The EU-U.S. Privacy Shield, the legal mechanism announced this week to allow commercial data to be transferred lawfully from Europe to the U.S., is under fire from privacy advocates and lawyers who want more details on security and consumer protections. At the same time, companies affected by the new trans-Atlantic data-sharing regime are complaining that they are in the dark about their obligations under Privacy Shield and are getting mixed messages from the officials charged with enforcing the new rules.
This week, the European Commission's justice commissioner announced that a deal had been struck on how data, from sources ranging from social networks and e-commerce sites to mobile networks, must be handled stateside to protect Europeans' privacy. It was an 11th-hour pact to replace Safe Harbor, which was voided last year by Europe's high court.
But European and American officials have yet to provide full details on the new rules, and those affected have been left trying to make sense of what it means for them.
The big tech companies like Apple, Facebook and Google are remaining tight-lipped about the situation while smaller businesses are left to worry about the potential for big fines as the individual data protection authorities charged with enforcing the law seem as confused about what to do next as the companies themselves.
The uncertainty extends to the Federal Trade Commission, which took part in the negotiations. On Thursday, Commissioner Julie Brill said she understood European data authorities will not bring enforcement actions against any company continuing to use the invalid Safe Harbor mechanism, until Privacy Shield is fully in place.
"My understanding is that [the European data authorities] are holding in abeyance enforcement actions while they undergo these evaluations," Brill said Thursday.
But 24 hours earlier, a senior European official made it clear that this was not the case. If a company "is using the former Safe Harbor, this company is in an illegal situation," Isabelle Falque-Pierrotin, chairwoman of the Article 29 Working Party — which comprises the data protection authorities of each of the 28 EU member states — said Wednesday.
“There is one thing that is for sure: If these companies are using the former Safe Harbor framework, it is illegal because this has been clearly invalidated by the judge,” Falque-Pierrotin said.
The confusion dates back to last October, when the European Court of Justice ruled that the 16-year-old Safe Harbor mechanism for transferring data — everything from your Facebook posts to employee payroll information — from Europe to the U.S. was invalid, finding that the revelations by National Security Agency whistleblower Edward Snowden suggested European Union citizens' data were not safe from mass surveillance by American authorities.
On Tuesday, after months of negotiations and the official deadline of Jan. 31 having passed, the European Commission announced it had reached an agreement with U.S. negotiators. The EC said the pact calls for more transparency on how U.S. intelligence agencies access EU citizens' data, the appointment of an independent ombudsman to oversee data transfers and an annual consultation process to assess how well Privacy Shield is working.
EC Commissioner Vera Jourová called it "a strong and safe framework for the future of trans-Atlantic data flows,” adding that it will live up to the Court of Justice ruling. "We will hold the U.S. accountable on the commitments they've made," she said.
But Wednesday, Falque-Pierrotin indicated that Privacy Shield is far from the panacea some claim it to be. “[We] still need to receive these documents in order to know precisely the content and also the legal bindingness of these announcements,” she said during a press conference. “Because until now we have been told it is an exchange of letters, a unilateral act from the commission; we don’t know exactly what it covers.”
The commission has agreed to present a final document to a working group within three weeks. It will then have to be agreed on by what is known as the College of Commissioners, made up of commissioners from all 28 member states. Crucially, however, this will happen only after the commissioners obtain the advice of the Article 29 Working Party and after consulting a committee comprising representatives of the member states.
Fines and penalties for unlawful data transfers differ depending on which country the data were transferred from: Ireland's data protection authority can impose a maximum fine of 250,000 euros ($280,000), while Germany's can fine up to 300,000 euros.
Safe Harbor was not the only mechanism for transferring data legally across the Atlantic — it was just the easiest. Companies could also use what are known as binding corporate rules (BCRs) or standard contractual clauses (SCCs), but both of these are complex legal constructs and require significant time and resources to put in place. Therefore, for the majority of the 4,400 companies that relied on Safe Harbor, these alternatives were simply not an option.
So with Safe Harbor invalidated, alternatives simply too onerous to implement and the details of Privacy Shield still to be finalized, it's unclear whether thousands of companies potentially still using Safe Harbor are going to face enforcement actions.
International Business Times contacted the data protection authorities of all 28 EU member states asking if they will act against companies still using Safe Harbor. From the replies, it is clear that even those tasked with implementing these laws are unclear about what to do.
France’s Commission nationale de l’informatique et des libertés — of which Falque-Pierrotin is head — said it is already investigating some companies about which it has received complaints and “will decide whether or not to use its enforcement powers, according to its national law.”
Conversely, Viljar Peep, director general of the Estonian Data Protection Inspectorate, said: “I am not going to take enforcement actions against enterprises who were using invalidated Safe Harbor — until the moment when the new EU-U.S. Privacy Shield will be available for them.”
Merkel Wilander, spokesperson for the Dutch Data Protection Authority, said the body is taking a similar wait-and-see approach. “We will not take enforcement actions until we have ended our analysis.” Matthias Schmidl, deputy head of the Austrian Data Protection Authority, was more vague about what the next steps will be, saying it "is by law obliged to initiate proceedings if it finds out that data are transferred to the U.S. in violation of the Austrian Data Protection Act."
Hans-Olof Lindblom, chief legal advisor for the Swedish Data Protection Authority, was more straightforward: "The Swedish Data Protection Authority is for the moment not taking any such action." The U.K.'s regulator, the Information Commissioner's Office, pointed IBT in the direction of a blog written in October by David Smith, then deputy commissioner but who is no longer with the ICO: "Our initial message is still valid. Don’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal."
'We Don't Know a Lot About This'
Aside from France, Austria, Sweden, Estonia, the U.K. and the Netherlands, none of the other 22 data protection authorities immediately responded to queries about their plans, suggesting there remains significant confusion among those at the center of this debate.
“The legal format of the arrangement is still unclear for us,” Falque-Pierrotin said Wednesday in a press conference in Brussels. “I heard [the term] 'exchange of letters,' but to be honest, we don’t know a lot about this.”
So why was Privacy Shield announced if there is so little concrete detail about what the new mechanism entails? “What we actually have here is a desperate PR effort to buy more time before the EU Commission and the U.S. have to face the consequences of the legal incompatibility between the EU’s Charter of Fundamental Rights and the U.S.’ commitment to mass surveillance,” Simon McGarr, an Irish lawyer specializing in internet protocol and law, said.
McGarr's assertion is backed up by Ian McEwan, head of European operations for cloud storage company Egnyte. "There had to be something put in place [because] of the economic pressures," McEwan told IBT. "The transatlantic consumer-based business is huge."
The ruling in October invalidating Safe Harbor has led to a change in the way some companies are operating. McEwan said some of his customers are already asking for data not to leave Europe, while at least one German customer has asked that its customer data don't leave the country.
Thousands of small and midsize businesses remain in limbo. They face a choice between investing considerable time and money into putting BCRs or SCCs in place or waiting until Privacy Shield comes online — which, according to the timeline set out by Falque-Pierrotin, won't be until late April at the earliest.
As well as all the smaller companies, the invalidation of Safe Harbor has had an impact on the big multinationals, particularly those whose core currency is data. Google, Apple, Amazon and Facebook all declined to comment on the situation. Microsoft pointed to tweets by its president and chief legal officer Brad Smith — the man who last month called the negotiations "too important to fail."
We’re grateful for the difficult work by both EU and U.S. officials to address this important issue.
— Brad Smith (@BradSmi) February 2, 2016
Privacy Shield may also become the subject of litigation. "There will likely be legal challenges," said Kendall Burman, a former White House advisor and currently a data privacy counselor at the Mayer Brown law firm.
One challenge could come from the man responsible for bringing down Safe Harbor in the first place, Max Schrems. Schrems' complaint that Facebook had failed to protect his privacy was referred by Ireland's High Court to the European Court of Justice, and it was that case that ultimately led the court to strike down Safe Harbor.
Responding to the Privacy Shield announcement, the Austrian Ph.D. student said it was too early for a final assessment, but he expects the whole thing could end up in court. "I am not sure if this system will stand the test before the Court of Justice. There will be clearly people that will challenge this — depending on the final text, I may well be one of them."