Emerging tech companies take note – if you collect the personal data of European citizens from the United States, or otherwise transfer that data to the U.S., recent developments mean your legal obligations may change soon.
Citizens of EU member states have an explicit right to privacy. In practice, this means companies can transfer EU citizens’ personal data out of the EU only if the destination country has an adequate level of protection.
Historically, it has not been a problem to store EU citizen data in the United States. Under an agreement between U.S. and EU regulators, which is often referred to as the “Safe Harbor,” a U.S. company could transfer that data to the U.S. by certifying to the U.S. Department of Commerce that it would adhere to European privacy principles. The U.S. Federal Trade Commission, in turn, could bring enforcement actions against the company if it failed to comply. More than 4,000 companies took advantage of the Safe Harbor to transfer data to the U.S., from Amazon and Google to emerging tech companies in the upper Midwest.
After Edward Snowden revealed that the U.S. government may have indiscriminately conducted mass surveillance of EU citizens’ personal data, an Austrian Facebook user complained to EU authorities that the U.S. lacked adequate protections. On October 6, 2015, the Court of Justice of the European Union ultimately agreed and invalidated the Safe Harbor framework.
The ruling had an immediate impact on businesses of all stripes that relied on the Safe Harbor, particularly emerging tech companies. They were left with a handful of bad alternatives –
- keep the data in the EU – potentially expensive or unworkable;
- obtain user consent or use model contract provisions – also potentially expensive or unworkable, especially for companies already processing data on behalf of existing business customers with an EU presence; or
- leverage binding corporate rules – a time-consuming process ultimately requiring approval of EU data authorities.
Worse still, the Court of Justice of the European Union ruling implicitly called into question some of these alternatives. Recognizing the problem, EU regulators gave themselves and their U.S. counterparts until January 31, 2016 to find an alternative. This set off intense negotiations among regulators.
On January 28, 2016, the U.S. Senate Judiciary Committee approved a bill that would allow EU citizens to sue the U.S. government for privacy violations. Just a few days ago, on February 2, the European Commission and the U.S. Department of Commerce announced the outline of a potential Safe Harbor replacement, dubbed the “Privacy Shield.” According to the releases:
- U.S. companies will have stronger obligations to protect personal data of EU member state citizens. Among other things, they will be required to comply with the decisions of the EU data protection authorities regarding personal data.
- U.S. companies will remain subject to enforcement actions for privacy violations by the FTC, and EU privacy regulators will have the ability to refer complaints of EU member state citizens to the FTC.
- If an EU citizen lodges a complaint regarding inappropriate activity by U.S. authorities, a new Ombudsperson at the U.S. State Department will review it.
- Alternative dispute resolution for certain complaints will be made available for free.
- The U.S. will commit not to indiscriminately conduct mass surveillance of EU citizens. U.S. guarantees regarding limits and oversight will be reviewed annually by the European Commission and the U.S. Department of Commerce. U.S. national security agencies will be invited to participate in those reviews.
To Be Determined
The outline lacks many details that will prove vital to providing a meaningful and lasting legal alternative for U.S. technology companies. Important outstanding questions include:
- Will free alternative dispute resolution result in an increased number of complaints?
- Will U.S. security agencies take up invitations to participate in annual reviews, and will those reviews be meaningful? If not, will the Court of Justice ultimately invalidate the Privacy Shield as it did the Safe Harbor?
- Will the Privacy Shield be suspended if EU authorities conclude that the U.S. failed to comply with the Privacy Shield’s limits?
- By when will the EU and U.S. finalize these and other Privacy Shield details? EU regulators suggested that final approval could take up to 3 months, but some EU lawmakers and privacy advocates are already arguing the Privacy Shield is not enough.
In The Meantime
While the Privacy Shield winds its way through the EU legislative process, the chair of the group composed of EU data protection agencies said the group will not take enforcement action against U.S. companies that continue to use existing legal alternatives like model contract clauses and binding corporate rules. While these alternatives may be difficult for many emerging technology companies, they currently remain the only likely legal way to collect EU citizens’ data from the U.S. or otherwise transfer EU personal data to the U.S.