U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield

Summary

Both the United States and the European Union (EU) maintain that they are committed to upholding individual privacy rights and ensuring the protection of personal data. Nevertheless, data privacy and protection issues have long been sticking points in U.S.-EU economic and security relations, in part because of differences in U.S. and EU data privacy approaches and legal regimes. In the late 1990s, the United States and the EU negotiated the Safe Harbor Agreement of 2000 to allow U.S. companies and organizations to meet EU data protection requirements and permit the legal transfer of personal data between EU member countries and the United States.

The unauthorized disclosures in June 2013 of U.S. National Security Agency (NSA) surveillance programs and subsequent allegations of other U.S. intelligence activities in Europe renewed and exacerbated European concerns about U.S. data privacy and protection standards. The alleged involvement of some U.S. Internet and telecommunications companies in the NSA programs also elevated European worries about how U.S. technology firms use personal data and the extent of U.S. government access to such data. As a result, a number of U.S.-EU data-sharing accords in both the commercial and law enforcement sectors have come under intense scrutiny in Europe.

In October 2015, the Court of Justice of the European Union (CJEU, which is also known as the European Court of Justice, or ECJ) invalidated the Safe Harbor Agreement. The CJEU essentially found that Safe Harbor failed to meet EU data protection standards, in large part because of the U.S. surveillance programs. Given that some 4,500 U.S. companies were using Safe Harbor to legitimize transatlantic data transfers, U.S. officials and business leaders were deeply dismayed by the CJEU's ruling. Companies that had been using Safe Harbor as the legal basis for U.S.-EU data transfers were required to immediately implement alternative measures. Experts claimed that the CJEU decision created legal uncertainty for many U.S. companies and feared that it could negatively impact U.S.-EU trade and investment ties.

On February 2, 2016, U.S. and EU officials announced an agreement, "in principle," on a revised Safe Harbor accord, to be known as Privacy Shield. Although the text of the new agreement is still being finalized and has not yet been released, U.S. and EU officials assert that it will address the CJEU's concerns. In particular, they stress that it will contain significantly stronger privacy protections as well as safeguards related to U.S. government access to personal data.

This report provides background on U.S. and EU data protection policies and the Safe Harbor Agreement, discusses the CJEU ruling, and reviews the key elements of the newly-proposed Privacy Shield. It also explores various issues for Congress, including implications for U.S. firms of Safe Harbor's invalidation and the role of the proposed Judicial Redress Act in helping to ameliorate U.S.-EU tensions on data privacy and protection issues.

Introduction

On October 6, 2015, the Court of Justice of the European Union (CJEU) delivered a judgment¹ that invalidated the Safe Harbor Agreement between the United States and the 28-member European Union (EU).² Safe Harbor was a 15-year-old accord, under which personal data could legally be transferred between EU member countries and the United States for commercial purposes. The negotiation of Safe Harbor was largely driven by the EU's 1995 Data Protection Directive (DPD) and European concerns that the U.S. approach to data privacy did not guarantee a sufficient level of protection for European citizens' personal data. The Safe Harbor Agreement applied to a wide range of businesses and organizations that collect and hold personal data. When the parties concluded the Safe Harbor Agreement in 2000, however, the Internet was still in its infancy, and the range of public and private actors engaged in the mass processing of personal data, including across borders, was much more limited than today.

The CJEU's decision gave added impetus to U.S.-EU negotiations underway since late 2013 aimed at "making Safe Harbor safer." These discussions were part of several initiatives seeking to restore transatlantic trust in the security of U.S.-EU data flows following the so-called "Snowden leaks." On February 2, 2016, U.S. and EU officials announced an agreement, "in principle," on a replacement to Safe Harbor—the U.S.-EU Privacy Shield, which if approved by the European Commission, would allow companies to continue to transfer EU citizen's personal data to the United States while complying with the requirements outlined by the CJEU when it declared Safe Harbor invalid in October 2015. The text of the new agreement is being finalized and has not yet been released.

U.S. and EU officials claim that Privacy Shield will contain significantly stronger privacy protections and oversight mechanisms, multiple redress possibilities, and new safeguards related to U.S. government access to personal data. Nevertheless, questions exist about whether Privacy Shield will go far enough in addressing broader EU data privacy and protection concerns, and whether it will be able to stand up to future legal challenges against it that will likely be brought before the CJEU. Many U.S. officials and business leaders hope that the recently concluded (but not yet finalized) U.S.-EU Data Privacy and Protection Agreement (DPPA)—an "umbrella" accord aimed at better protecting personal information exchanged in a law enforcement context—and the proposed U.S. Judicial Redress Act (H.R. 1428 and S. 1600)—which would extend the core of the judicial redress provisions in the U.S. Privacy Act of 1974 to EU citizens—could help ameliorate European concerns about U.S. data protection standards and bolster confidence in the newly proposed Privacy Shield Agreement.

Both the United States and EU assert that they are committed to upholding individual privacy rights and ensuring the protection of personal data, including electronic data. Nevertheless, data privacy and data protection issues have long been sticking points in U.S.-EU economic and security relations, in large part due to fundamental differences between the United States and EU in their approaches to data protection and data privacy laws. For instance, in the United States, what the European Commission (the EU's executive) refers to as the "collecting and processing of personal data" is allowed unless it causes harm or is expressly limited by U.S. law.³ In Europe, by contrast, processing of personal data is prohibited unless there is an explicit legal basis that allows it.⁴

The EU considers the privacy of communications and the protection of personal data to be fundamental human rights, as incorporated into Articles 7 and 8 of the 2000 Charter of Fundamental Rights of the European Union⁵ and made binding on all EU members through the 2007 Treaty of Lisbon (which took effect in 2009).⁶ Europe's past history with fascist and totalitarian regimes clearly informs its views on data protection and contributes to the demands from European politicians and publics for strict data privacy controls.

In October 1995, the EU agreed on a Data Protection Directive (DPD) to harmonize differing national legislation on data privacy protection and establish a comprehensive EU-wide framework.⁷ The DPD sets out common rules for public and private entities in all EU member states that hold or transmit personal data. The DPD governs how information about European citizens may be collected and used across all industries, with each EU member state responsible for implementing the Directive through its own national laws. The EU hoped that the DPD would facilitate information flows within the EU, strengthen the EU's internal market, and foster the development of an information-based economy. EU member states were given three years to implement the DPD.

The DPD provides that the transfer of personal data to a country outside of the EU may occur only if the European Commission determines that the country provides an adequate level of protection of personal data. The adequacy of the level of protection is assessed in the light of all the circumstances surrounding the data transfer; with particular consideration given to the nature of the data, the purpose and duration of the proposed processing operations, the countries of origin, and final destination of the data, and that country's laws, rules, and security measures.⁸

The DPD applies to all organizations, public and private, operating in the EU, including affiliates of U.S. corporations. It covers the processing of all personal data, whether done automatically or manually. There is no exception for public records, such as telephone directory listings. Only information compiled for private, personal household use is excluded. Under the DPD, data may be collected and used only for specified, explicit, and legitimate purposes. Security and accuracy must be guaranteed. Individuals not only have the right to access their personal information and the right to correct errors, but also the right to seek remedial measures and compensation, if necessary. The transfer of data to third parties may occur only under similarly strict requirements. More stringent rules apply to the processing of sensitive data, including data relating to race; ethnic origin; political, religious, or philosophical beliefs; and health status or sex life. The DPD requires the creation of "Data Protection Agencies" (DPAs) in each EU member state, registration of databases with these authorities, and, sometimes, prior DPA approval before organizations or firms may begin data processing.

Although the 1995 Data Protection Directive has since been complemented by other EU legal instruments (such as the 2002 "e-Privacy" Directive for the communications sector), the DPD currently remains the EU's main data protection instrument. In 2012, the European Commission proposed a new legislative package aimed at modernizing the DPD and introducing other data protection reforms in order to take into account the changes in data processing brought about by the widespread use of the Internet. In December 2015, EU member states (acting in the Council of the European Union) and the directly-elected European Parliament (which represents the citizens of the EU) reached political agreement on new data protection rules, which are expected to receive final approval in early 2016.⁹

Many U.S. officials and industry representatives maintain that the U.S. approach to data privacy is more nimble than what they view as the EU's "one-size-fits-all" approach. They also contend that the U.S. approach helps to promote and sustain U.S. technological innovation.¹⁴ Nevertheless, some U.S. privacy advocates argue that there are significant gaps in this "patchwork" approach, especially in terms of data collection online, and have long urged Congress to enact comprehensive data protection legislation.

The transatlantic flow of data is a form of international trade and is of critical importance for the U.S. and European economies. The United States and the EU remain each other's largest trade and investment partners. In 2013, total U.S.-EU trade in goods and services amounted to $1 trillion and U.S. FDI in EU totaled $2.4 trillion (or about 56%) of total U.S. direct investment abroad. Conversely, EU companies accounted for $1.7 trillion (or about 62%) of direct investment in the United States.¹⁵ According to a 2014 study, cross-border data flows between the United States and Europe are the highest in the world—almost double the data flows between the United States and Latin America and 50% higher than data flows between the United States and Asia.¹⁶

Reports indicate that data protection standards are not part of the ongoing negotiations for the Transatlantic Trade and Investment Partnership (T-TIP), because the EU views its data privacy laws and protection standards as fundamental rights that are nonnegotiable. However, both U.S. and European officials recognize that a successful T-TIP agreement requires the ability to transfer data between the United States and EU member countries in a legally sound and cost-effective manner. As noted by U.S. Under Secretary for Economic Growth, Energy, and the Environment Catherine A. Novelli:

The U.S. and the EU are the two largest net exporters of digital goods and services to the rest of the world. In 2012, the United States' $151 billion trade surplus in digital services was surpassed only by the EU's $168 billion surplus.¹⁷

Many observers expect the negotiations to address digital trade issues. U.S. business interests have reportedly been advocating for measures in T-TIP that would prevent restrictions on cross-border data flows, and for new mechanisms that would provide alternative ways for U.S. companies to comply with EU data privacy rules beyond those that already exist.¹⁸ This issue could become even more important in T-TIP negotiations in light of the CJEU's judgment on Safe Harbor.

As discussed above, the European Union and the United States have fundamentally different attitudes towards the protection of personal data. EU and U.S. officials recognized that, following the passage of the DPD in 1995, the substantial differences between the U.S. and EU data protection regimes threatened to disrupt or prevent the transfer of personal data between the EU and the United States. They worried that these differences in approach could negatively affect many businesses and industries on both sides of the Atlantic, and potentially impact the U.S.-EU trade and investment relationship.

Following negotiations between the United States and the EU, the parties agreed on a mechanism that would allow U.S. companies to meet the "adequate level of protection" required by the DPD. In 2000, the U.S. Department of Commerce issued the Safe Harbor Privacy Principles,¹⁹ which were subsequently recognized by the European Commission.²⁰ However, according to the Commission's Decision, the Safe Harbor principles could be limited to the extent necessary for national security, public interest, or law enforcement requirements.

Under Safe Harbor, a U.S. company could self-certify annually to the Department of Commerce that it had complied with the seven basic principles and related requirements that have been deemed to meet the data privacy adequacy standard of the EU. The seven basic principles, in edited and abridged form, were as follows.

The October 6, 2015, decision issued several findings.²² Foremost, perhaps, the CJEU found that the existence of the Commission Decision on the Safe Harbor Agreement does not eliminate or reduce the powers available to the national DPAs. The CJEU found that national DPAs "must be able to examine, with complete independence, any claim concerning the protection of a person's rights and freedoms in regard to the processing of personal data relating to him" and assess their compliance with the DPD and the EU's Charter of Fundamental Rights. Turning to the Safe Harbor Agreement specifically, the CJEU found Safe Harbor to be invalid. The CJEU found that according to Article 25 of the DPD, the European Commission is required to examine the domestic laws or international commitments of a third country prior to making a determination on the adequacy of their data privacy protection. Since the 2000 Commission Decision recognizing the Safe Harbor Agreement did not make any such finding, that Decision is now invalid. Safe Harbor no longer provides a legal basis for U.S.-EU data transfers, although other methods such as Standard Contractual Clauses or Binding Corporate Rules (see below) can be used.

In addition, the CJEU ruling found that U.S. national security, public interest, and law enforcement requirements have "primacy" over the Safe Harbor principles, and that U.S. undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements. Consequently, the CJEU concluded that the Safe Harbor scheme "enables interference" by U.S. authorities "with the fundamental rights of the persons whose personal data is or could be transferred from the European Union to the United States." Furthermore, the CJEU noted that the 2000 Commission's Decision on Safe Harbor does not refer to either the existence of U.S. rules or effective U.S. legal protections intended to limit such interference, such as the possibility of judicial redress.

The Court of Justice of the European Union (CJEU)

The Court of Justice of the European Union (also commonly referred to as the European Court of Justice, or the ECJ) is the highest court in the EU in matters of EU law. Established in 1952 and based in Luxembourg, the CJEU reviews the legality of the acts of the EU institutions, ensures that EU member states comply with their obligations under the EU treaties, and interprets EU law at the request of national courts and tribunals. In doing so, the CJEU seeks to ensure that EU legislation is interpreted and applied uniformly in all EU countries. The CJEU has the power to settle legal disputes between EU national governments and EU institutions. In some instances, the CJEU can also be used by individuals, companies, and organizations to take action against an EU institution if, in their view, their rights have been violated. The CJEU's rulings are binding on the EU's member states and the EU institutions. The CJEU is divided into three bodies:

In an October 6, 2015, press release, Secretary of Commerce Penny Pritzker said the Obama Administration was "deeply disappointed" in the CJEU decision and that it "necessitates release of the updated Safe Harbor Framework as soon as possible."²³ Since late 2013, the European Commission and U.S. officials had been working on revising the Safe Harbor Agreement to take into account European concerns about U.S. data privacy and protection standards, especially in the wake of the so-called "Snowden leaks." Following the CJEU ruling, European Commission officials echoed U.S. calls to conclude a new and improved Safe Harbor Agreement and announced three broad priorities for managing U.S.-EU data flows in the meantime: (1) protecting personal data transferred across the Atlantic; (2) ensuring the continuation of transatlantic data flows (using other mechanisms available under the DPD); and (3) working with the national data protection authorities to deliver a coordinated response on alternative ways to transfer data to the United States (deemed by many as crucial to avoid potentially contradictory decisions by national authorities and provide predictability for citizens and businesses alike).²⁴

Following the CJEU decision, a working party of EU DPAs (the Article 29 Working Party) reaffirmed that data transfers taking place under Safe Harbor were now unlawful and expressed broad concern about the impact of the CJEU's findings on other data-sharing "transfer tools" such as Standard Contractual Clauses or Binding Corporate Rules. The Article 29 Working Party called on the EU to "open discussions with U.S. authorities in order to find political, legal, and technical solutions" to enable data transfers to the United States "that respect fundamental rights," and noted that a re-negotiated and revised Safe Harbor Agreement "could be a part of the solution." According to their press release:

If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.²⁵

Thus, the Article 29 Working Party effectively set a deadline of January 31, 2016 for U.S. and EU negotiators to reach agreement on a revised Safe Harbor Agreement.

U.S.-EU discussions on revising and updating the Safe Harbor Agreement began in late 2013 in response to growing European concerns about the NSA surveillance programs and subsequent allegations of other U.S. intelligence collection operations in Europe. Even preceding the so-called "Snowden leaks," some European privacy advocates had long contended that the Safe Harbor Agreement contained significant data protection loopholes. Those of this view asserted, for example, that some companies did not fully implement the Safe Harbor requirements because annual compliance checks were not mandatory, and that hundreds of companies over the years had made false claims about belonging to the accord. Others characterized U.S. enforcement of Safe Harbor as meager, pointing out that the FTC brought action against only ten companies during the first 13 years of the agreement's existence.²⁶ In addition, critics argued that Safe Harbor, negotiated in the late 1990s when the Internet was in its infancy, was long over-due for re-evaluation.

In light of such existing criticisms and amid allegations that some U.S. companies such as Google and Microsoft (among others that participated in Safe Harbor) may have been involved in U.S. surveillance activities, some European data protection officials and Members of the European Parliament (MEPs) called on the European Commission to suspend Safe Harbor. The European Commission rejected doing so because of concerns that suspending Safe Harbor would adversely affect EU business interests and the transatlantic economy. The European Commission agreed, however, that there were a number of weaknesses in the Safe Harbor scheme. In November 2013, the European Commission issued 13 recommendations to "make Safe Harbor safer," centered on four broad priorities: enhancing transparency; ensuring redress; strengthening enforcement; and limiting the access of U.S. authorities to data transferred under Safe Harbor.²⁷ Throughout the negotiations (both before and after the CJEU judgment), the Safe Harbor Agreement's national security exemptions and EU demands to ensure only limited access to Safe Harbor data for national security purposes were reportedly key sticking points.

On February 2, 2016, two days after the January 31 deadline established by the Article 29 Working Group, U.S. and EU officials announced their agreement, "in principle," on a replacement to Safe Harbor—the EU-U.S. Privacy Shield, which if approved by the European Commission, would allow companies to continue to transfer EU citizen's personal data to the United States while complying with the requirements outlined by the CJEU when it declared Safe Harbor invalid in October 2015.²⁸

The text of the agreement is being finalized and has not yet been released. Like the now-invalidated Safe Harbor Agreement, the Privacy Shield Agreement would, if finalized and approved, take the form of an exchange of letters between U.S. and EU officials. EU officials have stated that they expect that the text of the Privacy Shield will be finalized and released by the end of February.

Following the new agreement, the Article 29 Working Group will issue an opinion, after which the agreement will be considered for formal approval by the European Commission. The Article 29 Working Group has announced that it will assess the new EU-U.S. Privacy Shield data-sharing agreement against four criteria for the processing of data flows for intelligence activities.²⁹ These are:

• 1. Data processing should be based on clear, precise and accessible rules;
• 2. Data protections should be in place to ensure that processing of personal data is necessary and proportionate;
• 3. An independent and impartial oversight mechanism should exist; and
• 4. Effective remedies should be available to any individual.

Although the text of the agreement is not yet available, EU and U.S. press materials state that the Privacy Shield would address the concerns raised by the CJEU through:

• Enhanced commitments and enforcement. U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and European data subject rights are guaranteed. The Department of Commerce will monitor compliance pursuant to FTC enforcement. Stronger sanctions may also be introduced. At the present time, it is uncertain what these "robust obligations" will be, or what precise data subject rights will have to be complied with by U.S. firms.
• Clear safeguards and transparency obligations. The United States has reportedly given written assurances that the access of U.S. authorities to EU personal data will be subject to clear limitations, safeguards and oversight mechanisms. U.S. authorities have also, reportedly, ruled out indiscriminate mass surveillance on the personal data transferred to the United States under the new arrangement. There will be an annual joint review, which will also include the issue of national security access, to regularly monitor the functioning of the arrangement. The European Commission and the Department of Commerce will conduct the review and invite national intelligence experts from the United States and European DPAs to participate.
• Effective protection of EU citizens' rights with several redress possibilities. Any citizen who considers that their data has been compromised under the new arrangement will have multiple redress possibilities, beginning with deadlines for companies to respond to individual complaints. European DPAs will also be able to refer unresolved complaints to the FTC. Furthermore, claimants would be provided with a free alternative dispute resolution mechanism in the event that the FTC does not pursue an individual's case. For complaints on possible access by national intelligence agencies, a new special ombudsman will be created in the U.S. State Department. This office will be independent of the intelligence agencies, but will have clearance to review issues on the referral of EU DPAs.

The Article 29 Working Group has asked the European Commission to present the formal text of the Privacy Shield Agreement by the end of February 2016. After receiving the text, they will need to issue guidance in relation to the Privacy Shield Agreement and the acceptability of other transfer mechanisms, such as model contract clauses or binding corporate rules (discussed below). The Article 29 Working Group has indicated that the model contract clauses and binding corporate rules can still be used for personal data transfers while they are assessing the Privacy Shield Agreement.

European Commission officials must draft an adequacy decision, which would approve the U.S.-EU Privacy Shield as a valid data transfer mechanism under the existing European Data Protection Directive. The adequacy decision will need to be adopted by the full European Commission (the so-called College of Commissioners) following consultations with representatives of the EU member states and with the advice of the Article 29 Working Party.

In the United States, officials are expected to make the necessary arrangements to appoint the new Ombudsman at the State Department and put in place the new framework and monitoring mechanisms. The Privacy Shield Agreement, like the original Safe Harbor Agreement, is not a treaty and thus requires no special congressional consideration. Instead, the agreement would be reached by letters of commitment between U.S. and EU officials.

It is expected that the Privacy Shield would operate in a similar way to the Safe Harbor Agreement, with companies registering their commitment to the agreement with the Department of Commerce.

U.S. and EU officials claim that Privacy Shield will contain significantly stronger privacy protections and oversight mechanisms, multiple redress possibilities, and new safeguards related to U.S. government access to personal data. Secretary of Commerce Pritzker asserted that "this historic agreement is a major achievement for privacy and for businesses...it provides certainty that will help grow the digital economy" and "underscores the strength of the U.S.-EU relationship."³⁰ Business groups, technology firms, and industry leaders on both sides of the Atlantic have welcomed the substantial progress made by the United States and the EU toward finalizing and concluding the Privacy Shield Agreement.³¹

Nevertheless, concerns exist about whether Privacy Shield goes far enough in addressing EU data privacy and protection concerns, and specifically whether it will be able to stand up to future legal challenges that will likely be brought before the CJEU. Following the announcement of Privacy Shield, the Article 29 Working Party asserted that it still has concerns about the current U.S. legal framework on privacy protections and intelligence activities, especially regarding scope and remedies.³² Some critics of the proposed Privacy Shield Agreement claim that the privacy guarantees are largely based on U.S. promises rather than legal enforcement mechanisms; Jan Philipp Albrecht, a leading Member of the European Parliament on data privacy issues, reportedly asserted that "The proposal foresees no legally binding improvements. Instead, it merely relies on a declaration by the U.S. authorities on their interpretation of the legal situation regarding surveillance by U.S. secret services."³³

Many U.S. officials and industry leaders hope that recent Congressional efforts to provide a limited right of judicial redress to EU citizens—undertaken initially to help conclude a separate U.S.-EU umbrella accord for law enforcement, known as the Data Privacy and Protection Agreement (DPPA)³⁴—could help ease at least some European concerns about U.S. data protection standards and the new Privacy Shield agreement as well. In March 2015, Representative Jim Sensenbrenner and Representative John Conyers introduced H.R. 1428, known as the "Judicial Redress Act" in order to help meet EU demands for U.S. judicial redress in the DPPA negotiations. An identical measure, S. 1600 was introduced by Senator Chris Murphy and Senator Orrin Hatch in June 2015.

As introduced, both H.R. 1428 and S. 1600 essentially sought to extend the core of the judicial redress provisions in the U.S. Privacy Act of 1974 to citizens of covered countries or regional organizations (such as the EU) with whom the United States has entered into an agreement "that provides for appropriate privacy protections for information shared for the purpose of preventing, investigating, detecting, or prosecuting criminal offenses" (such as the DPPA). H.R. 1428 passed the House on October 20, 2015, and was approved by the Senate Judiciary Committee on January 28, 2016, with an amendment introduced by Senator John Cornyn. The Cornyn amendment included additional provisions mandating that the Judicial Redress Act would be applicable only to citizens of countries or regional organizations that also permit the transfer of personal data for commercial purposes to the United States and whose data transfer policies "do not materially impede the national security interests of the United States." The amended H.R. 1428 passed the Senate on February 9, 2015, and the House on February 10, 2016.

Many U.S. officials and industry leaders hope that if enacted, the Judicial Redress Act would be a concrete indication of the U.S. commitment to addressing EU data protection concerns, restore trust in U.S.-EU data flows, and as a result, boost confidence in the new Privacy Shield accord. Others note that it remains unclear to what extent the Judicial Redress Act might help the United States meet EU data protection "adequacy" standards more broadly or ease concerns about U.S. government access to personal data in the commercial sector. They point out that the scope of the judicial redress in the proposed U.S. legislation is not exactly equivalent to what U.S. persons and residents enjoy under the Privacy Act, is relatively limited, and relates specifically to information transferred in a law enforcement context. As such, many experts doubt that the Judicial Redress Act will be considered an overall "fix" to the concerns about U.S. data protection standards raised by EU authorities and the CJEU.³⁵

Until the new U.S.-EU Privacy Shield Agreement is formally concluded and implemented, companies engaged in transatlantic data transfers must employ other means to legitimize such transfers. As noted above, Safe Harbor was one of several mechanisms used as a legal basis for U.S.-EU data transfers. Furthermore, Safe Harbor was limited to FTC-regulated sectors. Others, such as financial services, were never covered by Safe Harbor. None of the alternative available mechanisms, however, are viewed as a complete alternative to a comprehensive transatlantic accord like Safe Harbor or the envisioned Privacy Shield.³⁶ For example:

• Model Contract Clauses. The European Commission has decided that certain standard contractual clauses offer sufficient data protection. These require organizations to have a data processing agreement based on the model clauses in place with any entity with which data is exchanged. This can be time consuming and expensive for many companies. While many large corporations such has Salesforce, Microsoft, and Google are employing model contract clauses, they may be challenging for small- and medium-sized enterprises (SMEs), which make up around 60% of Safe Harbor companies.
• Binding Corporate Rules (BCRs). These are a set of rules, based on European data standards, which a company can implement and have approved by national DPAs. A constraint with BCRs is that they only cover intra-company data transfers. Furthermore, implementing BCRs is a complex and time-consuming process that can take up to two years.
• Consent. Explicit consent agreements are another option, which may be useful in some business-to-consumer situations. Under the DPD, for a business to rely on consent as a valid ground for processing personal data, the consent must have been unambiguously given, 'freely' given and not given under compulsion or as a result of an act of deceit, and constitute a 'specific and informed indication' of a person's wishes for data to be processed. This may be a high threshold for many companies to meet for each data transaction, especially human resources-related companies, which comprise 50% of the Safe Harbor companies.³⁷

The CJEU's invalidation of Safe Harbor and the newly proposed EU-U.S. Privacy Shield Agreement raise issues for Members of Congress. These include implications for the following:

• U.S. and EU Economies. As noted earlier, the United States and the EU remain each other's largest trade and investment partners and the transatlantic flow of data is of critical importance for the U.S. and European economies. Members may further explore the economic costs of a prolonged disruption of transatlantic data flows.
• T-TIP Negotiations. Although negotiations on a revised Safe Harbor agreement have been progressing on a track separate from the T-TIP negotiations, the CJEU decision may influence the ongoing T-TIP negotiations. U.S. companies have been advocating for measures in T-TIP that would prevent restrictions on cross-border data flows and for new mechanisms that would provide alternative ways for U.S. companies to comply with EU data privacy rules beyond those that already exist. There may also be resistance in Europe to any T-TIP outcome perceived to adversely affect EU data protection and consumer privacy rules.
• U.S. Judicial Redress Legislation. Members may also wish to explore the European response to the passage of U.S. legislation (H.R. 1428). There remains debate whether the U.S. redress legislation will be sufficient to satisfy European critics. For example, the current legislation does not provide citizens of EU countries with redress that is exactly on par with that which U.S. persons enjoy under the Privacy Act. One area of particular concern is that the legislation currently being discussed does not extend privacy protections to records pertaining to non-U.S. persons collected by all U.S. agencies. Personal information collected by non-law enforcement agencies (such as the Department of Health and Human Services, for example) would not be covered.
• Other U.S.-EU Information-sharing Agreements. Some analysts contend that the sweeping nature of the CJEU's decision could have implications for other U.S.-EU data-sharing arrangements, especially in the law enforcement field. These include the U.S.-EU Passenger Name Record (PNR) agreement on sharing airline data, the U.S.-EU accord on tracking financial data (often referred to as the SWIFT agreement) as part of the U.S. Treasury Department's Terrorist Finance Tracking Program (TFTP), and the proposed "umbrella" Data Privacy and Protection Agreement. Congress has strongly supported the PNR and SWIFT agreements as key U.S. counterterrorism tools. Like Safe Harbor, however, both the PNR and SWIFT agreements have received increased scrutiny in the EU since the "Snowden leaks," and some Members of the European Parliament have raised questions about the security of PNR data and called for the suspension of the SWIFT agreement. Many U.S. officials hope that the intelligence safeguards proposed in the new Privacy Shield Agreement (along with the DPPA and the Judicial Redress Act, if enacted) will help to assuage some of the broader EU concerns about U.S. data protection standards and data sharing for law enforcement purposes.³⁸

Author Contact Information