telling his clients to prepare for. “I’m advising everyone that’s relying on Privacy Shield to make alternate arrangements, to have a back-up plan — not because I suspect Privacy Shield is going to be suspended in the next 30 days but because Privacy Shield will be, in the future, modified or suspended at some point.”
The back-up plan Tantleff has in mind is to adopt another legal basis for data transfers, such as binding corporate rules (BCRs) or model clauses. BCRs govern intra-company transfers, and so are ideal for businesses transferring data to or from subsidiaries for payroll processing or for other HR matters. Model clauses are standard contract terms covering personal data transfers that already have the approval of EU authorities. Some enterprises may already have these in place, or at least have studied them during the interregnum between Safe Harbor and Privacy Shield.
The US has made progress on some of the recommendations contained in the first review, including the confirmation of a new chairman and additional members of the Privacy and Civil Liberties Oversight Board (PCLOB), which ensures that the US executive branch weighs privacy and civil liberties concerns when developing new anti-terrorism legislation.
The Senate has still not confirmed the appointment of an independent ombudsperson to respond to questions about access by US law enforcement officers to the personal information of Europeans, although an acting ombudsperson, Manisha Singh, was designated in September. Boué is unconcerned by the lack of confirmation: as he notes, the ombudsperson is backed up by a team of 200 or so staff dealing with cases, and they will continue to do that, confirmation or no confirmation.
Another area that may prove trickier to resolve is the possible conflict between EU and US legislation, notably the Cloud Act. This extends US jurisdiction to personal information stored outside the US — potentially the very same personal information that the EU’s recent General Data Protection Regulation (GDPR) is designed to protect. The fear is that, if a business hosting such data receives a request from US law enforcers to turn it over, it could be damned if it does (by the GDPR) and damned if it doesn’t (by the Cloud Act).
According to Tantleff, “A number of clients are sitting there biting their nails. They don’t believe they’re compatible with one another.”
The Commission may be looking for clarity on this point, and also raising concerns that the Foreign Intelligence Surveillance Act, renewed since the last Privacy Shield review, erodes EU citizens’ fundamental privacy rights by allowing US surveillance of their communications.
As for the other outstanding issues highlighted in the last review, the Commission is pragmatic. Despite a call from the European Parliament to suspend Privacy Shield if the US did not address them all, it knows that EU businesses rely on the transatlantic flow of data as much as their counterparts in the US do, and is likely to delay action or seek compromise rather than risk disrupting a trade relationship worth around $1.1 trillion (€959 billion).
But it is principles, not pragmatism, that reign at another EU body, the Court of Justice. This is the court that so suddenly and unexpectedly put an end to Safe Harbor in 2015, on the grounds that the protections it provided were inadequate under EU privacy law. It has also been asked to rule on the adequacy of Privacy Shield, although its judgment will come much later than the Commission’s, probably sometime next year.
Once again, enterprises can hope for the best — but they should also prepare for the worst.
And it could get a lot worse, as the Court of Justice is also deliberating another case, challenging the use of model contract clauses to protect transatlantic data transfers. This was brought by Max Schrems, the same plaintiff who triggered the ruling overturning Safe Harbor.
Boué encouraged enterprises to prepare by ensuring that they have the most appropriate data transfer mechanisms in place for their purposes. Many companies are already counting on a combination of Privacy Shield, BCRs, model clauses and customer consent to cover all bases.
“We live in this period of uncertainty about data transfers. Let’s hope all goes well but if it doesn’t, they should have a plan in place to shift and switch,” he said.
IDG News Service