Those who are responsible for trans-Atlantic transfers of data can’t help but feel the impact Edward Snowden’s revelation of mass surveillance by the US authorities. A key fallout of this disclosure, amplified by a growing perception amongst EU regulators of company non-compliance, was the European Court of Justice’s (CJEU) decision to strike down the fifteen year old transatlantic data transfer protocol, the now defunct Safe Harbor.
Business pressure has seen the US authorities and the EU Commission quickly seek to replace it with Safe Harbor 2.0 - the highly anticipated Privacy Shield – which aims, amongst other things, to offer sufficient safeguards and redress mechanisms for individuals, something which Safe Harbor was criticised for lacking.
Despite the announcement being met with initial fanfare, serious questions have arisen with respect to Privacy Shield and its value as a long-term compliance solution for EU-based exporters of personal data, including data centres, looking to lawfully transfer data to the US.
In December 2015, the Schrems Facebook challenge saw the CJEU strike down Safe Harbor on the grounds that “legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life”.
This was a major issue for many data centre operators relying on Safe Harbor for transferring data to the United States. However, they didn’t have to wait long for a replacement, as by early February 2016, the European Commission and its US counterparts quickly announced that an accord on the new Privacy Shield had been reached.
Though initially lauded, Privacy Shield version one was in fact rejected by the Article 29 Working Party, the group composed of representatives of the EU national data protection authorities. In addition, Jan Philipp Albrecht, the MEP responsible for steering the new EU General Data Protection Regulation through the European Parliament, noted, Privacy Shield was little more than a “reheated serving of Safe Harbour”.
As such, Privacy Shield went back to the drawing board and we now have a revised, purportedly improved version.
The revised text of Privacy Shield was recently approved by the European Union, however, it still arguably fails to address what the CJEU had in mind in terms of redress for individuals and so significant question marks hang over it. While the adoption of Privacy Shield is arguably preferable to the gaping hole left by the invalidated Safe Harbor, it will almost certainly be subject to a legal challenge in the same way that Safe Harbor was.
Companies thinking about utilising Privacy Shield should therefore proceed with caution. Privacy Shield is also subject to review on a 12-month basis and, as such, will be stress tested in summer 2017. Businesses choosing to adopt compliance programmes in line with Privacy Shield could, therefore, in theory spend their valuable time and resources opting in, only to see their hard work come to nothing if a legal challenge succeeds.
As a result, the potential death knell that hangs over the future of Privacy Shield arguably diminishes its value as a long-term compliance solution and sole reliance on it for the time being is arguably only for the foolhardy. So if Privacy Shield isn’t going to be the “silver bullet” that was hoped, what are the alternatives?
The data centre industry need not panic. Whilst these critical and fundamental concerns hang over Privacy Shield, businesses could look to other solutions that have existed for some time already and offer peace of mind in terms of extra EEA data transfer solutions. Binding Corporate Rules and Model Contract Clauses, for example, remain “tried and tested” routes for businesses to follow for the time being in safeguarding the transfer of personal data.
Practically, it could be said that very little has changed as a result of Privacy Shield text being approved and the bottom line is that businesses might want to look to continue to assess and seek other compliance alternatives for the time being. In particular, why commit time, effort and costs if Privacy Shield may ultimately unravel?