Opinion: The triumph of Privacy Shield
For the second time in less than a month, Europe stands on the threshold of history. As many Europeans are still trying to wrap their heads around the idea of a union without Britain, the European Commission has been moving toward ratification of a landmark data-protection agreement with the US.
The agreement, known as Privacy Shield, will provide European citizens with unprecedented protections for their personal and commercial data. It will also make Europe a vital hub in the global flow of digital information.
On Tuesday, European Commissioner for Justice Věra Jourová and Secretary of Commerce Penny Pritzker signed the Privacy Shield agreement, marking its final approval and opening the door on a new era of safe, secure digital commerce for European citizens and businesses.
But immediately following this historic step, Privacy Shield is certain to face legal challenges, leaving the courts to decide its fate. These decisions will have a monumental impact on the future of Europe, and on the European Union’s place in the global economic hierarchy.
The EU and US have an opportunity to embrace our shared belief in free market economic principles and, more essentially, the democratic process. To quote President Obama, "What binds us together is greater than what drives us apart."
I believe that the Privacy Shield agreement captures these common values, and that’s why I support its ratification and implementation. I do not take lightly notions of privacy. In the sometimes-pitched battle between the machinery of the free market and consumers’ rights, I have staked my career on defending the latter.
Back in 2000, the Department of Commerce and the European Commission finalized a privacy framework called Safe Harbor. It was designed to protect the rights of European citizens as their data traveled across the Atlantic. American companies that adhered to Safe Harbor were allowed to collect and use data about European consumers and employees, and store the data on US servers.
By October of last year, some 4,500 U.S. companies, large and small, were relying on Safe Harbor to handle the data of tens of thousands of European and American employees and to do business with millions of European citizens.
Then, in October, the Court of Justice of the EU invalidated Safe Harbor, holding that it didn’t provide Europeans with the levels of protection to which they were entitled as EU citizens.
But while the Court of Justice’s decision in Schrems v. Data Protection Commissioner sounded the death knell for Safe Harbor, negotiations on an updated data security framework between the US and the EU had already begun, two years before Schrems, after Edward Snowden revealed that US intelligence agencies had been collecting personal consumer data held by American companies.
The Schrems decision certainly added urgency to these negotiations, but the writing had been on the wall since Snowden: European policy makers and privacy advocates believed that Safe Harbor’s protections were no longer adequate.
Privacy Shield is the result of the negotiations that began in 2014, a new framework designed to replace and improve upon Safe Harbor. It is the framework that Europeans deserve today. Privacy Shield strengthens consumer protections with regard to both government and commercial access to data.
In doing so, it addresses the European Court of Justice’s two major concerns about Safe Harbor. First, it outlines the fortifications to existing safeguards against government access to personal data for the purposes of national security surveillance. Second, it provides clear, inexpensive avenues of redress for individuals concerned that their data is being used improperly. These provisions are designed to meet the court’s demands that the protections governing any transfer of Europeans’ data out of the EU be “essentially equivalent” to those found in European law.
To understand Privacy Shield, and why its protections are adequate, it is important to understand the requirements that businesses and government agencies face under the current regime of American privacy law. It’s true that the US has no single law like the baseline data protections found in most EU member states. But taken as a whole, US laws and regulations do provide a layered assemblage of strong consumer safeguards.
Indeed, US law was clearly the inspiration for many of the guiding principles that informed the drafting of the European General Data Protection Regulation, including an emphasis on data security and breach notifications, a focus on heightened protections for children’s data, and a prioritization of deidentification of sensitive data.
Where government collection of personal data is concerned, the idea of a fundamental, constitutional right to privacy is a cornerstone of American law, deeply woven into our social and legal fabrics. Recently the right to privacy has been extended through the courts to include new technologies and new forms of communication. The Judicial Redress Act, the USA Freedom Act and President Obama’s Policy Directive 28, all adopted in the wake of the Snowden revelations, honor and strengthen this tradition by providing new limitations on the way data is collected and used by US intelligence services.
The Judicial Redress Act, which explicitly extends the protections of the Privacy Act to foreign citizens, is particularly noteworthy in this discussion.
Other individual statutes protect information about children, finances, medical data, and student data, as well as information used to make decisions about consumers’ credit, insurance, employment and housing. At the state level, approximately 60 privacy laws were passed last year alone. The Attorneys General of each of the 50 states, as well as a legion of federal agencies — led by the Federal Trade Commission — each have broad imperatives to enforce these laws and bring to account those whose actions do harm to consumers.
Privacy Shield clarifies this amalgam of restrictions already governing data flows in the US. With respect to government surveillance, the Office of the Director of National Intelligence and the Department of Justice have provided letters describing the limitations on government access to data for intelligence and law enforcement purposes. These letters are significant on two levels. First, they lay out the US government’s binding commitments to apply the same protections to European citizen data that it applies to its own citizens’ data.
These commitments include the government’s fortification of citizens’ protections in the USA Freedom Act and the US Foreign Intelligence Surveillance Act, and the improvements in the operation of the Foreign Intelligence Surveillance Court. Second, these letters demonstrate that the US, and in particular the intelligence and law enforcement communities, take the European Court of Justice’s concerns seriously.
Of course, such assurances are only as good as one’s capacity to enforce them. To that end, Privacy Shield mandates the creation and appointment of an ombudsperson, within the State Department, who will operate independently of the national security agencies and be available exclusively to Europeans.
Any European citizen with concerns about US surveillance of his or her data may file a complaint to the ombudsperson, who will in turn verify that any surveillance measure has been implemented in accordance with law, and correct any anomalies or violations of the citizen’s rights. It is worth noting that the ombudsperson bears a striking resemblance to the National Oversight Commission — France’s own solution to the balancing of individual rights and national security.
On the commercial side, Privacy Shield significantly enhances protections that had been built into Safe Harbor. For instance, Privacy Shield requires data controllers to obtain consent from Europeans before they share data with third parties, including affirmative, express consent to share sensitive data such as health information. Privacy Shield also compels data controllers to allow Europeans to access, correct, or delete their transferred data. Crucially, data controllers will have to require their business partners who receive information about Europeans to live up to these principles, as well.
Finally, a raft of new procedural safeguards will make it easier — and a lot less expensive — for European consumers to pursue justice when they have been wronged by a participating company. For instance, US companies that sign onto Privacy Shield must agree to provide independent recourse mechanisms at no cost to the complainant. Should this measure fail, individuals can then take the company to binding arbitration — once again at no cost to the individual — or to court.
Since Privacy Shield’s debut, in draft form, three months ago, a number of stakeholders in Europe have analyzed and critiqued it. Most significantly, Europe’s data protection watchdogs, collectively known as the Article 29 Working Party, welcomed Privacy Shield’s “significant improvements,” while suggesting some clarifications and expressing other continuing concerns.
The negotiating parties have spent the past three months enhancing Privacy Shield to address the Article 29 Working Party’s concerns. The resulting improvements include added restrictions on the ability of Privacy Shield companies to retain data about EU citizens, and a clearer articulation of the extent of the ombudsperson’s independence.
As I have traveled across Europe over the past months, I have heard various stakeholders voice an additional concern. They point out that, because Privacy Shield does not have the status of a treaty, a new US administration could water down Privacy Shield’s protections.
They are correct that Privacy Shield is not a treaty. The commitments of its signatories, however, are binding — on the part of both the US government and companies that voluntarily sign up. It is hard to conceive of a US administration that would not eagerly embrace Privacy Shield and work hard to implement its highest levels of protection. But if such an anomaly occurs, there is a failsafe.
The new framework requires Europeans and Americans to consult at least annually on the framework’s operation. And if the European Commission believes that the US is violating its commitments, it is empowered to suspend Privacy Shield.
Privacy Shield is not perfect — no large-scale regulatory framework is, especially not on the first pass. But perfection is not what the moment calls for. Instead, we should view Privacy Shield as a living framework. As I noted, the US Department of Commerce and EU Commission will engage in ongoing consultations about its effectiveness, and about whether the parties are living up to their commitments. The European Data Protection Authorities and the FTC will also hold continual discussions about enforcement issues under the framework.
The ultimate test of Privacy Shield’s effectiveness will be how well it works in practice in the months and years to come. As for today, I am confident in saying that the protections provided to European citizens under Privacy Shield are “essentially equivalent” to those they enjoy on their own soil.
The final decision about Privacy Shield’s adequacy will be made by the European Court of Justice. I am hopeful that the court will provide itself with the means to appreciate the full spectrum of protections built into Privacy Shield as they adjudicate the near-certain challenges to come.
Julie Brill is a partner at the Washington law firm Hogan Lovells and is a former Commissioner of the Federal Trade Commission. Follow her on Twitter.