On January 12, 2016, the European Commission enacted a privacy shield framework for international data transfers by private companies from Europe to the United States (“US”) (the “Privacy Shield” or “the framework”).  The framework was developed jointly by the US Department of Commerce and the European Commission.^[1]  The Privacy Shield became effective for enrollment on August 1, 2016, and since then more than 1,500 companies have joined the framework.^[2]  In the US, the Privacy Shield is governed by the International Trade Administration (“ITA”) within the Department of Commerce and enforced by the Federal Trade Commission (“FTC”).^[3]  To join the Privacy Shield, a company must self-certify and publicly commit to various privacy requirements with regards to processing personal information from European data subjects.  Joining the Privacy Shield is voluntary, but once a company chooses to participate, the commitment is fully enforceable under US law.  The Privacy Shield acts as an additional layer of security over Model Contract Clauses (“MCCs”), the main alternative method for international data transfers.

Personal Data processed in the European Union and European Economic Area (“EU”) is more broadly governed by the Data Protection Directive 95/46/ EC (“DPD 95/46/EC” or “the Directive”).^[4]  This directive operates in conjunction with member state and local data protection laws.  On May 25, 2018, the DPD 95/46/EC will be replaced by the General Data Protection Regulation 2016/679 (“GDPR 2016/679”).^[5] 

This article investigates the regulatory and legal transfer mechanisms under the EU-US Privacy Shield Framework, specifically: (I) History of EU-U.S. Data Transfer Protection Prior to Privacy Shield; (II) Challenges to Model Contract Clauses; (III) Benefits of Joining the Privacy Shield; and (IV) The President Trump Effect.

1. HISTORY OF EU-US DATA TRANSFER PROTECTION PRIOR TO PRIVACY SHIELD

1. EU Data Protection History

The EU and US have significant differences in how they handle data privacy.  Originally, in 1981, data protection in Europe was regulated by the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.^[6]  This act required every signatory country to enact their own laws regulating the transfer of data.^[7]  The European Commission realized that this convention slowed data flows because each country had its own specific regulations.^[8]  The DPD 95/46/EC was passed in October 1995, which created a comprehensive EU framework governing the transfer of data.^[9]  The Directive laid out the basis on how public and private organization could store and transmit data, leaving each individual EU member state to implement and enforce the Directive through their laws.^[10]  For example, Germany uses both the Bundesdatenschutzgesetz as well as the DPD 95/46/EC to govern data transfers.  The DPD 95/46/EC and each member state data privacy law is enforced by national regulatory bodies known as Data Protection Agencies (“DPAs”).  The Directive also allows the European Commission to determine whether a country provides the “adequate level” of security.^[11]  Adequate is determined by how the data is processed, where the data originated and where it is going, the laws and security measures of the country receiving the data, the type of data being transferred, and how long the data will be processed.^[12] 

Under the Directive, each EU member state must establish their own DPAs that monitor all regulated organizations processing data.^[13]  Individuals are also granted the opportunity to access, correct and “seek remedial” measures if they claim that their data has been handled incorrectly.^[14] 

In the EU, personal data protection is a fundamental human right.^[15]  Protection of personal data was codified in the Charter of Fundamental Rights of the European Union and became binding on all EU members in the 2007 Treaty of Lisbon.^[16] 

2. US Data Protection History

In contrast to the EU, the US does not have a single “overarching data privacy policy,” but rather a patchwork of privacy and data security regulations.^[17]  There are a few statutes that govern data collected or maintained by the federal government, such as the U.S. Privacy Act of 1974 and the Communications Privacy Act of 1986.^[18]  Many of the laws governing data privacy are industry specific.  For example, the Health Insurance Portability Accountability Act, governs the transmission of protected health information by “covered entities” and “business associates” (e.g., healthcare providers and their subcontractors).^[19]  

3. The Beginning and End of Safe Harbor

Beginning in 2000, data transfers between the EU and US were governed by the “Safe Harbor” Agreement, which was developed by the Department of Commerce.^[20]  The Safe Harbor was generated around seven principles: (1) Notice, (2) Choice, (3) Onward Transfer, (4) Security, (5) Data Integrity, (6) Access, and (7) Enforcement, but it was possible to waive these principles for national security and law enforcement.^[21]  Any company that was regulated by the FTC or the Department of Transportation could self-certify under the Safe Harbor, and when it was active, approximately 4,500 companies became certified.^[22] 

The Safe Harbor was ultimately invalidated on October 6, 2015 by the EU Court of Justice’s (“CJEU”) ruling in Schrems v. Data Commissioner.^[23]  The suit arose over the Plaintiff’s concern with Facebook transferring his personal data from EU servers based in Ireland to servers in the US, on the heels of Edward Snowden’s whistle blowing revelations about US national surveillance.^[24]  Although the Plaintiff’s claim for damages was dismissed, the CJEU invalidated the Safe Harbor in that decision.  The CJEU concluded that “DPAs must be able to examine, with complete independence, any claim concerning the protection of a person’s rights and freedoms in regard to the processing of personal data relating to him.”^[25]  The Safe Harbor became invalid per Article 25 of the DPD, which requires the European Commission to examine the domestic laws of a third-party country prior to determining their data transfer practices as being adequate.^[26] 

2. CHALLENGES TO MODEL CONTRACT CLAUSES

Following the revocation of the Safe Harbor, companies continued to transfer data between the EU and third party countries legally through MCCs (also known as Standard Contractual Clauses).^[27]  MCCs allow for the transfer of data to a third-party country that is not deemed to provide adequate protection to the data.^[28]  Model Contract Clauses became the primary means of transferring data between EU and US after the invalidation of Safe Harbor and before the enactment of Privacy Shield. 

Before a company can take part in an MCC or any other data transfer agreement they must determine whether they are acting as a data controller or a data processor for a particular data transfer.^[29]  The DPD 95/46/EC requires that data controllers sign contracts known as data processing agreements with any entity with whom they transfer data, either domestically or internationally.^[30]  MCCs are typically included as part of the data processing agreement as an appendix. 

There is no uniform definition of data controllers and data processors under the various European privacy regulations, which can lead to ambiguity in how companies should be labeled in data processing agreements.  However, in general, a data controller is considered any company that dictates how a third-party will use the data.^[31]  The third party manipulating the data on the controller’s orders is generally known as a data processor.  Sometimes a company can be act as both a controller and a processor for a given data transfer.

There are three sets of contractual clauses, two different controller-to-controller clauses, and one controller-to-processor clause.  The benefit of MCCs is that they are pre-approved by EU DPAs and quick to implement.^[32]  MCCs permit data transfers from the EU to any jurisdiction, whereas the Safe Harbor was only approved for EU-US transfers.^[33]

In May 2016, Max Schrems, the same lawyer who invalidated Safe Harbor, filed suit in Ireland against Facebook over the use of MCCs.^[34]  Certified Information Privacy Processionals of Europe (“CIPP/E”) believe that the Privacy Shield provides greater protection.^[35]  Schrem’s goal is to have the case moved from the Ireland High Court to the CJEU invalidating MCCs throughout the EU.^[36]  The alternative to MCCs is binding corporate rules (“BCRs”), though stronger than MCCs, they are not practical or cost effective for most companies.^[37]

The impact of the case would not be limited to Facebook.  The holding could determine the fate of all companies using MCCs to transfer data between the EU and US.  The legal challenge is based upon a similar argument made in the Safe Harbor case.  Namely, that MCCs do not protect European data from mass surveillance by US intelligence agencies.  In particular, the Irish Data Protection Commission believes there is no legal remedy available to EU citizens whose data may be “accessed and processed by US agencies in the pursuit of national security.^[38]  The Privacy Shield allows EU citizens to seek judicial redress through the Judicial Redress Act.^[39]  The case challenging MCCs went to trial on February 7, 2017, and a decision has yet to be reached as of the publishing of this paper.^[40] 

3. BENEFITS OF JOINING THE PRIVACY SHIELD

The Privacy Shield incorporates many concepts from the Safe Harbor, including the following: (1) Notice; (2) Choice; (3) Accountability for Onward Transfer; (4) Security; (5) Data Integrity and Purpose Limitation; (6) Access; and (7) Recourse, Enforcement, and Liability.^[41]  However, the Privacy Shield goes a step further in judicial redress protections by requiring a right to arbitration, disclosure to public authority, and ensuring that third-party companies receiving personal data provide the same level of protection as required by the Privacy Shield Principles.^[42] 

The self-certification process is relatively straightforward; a company must update their privacy policy with fourteen points that adhere to the Privacy Shield Principles and submit a letter to the Department of Commerce outlining their intent to follow the Principles.^[43]  Once certified the process for maintaining Privacy Shield compliance is “rigorous” because it requires annual re-certification and companies must constantly ensure that they are handling data pursuant to the Shield Principles as well as evaluate their handling of the information.^[44]  Pricing for joining the Privacy Shield is based on a company’s annual income, and this certification fee is used to fund the entire framework.^[45] 

Although US companies transferring data under MCCs are currently under no legal obligation to join the Privacy Shield, joining may significantly increase their marketability as compliance-focused companies.  A disadvantage to joining the Privacy Shield is that companies must hold themselves to a higher legal standard and they then become subject to sanctions for violating Privacy Shield standards.  If an organization chooses to join, the “principles apply immediately upon certification.”^[46]  Furthermore, if a company eventually decides to leave the Privacy Shield, any data received while a Privacy Shield member must continue to comply with all regulatory requirements indefinitely.^[47]  

The Privacy Shield is not without detractors within the EU.  Specifically, Max Schrems, who led the legal charge against both Safe Harbor and MCCs, believes that the Privacy Shield is no more than “a little upgrade.”^[48]  Schrems is an Austrian lawyer and privacy activist who became aware of the data transfer implications between the EU and US after Edward Snowden infamously released classified data collected by the National Security Agency.^[49]  During the vote to enact the Privacy Shield, only four countries abstained from the vote for the framework, which suggests the influence of the Privacy Shield’s detractors is relatively minimal.^[50]  The detractors primary argument is that for there to be a comprehensive data transfer system between the EU and US, the US must overhaul its entire data privacy framework.^[51]  Schrems seems likely to challenge the Privacy Shield in the future, pointing to the lack of redress options available.^[52] 

4. THE PRESIDENT TRUMP EFFECT

President Trump’s arrival in the White House has brought a series of executive orders that have created uncertainty surrounding the long-term viability of the Privacy Shield.  One such order requires government agencies to exclude the personal data of non-US Citizens from the protections of the Privacy Act (1974).^[53]  The Privacy Act protects the personal information of individuals held by federal agencies in the US whereas Trump’s executive order removes this protection for non-US citizens living in the United States.^[54]  

Trump has also spoken out against international trade agreements and he has threatened to overturn all executive orders issued by President Obama.^[55]  This is concerning because the Privacy Shield became effective through a series of Executive orders and Presidential Directives, specifically Directive 28.^[56]  If this directive is overturned, the Privacy Shield would likely collapse.^[57] 

Fortunately, the European Commission recently issued a statement reassuring the public that the Privacy Shield is still enforceable for the time being (based upon a technical argument).^[58]  The European Commission argued that Trump’s executive order does not directly impact the Privacy Shield, because the Privacy Shield broadly protects data transferred by private entities, whereas the Privacy Act only covers the records maintained by government agencies.^[59]  Although the Privacy Shield is currently enforceable, Trump’s foreign policy agenda does create legal uncertainty for EU regulators and policymakers, which ultimately increases the risk associated with all international data transfers between the EU and US.^[60]

CONCLUSION

For the foreseeable future, there remains uncertainty surrounding the Privacy Shield’s impact on international data transfers.  The Privacy Shield is due for its first annual review this summer, which will likely help determine its long-term viability.  In joining the Privacy Shield, companies that transfer data through MCCs gain an extra layer of legal security.  But the major drawback remains that companies are obligating themselves to comply with additional regulatory obligations.

If Privacy Shield and MCCs are both invalidated, there may be no other choice for companies, but to pursue BCRs.  It is unlikely that both MCCs and Privacy Shield will be deemed invalid and BCRs are not practical for most companies.  Adding to this uncertainty is the unpredictability of President Trump, while he has never expressly stated that he has a problem with data transfer security between companies, he could aggressively pursue this under his larger concern with national security.  Regardless of the potential invalidation of MCCs, companies should actively pursue self-certifying under the Privacy Shield because it guarantees them an additional layer or security and may increase their marketability by showing that they adhere to a strict data transfer mechanism.