The EU-US Data Privacy Framework: Is It Our Destiny or the Dark Side?

“Oh, I’m afraid the deflector shield will be quite operational when your friends arrive.” With these words, the Emperor taunted Luke Skywalker, informing him that he had set a trap for the unwitting Rebel Forces attempting to destroy the Death Star. Fortunately, the Rebels prevailed, defeating the Imperial forces and destroying the shield generator that guarded the Death Star.

This scene from Star Wars Episode VI: Return of the Jedi seems an apt analogy for the current state of cross-border data transfers that originate in Europe. With the loss of the protections afforded by the U.S.-EU Safe Harbor framework, unwary U.S. businesses that transfer the personal data of EU citizens across European borders run the risk of enforcement actions by EU data protection authorities (DPAs). Unless the EU-US Data Privacy Framework takes effect soon, it may require Jedi mind tricks to legally transfer personal data across the pond.

The Privacy Menace

Not too long ago, in a country not too far, far away, the Court of Justice of the European Union invalidated the 15-year-old U.S.-EU Safe Harbor Agreement in Schrems v. Data Protection Commissioner. The Safe Harbor allowed organizations to transfer the personal data of EU residents across EU borders to the United States, so long as they promised to protect this data. In 2000, the Safe Harbor was deemed an “adequate level of protection” for data transfers, as required by the EU’s Data Protection Directive 95/46/EC. Under the Safe Harbor, businesses could self-certify that they agreed to adhere to a series of principles to ensure that they provided adequate data protection. But in the wake of revelations by Edward Snowden about U.S. government surveillance, questions arose about how well American companies could protect personal data.

After Schrems, the Article 29 Working Party, a group of DPAs, granted U.S. organizations until the end of January 2016 to find an alternative transfer mechanism. After that grace period, they would take enforcement action against businesses that still relied on the Safe Harbor. In February, the European Commission announced a replacement framework, the EU-US Data Privacy Framework.

A New Hope: Highlights of the EU-US Data Privacy Framework

The EU-US Data Privacy Framework is intended to strengthen the protections offered by the former Safe Harbor. If adopted in its current form, organizations that want to join the EU-US Data Privacy Framework must satisfy four requirements:

  1. They must be subject to the authority of the Federal Trade Commission or another U.S. agency that can ensure compliance.
  2. They must commit to adhere to the EU-US Data Privacy Framework principles.
  3. They must implement the principles.
  4. They must publish their privacy policy.

The EU-US Data Privacy Framework also creates stronger obligations, including tighter controls over data transfers to third-party data controllers and their agents, and a robust enforcement scheme. Under the scheme, an EU-US Data Privacy Framework certified organization must even provide the Department of Commerce with relevant third-party contractual provisions, and these requirements will place additional pressure on vendor selection and monitoring practices, including those in the legal services industry. The primary components of the framework include the following:

  • Certification: As under the Safe Harbor, U.S. businesses will have to register and self-certify annually with the Department of Commerce that they are adhering to the core principles: notice; choice; security; data integrity and purpose limitation; access; accountability for onward transfers; and recourse, enforcement and liability.
  • Processing and transfer requirements: Before transferring data to a third-party processor, organizations must meet a series of requirements, including limiting collection to only relevant data, requiring that it be used only for the purpose specified and ensuring that the data recipient offers the level of protection required under the EU-US Data Privacy Framework. These requirements may introduce new challenges when it comes to eDiscovery and related legal services.
  • Compliance obligations: Businesses will be subject to greater monitoring from U.S. and EU entities and will have new reporting and record keeping obligations, even if they withdraw from the EU-US Data Privacy Framework. This presents significant information governance challenges over the life of the information, including risk disclosures in merger and acquisition transactions.
  • Right of redress: EU citizens have multiple ways to resolve disputes over their privacy rights: they can complain about violations to the companies that collect their data (which must respond within 45 days), to a DPA or to a Department of State ombudsman. Through the passage of the Judicial Redress Act of 2015, EU citizens can also now pursue claims directly against the U.S. Government.
  • Limited access by the U.S. government: Law enforcement agencies cannot conduct mass surveillance; their access must be “necessary and proportionate” and occur under “clear conditions, limitations and oversight.”

Revenge of the Critics

Dissent over the EU-US Data Privacy Framework is percolating in the EU. In April, the Article 29 Working Party issued a 58-page Opinion criticizing the framework’s lack of clarity. Though the Working Party’s opinion is nonbinding, it encouraged the European Commission to address numerous points, such as creating a glossary of terms to ensure the provisions are applied consistently, reviewing the EU-US Data Privacy Framework once the General Data Protection Regulation (GDPR) becomes effective in 2018 and making sure that the prescribed joint annual review of the EU-US Data Privacy Framework occurs.

The next hurdle for the EU-US Data Privacy Framework is obtaining approval from the Article 31 Committee, which includes representatives from each EU member state. However, in a meeting on May 19, the Committee asked for more time to consider the agreement. If approved, the College of Commissioners must adopt the European Commission’s draft adequacy decision. In the interim, the European Commission may revisit the agreement’s terms based on the Working Party’s criticism.

Even if the EU-US Data Privacy Framework surmounts the concerns of the Working Party, it will likely face court challenges that could invalidate it as well. While it includes a number of new protections, the original underlying issue that caused the invalidation of the Safe Harbor – NSA surveillance – remains a concern for Europeans.

In short, the path forward remains unclear.

Awaken the Force Within: Next Steps for Compliance

Now is the time for U.S. organizations doing business in Europe to evaluate their current privacy measures, strengthen them as necessary and establish a more rigorous posture toward data privacy. Steps that businesses can take now to prepare include the following:

  1. Establish a data privacy program. Set the tone at the top for compliance by educating executives, the board and all employees about the importance of protecting personal data. Ensure there is accountability for the privacy program, and that it is linked to metrics.
  2. Inventory your data. Learn what data you collect and find out how you use, transfer and store it. Consider whether you can limit transfers or reduce the amount of data you store.
  3. Evaluate your privacy policies. Make sure your privacy notices are specific and clear. Ensure you obtain the appropriate consent before processing personal data; provide adequate notice to data subjects; and explain the procedures for requesting access to data and filing complaints.
  4. Assess your incident response plan. Businesses must notify a DPA within 72 hours of a data breach; individuals must be notified “without undue delay” if there is a “high risk” to their rights and freedoms. If you do not already have a breach response plan, implement one now. Also, consider encrypting personal data whenever possible: organizations do not have to notify data subjects if lost personal data is encrypted, and therefore unusable by data thieves.
  5. Consider hiring a data protection officer (DPO). The GDPR will require businesses whose core activities include gathering or processing large quantities of sensitive personal data to appoint a DPO. The role is similar to that of a Chief Privacy Officer; the DPO monitors compliance, trains staff, handles data subjects’ inquiries and concerns and audits performance. This role can be filled by an employee, or by an external consultant or legal counsel.

By taking these steps now, U.S. companies can put the power of the Force on their side and, as a result, be in a better position to comply with the EU-US Data Privacy Framework and the GDPR.