Privacy Shield a Done Deal; Certification Process Opens Aug. 1

The Department of Commerce and the EC worked hard to develop a framework that protects privacy for consumers and gives legal certainty to businesses on both sides of the Atlantic, said Commerce Secretary Penny Pritzker at a media briefing. Privacy Shield is a "milestone for privacy" because data-sharing is driving growth in every sector, she said. The arrangement increases the cooperation between the FTC and national data protection authorities to ensure "vigorous enforcement," she said. "It's quite unusual how transparent we're being" in terms of how the U.S. intelligence community operates, Pritzker said. She and Justice Commissioner Vera Jourová said they believe the system will withstand a court challenge. Privacy Shield was designed based on the European Court of Justice (ECJ) judgment in Schrems, Jourová added.

"The FTC has a strong track record of protecting consumer privacy, and we will remain vigilant as we enforce the new framework," said Chairwoman Edith Ramirez. She promised to work closely with European counterparts to provide "robust privacy and data security protections for consumers in the United States and Europe." Adoption of the agreement "highlights the successful approach that the FTC has taken towards privacy and security," said House Commerce Committee Chairman Fred Upton, R-Mich., Commerce, Manufacturing and Trade Subcommittee Chairman Michael Burgess, R-Texas, and Communications and Technology Subcommittee Chairman Greg Walden, R-Ore.

Legal 'Pitfalls'

"We can assume that with the new Privacy Shield there is a bit more certainty around international data transfers but the situation is still pretty dynamic," said Hogan Lovells (London) data protection attorney Eduardo Ustaran. The new arrangement is subject to challenge and the validity of model contract clauses -- another mechanism used by companies for data transfers -- "is very much subject to the validity of" Privacy Shield itself, he emailed. Hogan Lovells issued a client note advising how to self-certify to Privacy Shield. Companies must show they can comply with seven principles: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability, the note said.

The path ahead of U.S. companies that want to use Privacy Shield "contains a number of pitfalls," said Squire Patton Boggs data protection and cybersecurity attorney Ann LaFrance in a statement. Aside from the possible legal challenge, there's a controversial U.S. bill (S-3017), awaiting Senate action, which would limit the scope of the Privacy and Civil Liberties Oversight Board to the protection of the privacy and civil liberties of U.S. persons only, she said. The bill could affect the mechanisms in Privacy Shield to protect the rights of European residents whose personal data have been sent to the U.S., she said. The new pact has several substantive and procedural requirements that are more rigorous than those in safe harbor, and the promise of tougher oversight and enforcement on both sides of the Atlantic, said LaFrance. "Eyes wide open," she advised.

That Privacy Shield addresses data transfer issues at the political level is alone "reason to applaud" it, said Morrison & Foerster attorneys Miriam Wugmeister (New York) and Lokke Moerel (Berlin) in a statement. By the time the ECJ decides any challenge to Privacy Shield, "we will also have more clear guidance" from the European Court of Human Rights on what the limitations, safeguards and redress should be for EU citizens regarding generic surveillance for national security, they said. That will provide more clarity on how countries should balance privacy and security "and may lead to a more level playing field between the EU and US."

Privacy Shield, from the U.S. side, is based on letters and other assurances from various federal agencies and officials, rather than on legislation. That rankled some members of the European Parliament Civil Liberties, Justice and Home Affairs (LIBE) Committee during a webcast meeting Monday with Jourová. She reviewed the final changes to the arrangements, saying it's a "very different and much stronger framework" than safe harbor. She said it's "dynamic process" that will be actively monitored on both sides of the Atlantic, and can be canceled if the U.S. or American companies fail to live up to their commitments.

Some lawmakers told Jourová they remain concerned the agreement will be challenged in court and just isn't good enough. There was concern that Privacy Shield isn't underpinned by any U.S. legislation. "It would be better if we had a law, I admit it," but U.S. agencies have committed to the arrangements and the EC expects them to keep their commitments after the presidential election, Jourová said.

Industry Reaction

Industry groups and a U.S. lawmaker praised the conclusion of talks. Approval "is a watershed moment for transatlantic relations and online data privacy," said Sen. Orrin Hatch, R-Utah. He said he "led the legislative battle in Congress to enact the Judicial Redress Act" that offered "much-needed assurances to European leaders" negotiating the final terms.

The pact "sets a new high standard for EU-U.S. data transfers, said Computer and Communications Industry Association Europe Director Christian Borggreen. It will ensure that companies can "continue to build upon and strengthen" the data-driven global economy, said Digital Marketing Association Vice President-Advocacy Christopher Oswald.

Many "obvious" questions remain unanswered, such as how the EC can claim there will be no access to data on a generalized basis despite the U.S. excepting six cases where it permits bulk collection, Schrems said at a news-media event Tuesday hosted by MEP Jan Philipp Albrecht, of the Greens/European Free Alliance and Germany. The pact "is the product of pressure by the U.S. and the IT industry -- not of rational or reasonable considerations," he said, predicting it would fail at the ECJ.