These FAQs answer some basic questions on Privacy Shield. We use some technical terms which are explained in our glossary here. If you would like detailed advice on Privacy Shield we are happy to help – our contact details are at the end of these FAQs.
What is Privacy Shield?
The Privacy Shield scheme was proposed in February 2016 to replace the Safe Harbor scheme which was struck down by the European Court of Justice (ECJ) in the first Schrems case (sometimes known as Schrems 1) in October 2015. There is some background to the collapse of Safe Harbor and the announcement of Privacy Shield in our alert on 3 February 2016 here.
Why did it take so long?
As we said in February the announcement of the creation of Privacy Shield was premature. An announcement had to be made in February as a deadline set by the Article 29 Working Party (often known as WP29) had expired at the end of January. In February the European Commission said that they hoped that Privacy Shield would be finalised by the beginning of May. Even that seemed ambitious in part because of the criticism that Privacy Shield received from WP29 in April. You can see a summary of WP29’s criticisms of Privacy Shield in our alert and short film here.
When did Privacy Shield come in?
The scheme opened for business on 1 August 2016.
Who has joined so far?
Already more than 500 companies have joined Privacy Shield. The most interesting on the list so far include Ernst & Young, Facebook (for non HR data only), Google, Microsoft, Oracle, Rackspace, Salesforce, ServiceNow, St Jude Medical and Workday.
If I join Privacy Shield will the US authorities play a greater role?
Almost certainly. There is likely to be much more supervision by the US authorities than there was under Safe Harbor. It is not true to say there was no Safe Harbor enforcement (for example we looked at the investigation into TRUSTe here) but the European Commission are promising tougher enforcement. The Commission said on this in their 12 July announcement:
“under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies, to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the list.”
Is Privacy Shield bullet proof?
Probably not. Penny Pritzker, the US State Secretary of Commerce, said on 12 July 2016 in announcing the deal that she thought it would ‘withstand scrutiny’ and that she had been speaking with the chair of WP29 to try and reduce her concerns. Commissioner Jourová also said she was confident it would survive a court challenge. In our view it is unlikely that the concerns about Privacy Shield will disappear so quickly. We talked about the challenges to Privacy Shield when we spoke with Max Schrems on 21 October 2016. You can find a summary of that interview here. Max Schrems said in that interview “Privacy Shield is Safe Harbor with flowers on it – it will probably be killed by the European Court”.
As well as possible challenges from courts and regulators it should be remembered that Privacy Shield has a one-year shelf-life before being renewed. The European Parliament in particular is likely to be looking carefully at the scheme’s first year and may challenge its renewal in 2017. WP29 have also indicated that the first annual review will be a critical time for Privacy Shield.
Could it be challenged by Regulators?
Almost certainly. Reports on the 4 August 2016 suggest that Johannes Caspar, the Hamburg Data Protection Regulator who had been very critical of Safe Harbor would like to refer to the scheme to the ECJ. Caspar is petitioning the Germany authorities to allow data protection regulators to refer issues like this to the ECJ directly.
In November 2016 ten German data protection authorities announced that they had sent a survey to 500 organisations asking for details of their data protection strategy. Around 150 of these questionnaires were sent by the Bavarian Data Protection Commissioner. Initially the businesses had been sent a questionnaire for them to complete and return to the relevant regulator. The document asks specific questions about the business’ use of Privacy Shield and other methods of dealing with international data transfer. Additionally the questionnaire asks for details of specific data transfers to the USA including in areas like helpdesk support, travel management, CRM, marketing, recruitment, collaboration platforms, quality management and cloud.
In addition there are rumours that Austria, Bulgaria, Croatia and Slovenia abstained from the Article 31 vote and it could be that Regulators from some of those countries may also take an interest, although the WP29 statement on 26 July 2016 makes an immediate challenge less likely. Privacy Shield is certainly open to challenge in the same way as Safe Harbor was. In effect its legal status is similar to Safe Harbor – an adequacy finding from the European Commission.
A challenge from the Irish Data Protection Commissioner is also likely to happen through the Courts.
What about a court challenge?
Privacy Shield faces several court challenges and the Schrems 1 case tells us that Regulators must have more independence to investigate their concerns.
In addition there is currently likely to be a challenge to the ECJ over model clauses. We reported on this case here, sometimes known as Schrems 3, in May. There were court hearings in the Schrems 3 case at the end of July and we understand that counsel for the Irish Data Protection Commissioner flagged the fact that those proceedings might need to be amended to accommodate the inclusion of Privacy Shield. It seems likely that the Irish Data Protection Commissioner will apply to have Privacy Shield added at the next hearing now that Facebook have joined the scheme. In effect it seems that the intention of the Irish Data Protection Commissioner would be that the ECJ looks at the legality of the model clauses and Privacy Shield together. The Schrems 2 litigation is not immediately relevant to Privacy Shield but you can find background on that case here. The Schrems 2 litigation is also now heading for the ECJ.
In addition an Irish group, Digital Rights Ireland, has also issued proceedings challenging Privacy Shield. We understand that an additional case was brought again to the EU’s General Court in Luxembourg by La Quadrature du Net, a Paris based pressure group, the French Data Network and FDN Federation. The French associations’ claim in their case that Privacy Shield should be struck down because it violates their fundamental rights. Both the Irish group and the French groups will have to persuade the Court that they have sufficient standing to challenge the European Commission’s decision giving birth to Privacy Shield. The rules on standing are quite complicated and it is by no means certain that they will be able to persuade the Court that they have the standing to bring the case.
Whilst a challenge does seem likely – certainly in the referral from Ireland at least – there is no guarantee that would succeed. A differently constituted court on a different day may be more willing to uphold Privacy Shield especially with the extra effort that both the EU and US have made this time around. Whatever the result however there is likely to be uncertainty since a court hearing may be unlikely before the end of 2018 on current court timetables.
Will Privacy Shield be protected by GDPR?
No. Privacy Shield is not referred to in GDPR although one of the other methods of data transfer, Binding Corporate Rules (or BCRs) is. Commissioner Jourová said on 12 July 2016 that Privacy Shield would be reviewed prior to GDPR coming into force since it was a clear requirement that the US had ‘equivalent’ protection and this protection was likely to have the be improved once GDPR set the bar higher.
Should I even consider Privacy Shield for my business?
Possibly. Despite its faults those companies who were in Safe Harbor might find Privacy Shield fairly easy to achieve, although we would recommend talking this through with lawyers who understand these issues. It could have some role as part of a mix of compliance measures, although it is unlikely to provide a complete solution on its own. It would be wise for those considering the scheme to do a cost-benefit analysis. Privacy Shield is likely to be more costly than Safe Harbor – in part due to higher arbitration costs – but may demonstrate a level of compliance to some of your customers. Some of the former Safe Harbor arbitration schemes have also adapted themselves to manage Privacy Shield arbitrations. There could however be issues if Privacy Shield collapses which may outweigh the benefits.
Are there any deadlines?
No but there were concessions for businesses that signed up to Privacy Shield before the end of September 2016. That concessionary period, which applied to existing onward transfers of data has now ended.
How much will it cost to join Privacy Shield?
As well as the arbitration scheme cost an organisation must pay an annual fee to the US Department of Commerce (DoC). That fee is tiered based on the organization’s annual revenue and ranges from $250 to $3,250. Additionally there is a fall-back arbitration scheme which will be funded by a levy on Privacy Shield participants. Currently DoC has yet to set the amount of this levy. DoC seems to be currently advising that this figure may not be known until February 2017. It currently expects that this additional fee will also be tiered and that it may be around the same level as the annual joining fee. We raised this uncertainty with the Privacy Shield team in the US in August 2016 and they told us that the fund would be managed by a third party and that the fees would be reviewed at the Annual Review by the US administration and the European Commission “with the mutual understanding that there will be no excessive financial burden imposed on Privacy Shield organizations”.
What about Brexit?
There was a question at the 12 July 2016 press conference to Commissioner Jourová about the affects of Brexit and any likely adequacy decision for the UK. Commissioner Jourová said it was too early to answer this question.
Due to the initial two year time frame for the Brexit negotiations (which have yet to commence) Privacy Shield will apply to data transfers from the UK at least until any eventual withdrawal from the EU – this is unlikely to be much earlier than January 2019. Equally GDPR will also apply. There is more information on the affects of Brexit on data protection, data transfer and data security in our film here.
What can I do?
In short to get started, the following are possible actions to take:
- Have a plan for data transfer – we have seen from some of the enforcement cases that the lack of a plan is likely to cause difficulties when regulators ask questions;
- Review Privacy Shield to see if it might work for you – even a system subject to a challenge may be useful for you;
- Look again at your data flows to determine the following: what information travels outside of the EU and on what basis? Is it inter-group or is it to third parties? What steps are already in place to make those data flows lawful? You may be able to alter your current data practices to reduce your risk;
- Consider the other options available to your business including model clauses (recognizing they are also subject to challenge) and BCRs. BCRs do have a new footing in GDPR and may be more resistant to challenge. BCRs will not be the answer for everyone however;
For more information please contact Jonathan or André who are lawyers with Cordery in London where their focus is on compliance issues.
Office: +44 (0)207 075 1784
Office: +44 (0)207 075 1785