What is EU-US Privacy Shield?
A look at the current framework US companies rely on to transfer data to and from the European Union
Privacy Shield is a regulatory framework that governs the transfer of data between the European Union and the United States. Its principal purpose is to act as a mechanism for US companies to receive data from the EU, thereby ensuring smooth data transfers despite the fact that the two countries operate in separate data protection jurisdictions.
In effect, Privacy Shield fulfils the same purpose as an adequacy agreement, required by any third status country that is outside of the regulatory reach of the EU's General Data Protection Regulation (GDPR). Such an agreement signals that the EU recognises the data protection laws of the third country as being robust enough to protect the data of EU citizens, and therefore eligible to receive EU data.
However, Privacy Shield has faced constant criticism for failing to provide adequate enough protections for EU individuals' data. Even during its early development, the framework was regarded as inadequate by many, particularly in the context of US intelligence gathering. It's very likely that the EU will revisit Privacy Shield in the coming years, though it's unclear how or when an agreement would be reached between the two powers.
Where did Privacy Shield come from?
Privacy Shield is the second attempt to harmonise data flows between the US and the EU -- itself being a replacement to the now-defunct 'International Safe Harbour Privacy Principles', known commonly as Safe Harbour (not to be confused with the Safe Harbor provision related to the non-violation of statute).
However, the history of both Privacy Shield and Safe Harbour frameworks dates back to the mid-1980s, when the European Union began pursuing policies aimed at enhancing the protections offered to data subjects throughout member states. In order to do that, it was important to ensure that European data subjects could expect the same levels of protection wherever their data was sent.
In 1995, the EU signed the Data Protection Directive, the first piece of legislation that would eventually evolve into the General Data Protection Regulation that is in force today. Despite covering a range of data protection issues, one of its chief purposes was to prevent companies operating in the EU from sending data to third countries (those outside of the European Economic Area) unless some guarantee exists to ensure adequate levels of protection.
This increase in user protections did not align with US policy, particularly given the far-reaching powers that intelligence agencies such as the NSA have had over user data. However, given the commercial importance of data transfers to the US, it was deemed necessary to provide an additional mechanism beyond a formal adequacy agreement, standard contractual clauses, or binding corporate rules, that would make it easier for US companies to legally receive data.
Developed between 1998 and 2000, the Safe Harbour Privacy Principles were initially designed to prevent organisations in the US and the EU from accidentally disclosing personal information by providing clear guidelines on how to collect and manage data. These principles incorporated some of the requirements set out by the Data Protection Directive, including the need for better security, relevant data collection, and the restrictions on third-country transfers, only these were voluntary for US companies. However, by July 2000, it was decided that any US company that was able to demonstrate its commitment to these Safe Harbor Principles would be permitted to send and receive data from the EU -- known as the "Safe Harbor Decision".
US companies operated under the provisions of the Safe Harbor Decision for over 15 years but in October 2015, the European Court of Justice ruled that the process of the Safe Harbour Decision was invalid. The reason for this ruling was mainly because the act of giving public authorities access to EU individuals' data through the adherence of general principles was in direct conflict with the right to privacy as enshrined in Article 8 of the European Convention on Human Rights (ECHR). In essence, the ECJ found that the Safe Harbour Principles were incompatible with EU data laws given that the framework lacked any operational oversight from US or EU agencies.Enter Privacy Shield
Privacy Shield, introduced in early 2016, was an attempt to rectify these issues, promising to enforce tougher obligations on US companies -- namely the requirement to monitor and enforce data protections more robustly, and cooperate with European data protection authorities.
As with Safe Harbor, it is a voluntary mechanism that US companies can use to legally send and receive data from the EU. Those that agree to process data under Privacy Shield are required to publicly advertise their compliance -- a notice that says they are committed to providing higher standards of data protection and that they are liable to strict fines if found to be in breach of them.
As part of this compliance, organisations are required to give European users a means to opt out of having their data sold to third parties, as well as rigorously protect any data they do collect. EU data subjects are also protected from any misuse of data beyond its originally advertised processing purpose and have the right to access, correct, amend or delete any data that an organisation holds on them, provided it is inaccurate or has been used in a way that breaches Privacy Shield principles.
It is important to note that these protections only exist for EU citizens -- US citizens are only protected by federal or state US laws.
Privacy Shield fines & sanctions
The US Federal Trade Commission, the agency overseeing Privacy Shield enforcement, has the power to bring fines against any company found to be in breach of Privacy Shield standards.
Any US organisation that fails to abide by their commitments to upholding Privacy Shield principles can face a number of different penalties. Firstly, the FTC can issue administrative or court orders to compel an organisation to fix any violations. Failure to abide by these orders can result in civil penalties of up to $40,000 for each violation, or $40,000 per day for ongoing violations.
Any organisation found to be in persistent violation of Privacy Shield standards will have its eligibility revoked, which prevents it from using the mechanism for data transfers. This includes any company that has been found to be in regular breach of the standards even if those breaches are unrelated. The Department of Commerce will then remove the company's name from the Privacy Shield List.What does Privacy Shield require of US businesses?
Privacy Shield is voluntary for US businesses, however, it is strongly advised that organisations sign up to the laws, particularly if they plan to expand into Europe in the future.
Those that sign up are required to do the following:
- Present a detailed public facing statement showing its commitment to the Privacy Shield Principles and how it is ensuring its processes are compliant.
- Ensure that mechanisms are in place to restrict data sharing with third parties where a user has opted-out. All third parties that receive such data must also publicly display their commitment to Privacy Shield.
- Respond to all access and deletion requests from users, and provide a means for users to change their data, provided the request is feasible.
- Ensure that all systems are maintained and are protected from unauthorised access.
Criticisms of Privacy Shield
Both Safe Harbour and Privacy Shield highlight an ongoing clash between the US and the EU over data protection rights.
The European Union has worked to increase protections, and now operates one of the world's most robust data laws in the world. Data processing is heavily scrutinised under GDPR, with companies facing the prospect of crippling fines for any loss of data.
The US, meanwhile, has increased the surveillance powers of its intelligence agencies over the years, particularly following the introduction of the US Patriot Act in 2001. Intelligence agencies are able to use programmes such as PRISM to collect data from US internet companies, as well as the Foreign Intelligence Surveillance Act (FISA) to gather data on US citizens. Perhaps most importantly for EU authorities, the US has yet to work towards a centralised federal data protection regime, let alone one that begins to mirror GDPR. Aside from states such as California, there have been few attempts to expand data protection rights.
Privacy Shield is, therefore, a compromise on the part of the EU to overcome this ongoing contradiction -- a mechanism that allows US companies to prove they can operate under GDPR-like controls.
Not everyone agrees that the EU's good faith is reciprocated, however. Most notably, as part of the relationship, the US has the duty of appointing an ombudsperson to act as an additional point of redress for any EU citizens raising complaints against a company. This position sat vacant until June 2019 when Keith Krach was confirmed as the US' first permanent Privacy Shield Ombudsperson, leaving many to question whether the country was taking its role seriously enough.
Concerns have also been raised over the years about the framework's ability to protect EU data. In 2016, European data protection supervisor, Giovanni Buttarelli, argued that "significant improvements" were needed and that, as it stood, Privacy Shield was simply "not robust enough to withstand future legal scrutiny before the court". He also added that it was "time to develop a longer term solution in the transatlantic dialogue".
Max Schrems, the Austrian legal activist that was a key player in the downfall of the Safe Harbour agreement, argued recently that Privacy Shield was hastily put together in order to fill the gap left by the previous framework and that those behind it
"Sometimes I call it Safe Harbour 1.0.1 because basically most of the text is exactly the same, most of the structure is exactly the same," said Schrems, speaking at a data protection summit in London in June, adding that he often referred to it instead as "lipstick on a pig".
Speaking on the speed at which it was negotiated, he said: "There was a deadline on January 31. What happened was that they failed to come to any kind of agreement. I was asking later and apparently the Europeans stood off the table and said there was no way we're ever going to get it. 48 hours later and there was [suddenly] a deal. Another 24 hours later and we got this logo."
What is the future of Privacy Shield?
Given the criticism the framework faces, and the introduction of even tougher data protection laws in Europe in the form of GDPR, the future of Privacy Shield is uncertain.
The European Court of Justice is currently reviewing a case that could see standard contractual clauses invalidated as a transfer mechanism, which could further weaken the Privacy Shield framework.
There's also the issue of US surveillance, which has been raised in another case being reviewed by the ECJ. Essentially, privacy groups continue to argue that the way the US handles individuals' data is at odds with the EU's approach and as such, Privacy Shield simply isn't enough to square that circle. To make matters worse, one of President Trump's first acts was to sign the "Enhancing Public Safety" executive order, which states that US privacy protections will not be extended beyond US citizens -- meaning any federal or state privacy laws will not apply to EU citizen data.
It's highly likely, therefore, that a new framework will be developed in the coming years, although it's going to require agreement from both the US and the EU to make a reality.