On July 5th the European Parliament (EP) took a stand against the way data is being handled in the US, calling for a suspension of the Privacy Shield framework. The decision (in the form of a Resolution) reflects the concerns about the recent data-related scandals such as the “Facebook/Cambridge Analytica leak” (both companies were certified under the Privacy Shield framework), as well as the enactment of the Clarifying Overseas Use of Data (‘CLOUD’) Act. The Parliament considered that:
Unless the US is fully compliant by 1 September 2018 […] calls on the Commission to suspend the Privacy Shield until the US authorities comply with its terms.
This decision comes with a strict deadline (requiring the US to implement sweeping privacy reforms in less than two months during summer recess), which might seem harsh on US businesses that deal with EU-based counterparts under the Privacy Shield framework. However, a deeper analysis shows how the approach of the European Parliament reflects growing discomfort with the US data protection system. At the same time it also gives insights for companies on how to achieve a competitive advantage by appropriately handling EU data.
The Privacy Shield is a framework under which a US Company can obtain a certification attesting to their respect of higher standards of protection of personal data. US companies certified within the Privacy Shield framework can transfer personal data on the same conditions as intra-EU transfers.
It is important to note that the EP has neither the power to suspend the Privacy Shield agreement, nor to set deadlines for compliance. In fact, it is the prerogative of the European Commission to decide which countries offer an adequate level of data protection, as well which countries do no longer satisfy the requirements. It is only the Commission that, as an independent body, has the power to review the compliance status on a periodic basis, as well as to assess whether the level of the data protection laws in a Country can be considered adequate. In such cases, the Commission can enter into consultation with the third country with a view to remedying the situation giving rise to the problem. As of today, no talks concerning these specific points were scheduled between the Commission and the US.
However, the Parliament’s decision still carries considerable political power. The European Parliament has, in fact, oversight over the actions of the Commission, and has the responsibility to ensure the correct application of the EU treaties. This is mainly represented by the power of voting to censure the Commission or dismissing it.
In its Resolution, the Parliament decisively complained about the Commission’s silence about the slow implementation of key provisions of the Privacy Shield framework within the US legal system and stated that “unless the US is fully compliant by 1 September 2018,” it will consider that “the Commission has failed to act in accordance with Article 45(5) GDPR.” This might indeed point to the fact that it is of primary importance for the Parliament that the Commission begins adequacy talks with the US immediately.
Nonetheless, even if a Country no longer ensures an adequate level of protection, the suspension of the framework is not an automatic decision. Even if the talks between Commission and a third country were to be unsuccessful, the suspension would not be the only and automatic solution, as the GDPR also allows for other measures, such as the amendment of the framework, to solve the problem.
Within this intricate system of checks and balances, the ball is now in the Commission’s court, and it will have to decide whether to start adequacy talks with the US in the near future or justify its silence to the Parliament.
The resolution represents an important wake up call for the Commission, the US and affected US-based companies, and as a reminder of the impact that the respect of privacy laws have on EU-US partnerships. As the Parliament correctly noted:
Privacy and data protection are legally enforceable fundamental rights […] they must be applied in a manner that does not unnecessarily hamper trade or international relations, but cannot be ‘balanced’ against commercial or political interests.
Although it is difficult to predict the outcome of this contrast, organizations relying on the Privacy Shield framework are now faced with uncertainty and possible sweeping changes to the current model.
Even so, this situation represents an interesting opportunity. As the frantic race to GDPR implementation has shown, implementation of privacy standards is a delicate and demanding task. The ability to demonstrate compliance has proven to be a strong competitive advantage for organizations of all sizes that were able to position themselves ahead of the curve and process the most complicated issues well in advance.
The Resolution contains in fact some precious insights for both US and EU companies operating within the Privacy Shield framework. A deeper analysis of the arguments used by the Parliament allows for the identification of some takeaways that can assist companies in positioning themselves ahead of the competition in case of any change in the Privacy Shield framework:
|I am a US-based Processor or Controller processing EU data||I am a EU controller dealing with US-based processors
Make sure your contracts are in check.
Why? One of the main criticisms of the Parliament pertained to the fact that there is no effective control over whether certified companies actually comply with the Privacy Shield provisions. More precisely, the Parliament has highlighted that the US Department of Commerce has not (yet) made use of the possibility to request copies of the contractual terms used by certified companies in their contracts with third parties to ensure compliance. Companies should thus ensure that their contracts with third parties (such as data processing agreements and sub-processing agreements) have been reviewed and made ready to be audited.
Can data subjects exercise their rights effectively?
Why? The Parliament also criticized the current status of the recourse procedures for EU citizens, including companies providing independent recourse mechanisms. The fear is that they may prove too complex, difficult to use and less effective when compared with European standards. Organizations should thus ensure that the recourse mechanisms offered for complaints from individuals are both in place and effective.
Reinforce international transfer agreements.
Why? Transfers with a Privacy Shield-certified organization represent only one of the possibilities to legally transfer data between EU and US. The GDPR provides for other mechanisms of transfer that can possibly be adopted, should the Privacy Shield be suspended. With the view of ensuring business continuity, companies should start securing critical international data transfers with additional legal reinforcements, such as:
Why? The Parliament expressed concern that the standards for valid consent under the Privacy Shield framework uphold a different standard from the consent requirements of the GDPR, allowing for opt-out/right to object only in very specific circumstances. In order to avoid another wave of the re-consent panic that swept throughout European mailboxes in the run up to the GDPR deadline, it is advisable for organizations to start looking into a consent model that is closer to the GDPR principles. That is, one that is based on an expressed, informed and unambiguous choice of the data subject.