EU data protection law places formal requirements on flows of personal data about EU residents beyond the EU’s borders. The concern is laudable: to assure that the principles of data protection available in the EU, in effect, travel with the data. The laws rely on a variety of defined legal mechanisms to extend that protection. Recent concerns, particularly about surveillance practices of the US government, have resulted in continuing legal uncertainty about the validity of two primary mechanisms for transatlantic flows, the new US Department of Commerce Privacy Shield Program and the Standard (or Model) Contractual Clauses. Many EU companies rely upon either or both to share data with corporate affiliates and vendor service companies located in the US.
The Shield Program became effective in August 2016. It was established by agreement negotiated between the US and the EU Commission after its predecessor, the US Safe Harbor Program, was invalidated by the Court of Justice of the European Union in October 2015. The CJEU’s decision, sparked by a consumer challenge, reflected two legal concerns, first, that US laws limiting government surveillance of people were not sufficiently tight to afford protection to EU citizens whose data was stored or processed in the US and second, that the Safe Harbor Program was neither sufficiently robust in its requirements nor adequately enforced. The new Shield Program included additional, strengthened requirements for protecting personal data, a cooperative regime for increasing enforcement and clarifications about US government surveillance. The Shield was accepted by the EU Commission with participation from EU stakeholders. The best overview of Shield Program requirements can be found on the US DOC website, https://www.privacyshield.gov/Program-Overview. The EU Commission’s view at the time of initial adoption are here, http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm.
The Shield Program and Standard Contractual Clauses are but two mechanisms to legitimize transatlantic transfers. Underlying EU laws on transferring personal data beyond the borders of the EU (or more technically, the borders of the countries in the European Economic Area) are complex, recognizing limited exceptions and allowing five means of lawful transfer: The EU can declare a country’s law “adequate” to provide sufficient levels of data protection. The entity transferring the data can seek legally sufficient consent of the individuals. Companies can use the Standard (or Model) Contractual Clauses to cover transfers of particular data sets for particular purposes. US companies that receive or access personal data can file under the Shield Program to certify their recognition and acceptance of the principles of EU law. Finally, companies with complex and often global flows of personal data can create and receive EU regulatory approval of a set of legally binding internal policies and procedures, Binding Corporate Rules, to assure protections similar to those in EU data protection law. The rules for transborder data flows are found in national laws enacted under the EU General Directive 95/46/EC but will remain largely unchanged in the new European Data Protection Regulation, the GDPR, enacted May 5, 2016. (It is widely expected that the UK will continue to honor the transfer requirements of the GDPR or ultimately enact similar provisions to ensure continued free flows or personal data between the UK and the Continent.)
Yet these two common mechanisms of transatlantic data flows remain under a cloud of legal certainty. The new Shield Program will be reviewed by the CJEU, the same court that invalidated the Safe Harbor Program, against the concerns of the October 2015 decision. The CJEU is also set to review the use of Standard Contractual Clauses as a legitimate transfer mechanism.
A small but rapidly growing number of companies in the US have elected to complete the necessary internal reviews to file for a Shield, despite legal uncertainties. Government officials in the EU and US continue to express strong confidence that the redesigned requirements and governmental promises of the Shield Program are sufficiently tailored to meet the earlier concerns expressed by the CJEU. The underlying work of charting transatlantic data flows, assuring internal processes and policies to meet the Shield’s standards and filing for a Shield may reassure EU clients and consumers. The need to Identify, secure and manage EU personal data within an organization is common to both a Shield filing and meeting the promises of Standard Contractual Clauses. Taking basic steps can pave the way for company action once the CJEU has had its say and, in the interim, may provide a better answer to regulators than simply relying on legal uncertainties to justify a failure to protect personal data about EU residents.
Compliments of DeVore & DeMarco – a member of the EACCNY