Julie Brill, Hogan Lovells partner and co-head of our global Privacy and Cybersecurity practice, recently commented on the EU-US Privacy Shield for the EurActiv publication. Her comments are republished here, with permission:
The free flow of data is essential to an ever-growing segment of the global economy. Yet some policymakers and advocates, citing privacy concerns, have called for shutting off the faucet and restricting data flow, to the detriment of European consumers and European businesses, both small and large.
With cooler heads and a laser-like focus on the best interests of all European citizens, the European Commission and the US Department of Commerce have been tirelessly working to build a better framework for maintaining a seamless flow of data across the Atlantic in a manner that respects the privacy of European citizens.
After much debate, a major European court opinion, and at least one act of Congress to address the issue, a solution is at hand that will enhance real, enforceable privacy protections on both sides of the Atlantic.
Three years ago, the Snowden revelations led the Commission to sharply question the safety of at least one transatlantic data transfer mechanism, known as the US-EU Safe Harbour framework, and to call for development of a better framework.
Safe Harbour had been employed by over 4,500 companies on both sides of the Atlantic to provide online and mobile services to consumers and to transfer back-office information about customers and employees.
The Court of Justice of the European Union added fuel to the fire last October when it declared Safe Harbour invalid by questioning its ability to uphold the fundamental rights of European citizens in the face of allegations about broad US government access to their data and ineffective redress mechanisms.
Out of this complex policy web, and after intense negotiations, the Commission and the US Department of Commerce introduced the EU-US Privacy Shield to replace the Safe Harbour framework.
All eyes now turn to the upcoming EU member state vote, as well as the Commission’s final adequacy decision, promised by mid-July.
Privacy Shield increases protections with regard to both national security access and privacy protections required of companies that sign up. Recent enhancements to citizens’ protections when their data is collected and used by US intelligence services – such as the Judicial Redress Act, the USA Freedom Act and President Obama’s Policy Directive 28 – establish significant limits on signals intelligence collection and give Europeans access to US courts.
Moreover, once Privacy Shield is adopted, the State Department will create a new Ombudsperson position to process any complaints by European citizens or data protection authorities about US signals intelligence practices.
On the commercial side, companies that volunteer to join Privacy Shield will have to comply with significantly enhanced requirements, such as obtaining consent from Europeans before they share data with third parties, including affirmative express consent to share sensitive data such as health information.
Signatories must also allow Europeans to access, correct, or delete applicable data. Crucially, companies will have to require their business partners, who receive information about Europeans, to also live up to these principles. And Privacy Shield companies will have new, ongoing obligations to oversee the processing activities of their agents.
Privacy Shield also beefs up enforcement and consumer recourse. And if the Commission believes that the framework is not fulfilling its promise – because the United States government is not living up to its commitments – then the executive will be empowered to suspend Privacy Shield.
Since its debut, a number of stakeholders in Europe have analysed and critiqued Privacy Shield. Most significantly, Europe’s data protection watchdogs, collectively known as the Article 29 Working Party, welcomed “significant improvements” brought by Privacy Shield, while suggesting clarifications and expressing some continuing concerns.
Negotiators from the EU and US spent the past three months bolstering Privacy Shield to address Article 29 Working Party’s concerns, including adding restrictions on the ability of Privacy Shield companies to retain data about EU citizens, and clarifying that the Ombudsperson will operate independently.
As a Commissioner, I had long called for US consumers to have many of these same rights. Although companies that strive to lead as data stewards provide similar rights, many other companies do not. But once it is adopted and in place, Privacy Shield’s enhanced framework will propagate its robust protections beyond its company members, because it will raise the bar for all certifying companies as well as their business partners. As a result, Privacy Shield will have a profound effect on improving data protection for consumers in the EU and the US.
This article was first published on EurActiv on July 6, 2016.