The Digital Post speaks with FTC Commissioner Julie Brill about the new ‘Safe Harbour’, the implications of the EU privacy reform, and privacy issues arising from the boom of the Internet of Things.
The Digital Post: The European Union and the United States of America have reached an agreement on a new Safe Harbour data treaty. What are, in your view, the main achievements of the deal? What would have been the concrete risks if an agreement had not been signed?
Julie Brill: The main achievement of Privacy Shield is that it provides strong privacy protections for European consumers and creates a framework for more parties to engage in active supervision and stronger enforcement cooperation. With respect to commercial data practices, Privacy Shield will provide stronger privacy protections than Safe Harbor did – through beefed up onward transfer requirements, and in other ways.
Privacy Shield will also establish more active supervision of the program in practice, so that the Department of Commerce, the European Commission, European data protection authorities (DPAs), and the FTC can detect and address any issues that come up. Privacy Shield will also provide a well-defined process for consumers to complain about the data practices of Privacy Shield companies.
The FTC will remain committed to giving priority to complaint referrals from DPAs, and there will be a better process in place for following up on these complaints. And even in the absence of referrals from DPAs, the FTC will continue to aggressively look for violations of the Privacy Shield principles.
Finally, in the area of national security, the United States agreed to take the unprecedented step of designating an ombudsperson to take complaints about surveillance activities that relate to Privacy Shield. This is in addition to the significant reforms that Congress and President Obama have made to surveillance practices in the past few years.
The risks if Privacy Shield hadn’t been agreed upon would have been that consumers and businesses would have continued in the limbo in which we currently exist, where some mechanisms to transfer personal data from the EU to the U.S. are still allowed, but they are expensive, opaque, and much more difficult for the FTC to enforce.
Of course, Privacy Shield still has many steps to take before it receives approval. If it were not approved, then companies – particularly small and medium enterprises – would lose out because of the time and resources that they have to put into alternative arrangements for data transfers.
But consumers also would lose out because they would have far less transparency into which companies are handling their data, the rules governing data transfers, and where to go to complain if they believe their rights are not being respected.
TDP: According to some observers, the new agreement won’t be sufficient to meet the concerns of the European Court of Justice. What is your opinion?
JB: It’s important to remember that the CJEU’s Schrems decision did not address national security surveillance practices in the United States. Rather, the case was based on the court’s concern that the European Commission’s adequacy decision in the year 2000 did not address U.S. privacy protections relating to national security surveillance.
It is hard to say how the CJEU would have assessed a full, accurate record concerning surveillance practices and privacy protections in the United States, had those facts been before the court. In any event, the U.S. has enacted significant reforms since the Schrems case was referred to the CJEU, and the U.S. is making further commitments through Privacy Shield.
On the whole, I believe these protections meet the CJEU’s standard of “essential equivalence to the EU legal order”, but we will have to wait to see if Privacy Shield is challenged to know whether the CJEU agrees.
TDP: Is the GDPR going to widen the chasm between EU and US regulatory approaches to data protection? How is the FTC working on this issue?
JB: The GDPR incorporates several provisions that either appeared first in the United States or are by now very familiar to companies and enforcers in the U.S. Examples include a focus on reasonable data security through a continuing process of risk assessment and mitigation, a general security breach notification requirement, heightened protections for children, privacy by design, and a recognition that deidentification can reduce privacy and security risks.
There are some differences between the European and U.S. versions of these provisions, but overall they show how developments in the U.S. can influence the direction that Europe takes.
On the other hand, some provisions of the GDPR move further away from the U.S. approach. A prime example is the GDPR’s right to be forgotten article, which extends to all data controllers. This expansion is a sharp contrast to the very targeted and specific provisions of U.S. law that help individuals keep some information about themselves obscure.
Companies and regulators on both sides of the Atlantic need to start working out answers to the many questions that the GDPR raises. That’s one reason that I think it’s so important for us to move beyond the issues surrounding mechanisms for data transfers that have dominated the discussion for the past several months.
With the announcement of an agreement on Privacy Shield in the past several weeks, I hope we now can begin to discuss the GDPR and issues like big data and the Internet of Things in a more sustained and meaningful way.
TDP: The FTC has been focusing on privacy issues related to the booming sectors of the Internet of Things and Big Data. What are the risks? How should regulators deal with this very sensitive issue?
JB: There are important roles for enforcement, policy development, and business and consumer guidance in the Internet of Things and Big Data ecosystems. On the policy and guidance front, the FTC has been taking a close look at the potential benefits and risks of the Internet of Things and big data.
We have hosted public workshops, taken public comments, and written key reports on the broad range of technical and economic concerns that arise from having many more connected devices, huge volumes of personal data, and rapidly improving analytics.
We heard a lot about the exciting possibilities to solve problems in health care, transportation, the environment, education, and other areas; but we also learned about significant risks. Security is a huge challenge with the Internet of Things.
Not only are many devices being offered by companies that do not have long track records with data security, but these devices are also being used in ways that collect highly sensitive information and create physical risks to consumers.
With respect to big data, we found that there is a potential for unfairness or discrimination to enter through biases in data collection and analysis. Some of these issues could get companies into trouble under fair lending, credit reporting, or other laws. Other issues arise in settings that these laws do not cover, but companies still need to be aware of them because they may be deceptive or unfair.
Enforcement also plays an important role in the FTC’s approach. We have already brought enforcement actions relating to privacy and security violations with IoT devices. We have the authority to stop unfair or deceptive practices – whether or not they involve new technologies and business practices – and we will use it in appropriate cases.
An in-depth look at the legal scenarios arising from the EU landmark ruling that declared invalid the EU-US Safe Harbor agreement on the transfer of personal data.
On October 6, 2015, the European Court of Justice (“ECJ”) ruled in the “Schrems” case that the U.S.-EU Safe Harbor framework on the transfer of personal data from Europe to the United States was invalid.
For the past 15 years, the Safe Harbor framework gave privileged status to U.S. companies, allowing them to “self-certify” that they complied with privacy principles negotiated between the European Commission and the United States Department of Commerce under the Clinton Administration in 1999, and which the EU viewed as “adequate”.
The ruling takes effect immediately and may force all of the 4,400 U.S. entities that currently rely on the Safe Harbor to access the data of their EU partners and subsidiaries to seek alternate modes of data transfer or risk non-compliance with EU data protection requirements.
Austrian privacy campaigner Maximilian Schrems originally filed his complaint before the Irish Data Protection Authority (“DPA”) against Facebook’s use of his data, and the transfer of data occurring between Facebook’s Ireland entity and its U.S. parent company.
According to the complainant, and based on Edward Snowden’s revelations on mass surveillance, Facebook and other U.S. multinationals were, directly or indirectly, allowing U.S. national security agencies unrestricted access to EU citizens’ data.
Such unrestricted access could be construed as being in violation of the fundamental rights granted under the EU Data Protection Directive 95/46 (the “Data Directive”), currently under revision in the EU.
After the Irish DPA declined to investigate such concerns on the basis that the Safe Harbor implemented between the U.S. and Irish entities was exclusively overseen by the European Commission, Schrems challenged that refusal before the Irish High Court, which referred the question to Europe’s highest court.
The ECJ disagreed with the Irish DPA’s interpretation, by stating that the existing provision “does not prevent a supervisory authority of a Member State … from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection”.
In essence, this means that each EU member state DPA has the authority to hear complaints about the level of protection for personal data that other countries offer, and potentially to second guess any determinations that the European Commission has made that those countries offer adequate protection.
In addition, the Court noted that “legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, compromises the essence of the fundamental right to effective judicial protection, the existence of such a possibility being inherent in the existence of the rule of law”.
Following the September 23 opinion of Yves Bot, the ECJ’s Advocate General for the case, which notably stated that “once personal data is transferred to the United States, the National Security Agency and other United States security agencies such as the Federal Bureau of Investigation are able to access it in the course of a mass and indiscriminate surveillance and interception of such data”, the Court invalidated Commission Decision 2000/520/EC of 26 July 2000, which had found the Safe Harbor framework adequate under EU privacy standards.
THE REACTIONS OF THE EU INSTITUTIONS
The EC promptly reacted to the decision of the ECJ. In a press conference on the day of the ruling, the First Vice-President of the EC, Frans Timmermans, and the Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, explained how the EC is planning to tackle the issues raised by the Court.
In particular, they clarified that the Commission now has three priorities in light of the ECJ’s ruling: (i) guaranteeing that the data of EU citizens are protected when transferred across the Atlantic, (ii) ensuring that data flows continue, and (iii) ensuring a uniform response across the EU on alternative ways to transfer data.
According to Commissioner Jourová, data flows can continue under EU data protection rules, which provide for other safeguard mechanisms for international transfers of personal data (e.g. standard data protection clauses in contracts between companies exchanging data across the Atlantic, or binding corporate rules for transfers within a corporate group) and for derogations under which data can be transferred (i.e. performance of a contract, important public interest grounds, vital interests of the data subject, or consent of the individual).
The EC is planning to provide clear guidance to national data protection authorities on how to deal with data transfer requests to the US, in light of the ruling, and will put relevant information and contact points on its website.
The guidance should guarantee a uniform enforcement of the ruling and more legal certainty for citizens and businesses.
The Chair of the European Parliament Civil Liberties Committee, Claude Moraes, has called for the immediate suspension of the Safe Harbor agreement, following the decision of the ECJ, and for its replacement by the Commission with a new framework for transfers of personal data to the US in compliance with EU law. The European Parliament had already advanced those requests more than once in the past.
THE REACTION OF THE UNITED STATES DEPARTMENT OF COMMERCE
The Secretary of the U.S. Department of Commerce, Penny Pritzker, promptly issued a press release expressing deep disappointment with the decision. The statement indicates that the decision “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.” It further calls for the release of an updated Safe Harbor Framework “as soon as possible.”
Secretary Pritzker’s statement also indicates that the U.S. is prepared to work with the European Commission to address the uncertainty that this decision causes for U.S. and EU businesses so that businesses that “have complied in good faith with the Safe Harbor and provided robust protection of EU citizens’ privacy in accordance with the Framework’s principles can continue to grow the world’s digital economy.”
IMMEDIATE IMPACTS AND LONG-TERM CONSEQUENCES
The ECJ decision will now be sent back to the High Court in Dublin, so that the national judge can use this new interpretative framework as a basis for deciding Schrems’ challenge seeking an investigation of Facebook’s data transfers.
While the ECJ decision is of immediate application, the practical effect in a B2C setting will actually depend on the actions of the DPA in each European Union member state and of other national authorities.
Meanwhile, public outrage may lead to a wave of complaints and possible requests for interim action, such as injunctions before national courts. Such initiatives may notably be undertaken by the likes of complainant and privacy activist Mr. Schrems, and others who follow his lead.
Strictly speaking, only a decision of the European Commission has been invalidated: the Safe Harbor remains a voluntary mechanism adopted by the United States under the supervision of the U.S. Federal Trade Commission (“FTC”) or the Department of Transportation (“DoT”).
Accordingly, companies that have certified as compliant with the Safe Harbor are still subject to FTC or DoT jurisdiction, but compliance with the Safe Harbor Framework will no longer be assumed by European authorities to offer an adequate level of protection.
The consequence of this ECJ decision is that each national DPA now has the power to review whether a data transfer conforms not only to the Data Directive, but also to the Safe Harbor framework.
Therefore, the compliance of the U.S. data importer with the Safe Harbor Framework may now be scrutinized by both the FTC and DoT (as before), and each local DPA.
From a B2B point of view, this decision will, without doubt, disrupt the ongoing negotiations with European business customers, who might threaten to interrupt the delivery of goods or services and seek redress for noncompliance until their providers establish alternative grounds to transfer data to the United States in accordance with the requirements of the Data Directive.
While the Safe Harbor certification of each U.S. entity may now be scrutinized by each local EU DPA, from an EU law perspective alternate modes of data transfer may still be relied upon. These include Data Transfer Agreements based on the EU Commission Model Clauses (a fixed contractual template regulating the transfer of data from one or more EU data exporters to one or more non-EU data importers) and Binding Corporate Rules (“BCR”, an ad-hoc set of rules governing the processing of personal data within the various entities of a given group of companies).
Each of these approaches involves potential risks to both U.S. companies and their European corporate affiliates, including the following:
– If the Safe Harbor certification of a U.S. company is deemed invalid by a DPA, that DPA may initiate sanctions against any EU exporter making data available to the U.S. data importer. If the U.S. data importer has no physical or commercial presence in EU territory, no sanction can be enforced against it by an EU DPA.
– If, to secure their data transfers from Europe, U.S. importers execute Data Transfer Agreements with their EU counterparts, the joint-liability regime of the European Model Clauses will, in practice, leave the EU data exporter bearing the whole of the actual liability.
On the one hand, Model Clauses are easy to execute, but do not provide much flexibility. In addition, their adoption involves legal risk due to their pass-through liability and audit requirements, and is not always feasible because the clauses must also be executed with any sub-processors that will have access to the personal data transferred.
On the other hand, BCR are time consuming and potentially expensive to implement, but may offer a tailor-made solution for a given group of entities.
U.S. companies should carefully explore the risks and benefits that data transfers under the Model Clause and BCR approaches offer, and may also wish to re-examine their business practices to avoid exposure to the legal risks that transfers of personal data outside of the EU involve.
A re-examination and change in data transfer practices could help mitigate the risks that the Model Clause and BCR approaches have under EU law, as well as potential risks that agreeing to European-style data protection expectations might have if tested in litigation in U.S. courts.
The draft Data Protection Regulation currently being discussed in the EU appears to maintain both the Model Clause and BCR mechanisms, which also offer the advantage of covering data transfers to any third country, not solely to the United States.
We may reasonably doubt that the ECJ’s intention was to sanction EU companies that transfer data outside of the EU under the Safe Harbor framework. Notwithstanding, this may be the final outcome of its decision.
There is little doubt that this decision will have a political impact, particularly if the Obama administration elects to carry the issue into the transatlantic talks surrounding the adoption of the TTIP, and once the draft Data Protection Regulation is adopted in the EU, which is expected before the end of 2015.