Currently, there are very few concrete details available to the public regarding Privacy Shield, the newly proposed EU-U.S. agreement that will replace the now-void Safe Harbor. In part one of this blog post, we sifted through the information that is currently available to highlight three elements of Privacy Shield worth noting.
Here, Jacqueline Klosek, senior counsel at Goodwin Procter LLP, lays out the potential challenges for the agreement, including how it could affect businesses and their customers.
Privacy Shield has been presented by the European Commission (EC) as a framework that deviates from Safe Harbor, which the European Court of Justice found had deficient privacy protections. But in reality, the new framework’s structure is very similar to its predecessor’s, at least from what can be gleaned from the details that have been made public, said Klosek (see part one of this blog post, link above).
Despite these similarities, Privacy Shield does have some notable differences that appear to address the inadequacies of Safe Harbor, including the creation of a privacy “ombudsman” role in the U.S. who will be in charge of investigating complaints of inappropriate surveillance by U.S. national security agencies. Furthermore, the EC said that for the first time, the U.S. government has provided “written assurances” that it will place limitations on surveillance programs and set up privacy safeguards.
But will these differences be sufficient for Privacy Shield to pass muster with the European authorities?
Right now, the answer to that question is unclear, said Klosek. Like Safe Harbor, she believes the proposal will be challenged in court.
“Ultimately, whether it succeeds will be a question for the European Court of Justice that will depend in large part upon the extent to which the finalized accord successfully addresses the deficiencies that were identified in the Schrems decision,” Klosek said.
Moreover, before U.S. companies can rely on the new framework, the EC is required to create a more detailed “adequacy decision” that can only be approved after EU data protection authorities (DPAs) determine that Privacy Shield does enough to protect EU citizens’ rights — and there is a risk that the DPAs won’t, said Klosek. “[DPAs] could bring enforcement actions against U.S. companies operating in Europe, which would greatly complicate compliance efforts,” she added.
Implications for businesses, consumers
Based on currently available information, there probably won’t be many changes ahead for businesses that relied on Safe Harbor before, said Klosek. However, the logistics detailing how and when Privacy Shield will be implemented have not yet been settled.
“The fact that the Privacy Shield is so similar to the Safe Harbor means it won’t provide long-term guarantees to U.S. businesses until the European Court of Justice confirms its validity under EU law,” she said.
There is good news for EU consumers whose data is being transferred to the U.S.: They may find more accessible, expanded avenues for redress, as well as more robust privacy protections.
As for businesses that don’t comply with Privacy Shield’s requirements? They could find themselves the target of an enforcement action by the FTC, particularly after allegations that the agency did not enforce Safe Harbor firmly enough in the past.
“But how that will play out on the ground remains to be seen,” Klosek said.