At the Democratic National Convention in Chicago in 1932, as America seemed endlessly trapped within the depths of its Great Depression, Governor Franklin D. Roosevelt accepted his party's nomination to run for President and promised the American people this:
"I pledge you, I pledge myself, to a new deal for the American people."
This pledge - to lift the American people out of the economic troughs they had endured for years - helped Governor Roosevelt achieve office and become the next President of the United States. Over the coming years, measures taken by Roosevelt under his "New Deal" program helped take the United States out of the Great Depression and restore it to economic glory.
This piece of history has obvious parallels with the news announced by the European Commission today that it has agreed a "new framework" (admittedly, not quite as catchy as a "New Deal") with the United States for transatlantic data flows: US data exports have been in crisis since the Snowden revelations, the new framework promises to significantly benefit 'the man on the street', and this agreement is widely perceived as critical to US businesses and the US economy.
The effort taken to achieve this new framework has been simply monumental and, taken at face value, it's cause for celebration. But, as any lawyer will tell you, the devil is in the detail and today is only really part of the story...
What does the new framework provide?
To begin with, the EU and US have agreed a rebrand - Safe Harbor 2.0 will instead be called the "EU-US Privacy Shield." Critics will undoubtedly say that a "rose by any other name..." (or perhaps, less poetically, that "if it walks like a duck and talks like a duck..."), but the Commission has been eager to emphasize that the new framework has significant differences from the existing Safe Harbor.
In fact, the Commission takes great care in its press release not to even mention Safe Harbor, except to reference it very briefly for historical context purposes. Announcing the EU-US Privacy Shield, Justice Commissioner Jourová said:
"The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies. For the first time ever, the United States has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments."
Like Roosevelt's New Deal which was built upon the "three Rs" (relief, recovery, and reform), so too is the EU-US Privacy Shield built upon three core goals:
"1. Strong obligations on companies handling Europeans' personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the US. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.
2. Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. These exceptions must be used only to the extent necessary and proportionate. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.
3. Effective protection of EU citizens' rights with several redress possibilities: Any citizen who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute resolution will be free of charge. For complaints on possible access by national intelligence authorities, a new Ombudsperson will be created."
But what does this mean in practice?
Well, don't break out the champagne just yet!
Reacting to today's news, Jan Albrecht, the German MEP who fronted the European Parliament's negotiations on the new General Data Protection Regulation was quick to criticize on Twitter:
"Listen carefully: @EU_Commission and US side will need 'some' weeks to get this into concrete legal wording. This is no 'deal'! #safeharbor" (Tweet available here: https://twitter.com/JanAlbrecht/status/694552682116321281)
Even Edward Snowden weighed in:
"It's not a 'Privacy Shield,' it's an accountability shield. Never seen a policy agreement so universally criticized." (Tweet available here: https://twitter.com/Snowden/status/694571566990921728)
Grumbling from critics aside, the bigger point to note is this: before any data transfers can take place under the new EU-US Privacy Shield, the European Commission first has to adopt a formal 'adequacy' decision (as it has done in the past for the old Safe Harbor and for model clauses). It's working on that now but, even before that can happen, it has to take advice from the Article 29 Working Party - and it's probably a fair assumption that some members of the Working Party are less than charitably disposed towards any kind of US data transfers.
What also remains unclear is the status of current Safe Harbor certified companies - will they automatically be transitioned into the new EU-US Privacy Shield? The commercial will to see this happen will be strong but, if the scheme is to succeed in achieving any kind of credibility, it's difficult to see how this can really happen in practice - grandfathering in businesses under a discredited data transfer framework won't do wonders to win over critics of the new framework.
Put simply: you're not going to be able to rely on the EU-US Privacy Shield for data transfers for some time yet. So don't plan to do so.
Should we build our future data export strategy on the new Privacy Shield?
This really is a tough question to answer. While a political and legal solution may have been found, at the end of the day that matters little if no one uses it.
And that's the single biggest problem the EU-US Privacy Shield has to overcome. Given that detail about the new Privacy Shield is scarce (limited pretty much to what's been explained above); given that civil liberties group are almost certainly bound to challenge the EU-US Privacy Shield pretty much straightaway; and given that the CJEU Schrems ruling handed national DPAs the ability to investigate the 'adequacy' of data transfers made under any new Commission adequacy findings - including this new kid on the block - then you have to ask the question: why would anyone want to use it?
Over the past 4 months, US companies have invested huge amounts of time and effort to transition their data exports over to model clauses from Safe Harbor. Typically, the pressure to do so has been customer-led, with EU customers insisting that their US suppliers use model clauses if those suppliers want their business. The reality is that the way businesses use data hasn't changed, whether EU or US based; only the paperwork under which they use it. The concern hasn't been about surveillance, or better protection for data, or anything like that - it's been about keeping the wheels of commerce turning.
With that in mind, and having invested all this effort to transition over to a new data export model (often necessitating securing significant budget from senior managers), why would US businesses wish to transition over again to the new EU-US Privacy Shield? Especially if, after doing so, EU customers still refuse to accept it due to concerns that it may be challenged by data subjects or DPAs? Ask yourself this: as an EU customer, would you accept a US supplier using the EU-US Privacy Shield without also providing some kind of 'backup' solution in the form of model clauses?
So no matter how much effort has been put into agreeing this framework for the EU-US Privacy Shield, the biggest challenge is yet to come: market acceptance, and there's a real 'hearts and minds' campaign that needs to be staged here to win over the doubters. Without this, the EU-US Privacy Shield may find itself consigned to become nothing more than an interesting footnote in data export history.
But, to end on an optimistic note, there is one positive development: the Privacy Shield at least has the same spelling in the EU and the US. EU privacy lawyers who have spent years cursing at their computers as their word processing software automatically corrects their spelling of "harbor" to "harbour" can at last breathe a sign of relief...
At the Democratic National Convention in Chicago in 1932, as America seemed endlessly trapped within the depths of its Great Depression, Governor Franklin D. Roosevelt accepted his party's nomination