A snapshot of the current situation and what is to come (GDPR, Snowden revelations, Umbrella Agreement, Judicial Redress Act, Safe Harbor invalidation, Privacy Shield)
It will have escaped no one that the landscape of privacy has been overwhelmed by the potential possibilities created by the Internet and new technologies. Legislators and politicians have gradually embraced the topic, even if the vast majority of companies have as of yet not fully integrated the measures into their compliance systems, nor in their risks management procedures. All of a sudden, matters accelerated, becoming problematic to follow the many twists and turns. Given what is at stake, it is nevertheless important not to lose focus.
A European reform
European institutions, conscious of the need to adapt regulation dating back over 20 years to technological developments and new business practices, launched the broad, ambitious and substantive reform of the European Directive 95/46 on the protection of personal data.
One of the challenges is to fight against dehumanization. It is generally agreed that companies should be able to develop innovations that meet the needs and desires of individuals, whilst being allowed to pursue viable business models. The individual, in turn, should be able to benefit from innovations without; disclosing their body and soul, becoming one of a million cogs in the « big data », becoming lost in an opaque « cloud », or finding themselves permanently connected to the « matrix » and without its behavior being systematically predicted or influenced.
In addition to extensive harmonization, as well as a system of cooperation and a one stop shop solution at European level, the aim of this reform is to ensure that this regulation is effectively complied with. This should be achieved as a result of the phenomenal level of sanctioning, i.e. up 20 million and 4% of worldwide turnover, that may be imposed by Data Protection Authorities in the EU (in addition to the criminal penalties that may be ordered by the courts).
The launch of draft European Directive (for the exchange of data on criminal offences between States) and General Data Protection Regulation (“GDPR”) in 2012 set in motion a cumbersome and slow process of negotiation, lobbying and “trialogue”, the outcome of which was uncertain, when, suddenly, news hit that changed the situation.
Without having the ability to wait for the outcome of the comprehensive reform of European law, the issue of the flow of data to destinations that did not offer the same level of protection was raised in the most acute and urgent way.
Crisis between the US and the EU on data exchange in « police » matter
After the first scandal in 2006 relating to access by US intelligence to SWIFT’s transfer of monetary data, Edward Snowden’s revelations, from 2013 onwards, on the massive scale of the information collated by the US intelligence from internet companies through the PRISM program, triggered a chain reaction. We remain today in the eye of the storm.
We are faced with the need to find a balance between the fight against terrorism (which, in its new form of multiple divided factions, uses, with great efficiency, various communication tools) and, the protection of citizens’ privacy, without also dismissing the protection of corporate or even State secrets (seeing as the intelligence services do not hesitate in listening to the conversations of the political leaders of other countries).
A way out
To enable the data exchange between the two continents, in the context of cooperation in policing and criminal matters, the European and American institutions have negotiated a framework agreement called « Umbrella Agreement ».
The framework agreement will be officially signed after the change in US law, i.e. the Judicial Redress Act, to align the recourse rights of European Union citizens before the US courts with those of US citizens. Today, the Judicial Redress Act is in practice finalized, even if it is much more restrictive than initially expected. Indeed, this act does not only restrict the benefit of redress to citizens of « covered countries, » but it has also added a qualifying standard for « covered countries », which are only those European countries that “permit the transfer of personal data for commercial purposes” to the USA. This addition was made following the great shock in the last quarter of 2015 relating to, namely, the invalidation of the Safe Harbor program.
A second crisis for the US and the EU on the exchange of information for « commercial » purposes
The Safe Harbor program is a set of principles to which more than 4,000 US companies have adhered to by way of self-certification. This has enabled those US companies to receive and collect personal data from the EU and Switzerland, without having to enter into the standard model transfer clauses that were published by the European Commission or implement the full European compliance program for international data transfers called Binding Corporate Rules (“BCR”). This relatively flexible Safe Harbor program has been the subject of severe criticism since 2013 (that has been summarized in 13 points by European Commission).
Despite these criticisms, the European Court of Justice (“ECJ”)’s decision in October 2015 invalidating this program was dropped like a bombshell. This decision, decided in a case between a law student (Max Schrem) and Facebook, was particularly motivated by the revelations regarding the conduct of US intelligence. The immediate consequence of the ECJ’s decision is that many companies had, and still have to, urgently, establish alternative means of protection for the internal flow of data and, in countries such as France, carry out additional formalities before the local Data Protection Authority.
In the longer term, the question remains as to what are the tools which would allow the effectively protection of personal information against extreme actions. A solution which consists of; sharing less information, restricting the flow and storing data only in Europe (as has already been suggested in relation to “cloud”), seems unrealistic. The thought is evidently not confined to flow of data with the United States.
A possible outcome
The US Federal Trade Commission and the European Commission have just published, in extremis, on 29 February 2016, the EU-US Privacy Shield package, which is in fact a Safe Harbor V 2, on which the two Commissions have been working for 2 years.
All the stakeholders will review these documents carefully, and some predict that it will have to undergo a more than thorough validation process, as it can only be expected that, as soon as the procedures allow, it will be presented before the ECJ. Assuming that this package provides adequate protection, review of the other transfer protection tools nevertheless continues and the stakeholders are fearful of the consequences that might ensue.
However, an overly strict approach in this field could prove to be counterproductive or ineffective. It is very unlikely indeed, that the flow of data with the United States will stop or decrease significantly.
Finalization of the reform
It is in this context that European reform of data protection has suddenly become a necessity. Businesses will have to comply with the rules set by the new General Data Protection Regulation (GDPR) which requires them to implement more stringent protective measures and increase stakeholders’ accountability.
The GDPR and the Directive have been approved and are (almost) final (subject to proofreading and translation).
The GDPR will be directly applicable to all EU countries by the beginning of the second half of 2018.
This leaves relatively little time for companies to prepare. Especially as, in parallel, the reassessment on the international flow of data will continue. Given the stakes, this is a subject that would be unwise to ignore.
Should you need any assistance please do not hesitate to contact the members of the Squire Patton Boggs’s global Data Privacy & Cybersecurity
Contact : stephanie. firstname.lastname@example.org
Squire Patton Boggs, Paris