EU-U.S. Privacy Shield – Its origins and the high bar it must meet

By Peter Guffin, Visiting Professor of Practice

To predict the Privacy Shield’s future, it’s helpful to recall its origins and to understand the high bar it must meet – namely, ensuring “an adequate level of protection” under the Data Protection Directive.

As to its origins, because the Commission had not recognized the U.S. as having adequate protection, in 2000 the EU and the U.S. were forced to come up with mechanisms to enable companies to continue to transfer personal data from the EU to the U.S. The Safe Harbor framework, blessed by the Commission in an adequacy decision (“Safe Harbor Decision”), was one of the mechanisms agreed upon between the EU and the U.S.

Under the Safe Harbor framework, U.S. companies were able to self-certify through the U.S. Department of Commerce (DOC) that they adhered to the privacy principles set forth in the Safe Harbor Decision. Before the framework was invalidated in 2015, more than 4,000 U.S. businesses, including Facebook, had self-certified under it. Significantly, as of today, the U.S. has not been recognized by the Commission as having adequate protection.

Leading up to the Safe Harbor’s invalidation, in June 2013, Edward Snowden, a former National Security Agency (NSA) contractor, released to journalists a trove of classified NSA documents revealing, among other things, that the NSA was collecting internet communications from at least nine major U.S. internet companies, including Facebook, under a program called PRISM. Furthermore, it was revealed that these providers were subject to a “gag order” and were consequently forbidden from confirming or denying the data was being handed over to the NSA.

Following the Snowden revelations, Max Schrems, an Austrian citizen, filed a complaint against Facebook with the Irish Data Protection Commissioner seeking to prohibit Facebook from transferring data from Ireland to the U.S. given its alleged involvement in the PRISM program. He argued that the Safe Harbor framework would violate his fundamental right to privacy, data protection, and the right to a fair trial under the Data Protection Directive.

After the case worked its way through the EU courts, on October 6, 2015, the Court of Justice of the European Union (CJEU) handed down its ruling, declaring the Safe Harbor Decision invalid. Acknowledging that the Data Protection Directive nowhere defines the concept of “an adequate level of protection,” the CJEU held that while a country does not have to “ensure a level of protection identical to the EU legal order,” it must ensure, by way of its domestic law or international commitments, a level of protection of fundamental rights and freedoms that is “essentially equivalent” to that guaranteed within the EU.

A critical factor in its ruling was an exception in the Safe Harbor Decision permitting self-certifying U.S. companies to disregard the Safe Harbor principles “without limitation where they conflict with [U.S. national security, public interest, or law enforcement] requirements and therefore prove incompatible with them.” The CJEU found that this exception paid no consideration to “whether the information in question relating to private life is sensitive or whether the persons concerned have suffered any adverse consequences on account of that interference.” In addition, it found the Safe Harbor Decision did not contain any finding regarding the existence of rules adopted in the U.S. limiting the “interference with the fundamental rights” of EU citizens whose personal information was being processed in the U.S., highlighting the fact that the U.S. government is not required to comply with the Safe Harbor principles and that EU citizens are not afforded the same Fourth Amendment protections as U.S. persons. As a result, the CJEU concluded that the lack of limitation allowed the U.S. government to “process [personal data] in a way incompatible . . . with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.”

The CJEU decision stunned privacy professionals and left EU and U.S. companies relying on the Safe Harbor in a quandary as to how they could continue transatlantic data transfers critical to their businesses. Given the enormous economic stakes, the DOC and the Commission quickly commenced discussions to try to create a Schrems-proof replacement for the Safe Harbor. Thus was born the Privacy Shield.

Whether such a feat is even possible – to create a replacement for the Safe Harbor that ensures a level of protection “essentially equivalent” to the Data Protection Directive – is uncertain. The different cultures of privacy in the EU and U.S. – the EU’s emphasis on the values of respect and personal dignity and the U.S.’s emphasis on the values of liberty, especially liberty against the state – make reconciliation between the EU and U.S. privacy regimes very difficult. It will require understanding and appreciation of those differences by parties on both sides of the Atlantic, as well as acknowledgement of the many shared values and areas of common ground that continue to unite us.