The U.S. Commerce Department is attempting to negotiate an agreement that would help thousands of U.S. companies comply with policies designed to protect the personal privacy of European citizens. The department, and the European Commission, an arm of the European Union (EU), have initiated discussions to resolve privacy issues raised by the EU, according to an August 10 joint statement.
The reason for the negotiations is that “Privacy Shield,” a Commerce Department program designed to protect the privacy of Europeans, has fallen apart. As a result of a legal challenge brought by Austrian privacy advocate Maximillian Schrems, an EU court ruled on July 16, 2020, that the U.S. Privacy Shield program was “invalid” because it failed to provide the requisite protection for European citizens.
Until the issues are resolved, U.S. companies will be operating in a twilight zone over how to ensure the privacy of personal data they collect and process electronically from European sources. More than 5,000 companies participate in Privacy Shield, and most of them are small or medium sized businesses.
The commercial impact of the EU decision is significant.
“Cross-border data flows between the U.S. and Europe are the largest in the world and are fundamental to the largest trading relationship in the world, valued at approximately 1.3 trillion U.S. dollars annually,” according to a joint statement issued by the U.S. Chamber of Commerce and several e-commerce associations. The termination of Privacy Shield has “disrupted these transatlantic data flows” and has created “legal uncertainty” for Privacy Shield participants, the groups said.
“Data flows are essential not just to tech companies — but to businesses of all sizes in every sector,” said U.S. Secretary of Commerce Wilbur Ross.
Why Are US Companies in a Fix?
At first glance, Privacy Shield appears to be a substantive legal framework. In reality, the relationship between the U.S. and European Economic Area (EEA) countries regarding privacy has been in a fragile state for years. The EU court decision marked the second time in five years that a U.S.-Europe privacy framework had unraveled. A prior agreement, called the Safe Harbor Act, failed in 2015.
In general, EEA countries subscribing to the EU General Data Protection Regulation (GDPR) insist that countries outside of the EU provide a similar level of protection for personal data as that provided within the EU.
Under GDPR protocols, several types of compliance are permitted for the transfer of EU data outside the EU, according to an analysis provided to the E-Commerce Times from the Better Business Bureau National Programs office. Privacy Shield enabled U.S. companies to meet one of these, based on what is known as an “adequacy determination,” which is a decision by an EU regulator that a non-EU country’s privacy laws are sufficiently robust to meet EU standards.
By signing up under this single vehicle and implementing the required privacy practices, U.S. businesses were able to process the data of EU consumers in the United States. Also, Privacy Shield differed from an alternative mechanism, known as Standard Contractual Clauses (or SCC), in that Privacy Shield provided additional transparency and accountability requirements. Privacy Shield was also a broader compliance mechanism than a contract between two businesses, the analysis noted.
The stumbling block between Europe and the U.S. was outlined by the EU Court. Europeans claim that U.S. law fails to provide European citizens the same level of due process protection as U.S. citizens regarding personal data that could be obtained by U.S. national security and law enforcement agencies.
The result is that U.S. companies are caught in a crossfire between governmental entities. The European decision to invalidate the Privacy Shield “focuses not on commercial uses of data, but on concerns over potential government access,” said U.S. Chamber of Commerce executive vice president Myron Brilliant.
Finding a Solution Poses Challenges
While government entities try to work out a solution, U.S. companies will have to deal with meeting GDPR standards as best they can. It will not be easy.
One option for U.S. companies is to use data “localization” measures. These are “regulations requiring companies to store and process data on servers physically located within national borders,” according to Albright Stonebridge Group.
A second option is for U.S. companies is to fall back on SCC agreements. But the EU decision made it more difficult to craft appropriate SCCs. Rather than use somewhat general legal templates, such agreements will now have to be much more specific depending on individual country requirements and the nature and use of collected data.
The EU decision contained “significant additional burdens,” for U.S. companies regarding both options, according to Lisa Soto, a partner at Hunton Andrews Kurth.
“The only sure bet is complete localization of data in the EEA. That is economically infeasible for most companies, so they are scrambling now to put in place alternate solutions for data transfers if they were relying on Privacy Shield certifications to legalize transfers,” Soto told the E-Commerce Times.
“If companies were relying on SCCs, they now need to conduct a transfer risk assessment and potentially put additional safeguards in place. To say this is a mess is an understatement,” she added.
Some legal experts contend that better encryption will help U.S. companies, and that the concern about national security agency access to data is somewhat constrained by U.S. law. The EU court decision has been rigorously examined by legal experts, with carefully nuanced analyses and interpretation of the ruling. But that underscores the notion that drafting SCCs puts a significant legal and compliance burden on companies.
Making matters even more risky for U.S. companies is the contention that the EU court “cast doubt” on the use of SCCs, according to the BBB National Programs analysis. In fact, a few European regulators, known as Data Protection Authorities (DPAs), have already voiced concerns about the viability of SCCs.
“Uncertainty will be the norm for data transfers between the EU and the U.S. until European regulators clarify the standards introduced by the EU Court. There is also additional uncertainty for data transfers from the UK to the U.S. because Brexit goes into full effect at the end of the year,” said Cobun Zweifel-Keegan, deputy director, Privacy Initiatives for BBB National Programs.
“The state of play after the Schrems decision is that all transfer mechanisms recognized under EU law now require additional legal, operational, and technical steps in order to even have a chance at being sufficient under the new standards,” he told the E-Commerce Times. “Until there is further clarity, businesses will continue to work to demonstrate their compliance to the best of their abilities, including by implementing the types of practices required by Privacy Shield,” he added.
While negotiations between the U.S. and Europe continue, the DoC will keep operating Privacy Shield in hopes that discussions will result in workable modifications to the program. Any of the companies in the program can drop out, but that’s not advisable, according to Soto, of Hunton Andrews Kurth.
“The Privacy Shield principles continue to serve as a strong framework for the protection of personal data. In addition, Switzerland continues to honor the Shield framework. Thus, it makes sense for companies to remain certified to the Shield.
“Of course, the hope is that diplomatic discussions will prove successful, and companies that are Shield certified ultimately will be able to again use the Shield as a mechanism by which to legally transfer personal date from the EEA to the U.S.,” Soto noted.