What businesses need to know about Privacy Shield

It may not stand up in European court, one policy expert warns

The European Commission headquarters in Brussels (8)
Flags in front of the European Commission headquarters in Brussels on June 17, 2015 Credit: Loek Essers

U.S. businesses may take some comfort from the fact that a successor to the Safe Harbor agreement has finally been named, but at this point, they shouldn't get too comfortable.

Since it was first announced on Tuesday, the EU-U.S. Privacy Shield agreement governing trans-Atlantic data transfers has elicited considerable concern, not least because it remains largely unwritten and unclear. Privacy watchdogs in Europe have cautioned that it can't be relied upon for legal protection for several months; some say it won't be enough even then.

The old Safe Harbor agreement that provided cover to companies transferring data was declared invalid by an EU court last year.

So what's a business to do?

Julie Brill, commissioner of the U.S. Federal Trade Commission, offered some insight Thursday in a webcast discussion hosted by the Information Technology and Innovation Foundation (ITIF).

First, realize that it's going to take some time for Privacy Shield to be usable, Brill warned. 

"The immediate next step is to write up the details so that everyone can see it," Brill said.

That's going to take longer this time than it did back in 2000, when the original Safe Harbor agreement was approved, however. The European Parliament is playing an advisory role this time, with the ability to review the agreement and vote on it, she noted. EU Member States will also have to approve it.

April is the soonest Europe's data-protection authorities are likely to be able to finish their legal analysis, according to the Article 29 Working Party, the EU body representing those DPAs.

In the meantime, businesses hoping the original Safe Harbor agreement will protect them in the interim will continue to be held accountable by the FTC, Brill said.

"If companies are continuing to make promises that they're abiding by Safe Harbor, we will enforce that," she said.

Assuming Privacy Shield is ultimately approved by European authorities, companies will have to examine the tougher requirements it involves carefully to make sure they can abide by them once they agree to support it.

"I want companies to be sure that when they self-certify, they know what they're getting into," Brill said.

For example, what's known as "onward transfer," when data is exported from Europe to the United States and then again to a third party, will gain heightened attention under the new rules, Brill said.

"Onward transfer will be more strongly protected," she said. "There will have to be more assurances that the entity receiving the data will protect it as well."

Brill didn't rule out the possibility that Europe's DPAs will begin retroactively enforcing Privacy Shield once it's approved.

"In this evaluation time there is uncertainty," she said. "My hope would be that they would understand that everyone is being very respectful of their evaluation and waiting to give them time."

Timothy Edgar, who served under President Obama from 2009 to 2010 as the first director of privacy and civil liberties for the White House National Security Staff, had advice of his own for businesses.

"Companies that were part of Safe Harbor should continue to honor the privacy commitments they made under that agreement, because the Privacy Shield, at least as it has been described so far, is very similar," said Edgar, who is now a senior fellow in international and public affairs at Brown University's Watson Institute for International Studies.

"We don't have all the details yet on the Privacy Shield, so over the next few months it would be prudent for companies to check back with their privacy lawyers to make sure they are doing everything they are required to do under this new arrangement," he added via email.

Companies should consider ways to avoid unnecessary transfers of personal data, Edgar advised: "This is a good practice both for security and privacy reasons," he said.

Those that transfer personal data from the EU to the U.S. would also do well to encrypt the data before it leaves the EU, he added, since EU data-protection regulations only concern transfers of data that are in personally identifiable form.

Looking further ahead, though, Edgar has a big caveat: Privacy Shield may not stand up in European court.

"One thing we know for certain is that it does not change U.S. surveillance law," he explained, and the Court of Justice of the European Union has already determined that that law does not adequately protect EU personal data.

"EU data-protection commissioners are holding off on threats of enforcement for now, but over the next month or so they will be asking tough questions about whether the Privacy Shield is good enough," Edgar added. "The European Commission may be satisfied with the U.S. government's assurances about how EU citizens' data will be treated by American intelligence agencies, but that doesn't mean EU data-protection commissioners -- or European courts -- will agree."