EC Makes Unilateral Decision on Adequacy of Trans-Atlantic Data Transfers, Experts Say
The night before the new EU-U.S. Privacy Shield was announced, European Justice Commissioner Vĕra Jourová told members of a European Parliament committee that any updated, agreed-to safe harbor framework would "not be an international agreement but an exchange of letters." Several members took issue with that description, expressing doubt whether an exchange of letters could be binding and create trust with the U.S. (see 1602010051).
Several legal experts over the past couple of days said there's no actual agreement right now and details won't emerge until at least the end of February (see 1602080008). They also said the European Commission is making the sole decision on whether the U.S. is providing adequate assurances that European citizens' data would be protected when transferred across the Atlantic, and the EC would have the ability to review the arrangement annually and scuttle it if unworkable.
"In other words it is a unilateral decision by the EC," Bruce Heiman, a lead partner in K&L Gates' policy and regulatory practice, wrote in an email. "The question then is whether the commitments made by the US, including those in letters to the EU from the US, persuade the EC that an adequate level of protection will be provided. So in making its decision, the EC may well say yes provided that the US complies with certain conditions and/or meets certain conditions."
If the U.S. doesn't provide that adequate level of protection, the EC can change that determination, Heiman added. But even if the EC does decide that Privacy Shield provides adequate protections, he said Max Schrems, the Austrian citizen who successfully challenged the original safe harbor framework that resulted in the European Court of Justice's nullifying it in October, and other EU citizens likely will challenge Privacy Shield in court, possibly before the national data protection authorities (DPAs) and ECJ have a chance to evaluate it. "This is perhaps the most significant part of the previous ECJ decision -- it is the Court that ultimately gets to decide," Heiman wrote.
The ability of the Europeans to review and suspend the arrangement amounts to a "strong process and device to ensure commitments are kept. This is very important," said Akin Gump's David Turetsky, who co-leads the firm's cybersecurity, privacy and data protection practice, in an email. He also said there are provisions in the proposed ombudsman post in the State Department that would look into concerns from European citizens about their personal data used by the intelligence community (see 1602020040). "And there are different laws in the US relating to intelligence now than at the time of the [NSA document leaker Edward] Snowden revelations, which are part of what contributed to the invalidation of safe harbor," he wrote.
"The binding nature of exchanges of letters is established as a custom in general international law," Ronan Tigner, a Brussels-based privacy and data security lawyer with Morrison & Foerster, emailed us. "Of course, this can't trump requirements to make the commitments in the letters binding internally, within each part[y]'[s] own legal system." But he said the actual content of the Privacy Shield documents needs to be examined "to assess the extent of such binding nature. It could contain all sorts of caveats or carve outs," which is what the Article 29 Working Party, the group comprising the DPAs, wants to see. The group has said it would hold off enforcing any data transfers until it sees the text of the new arrangement.
Jonathan Armstrong, an attorney with London-based Cordery, said the exchange of letters could be "problematical" for both sides. He said it's unlikely the next executive branch would feel bound by such an exchange of letters from the Obama administration. He also said the original criticism from the Schrems case was that the EC "was doing stuff unilaterally and I don't really see how you cure that by doing something else unilaterally ... repeating the same problem doesn't seem to be a great idea." He said the only "court proof" deal would be to pass legislation in the U.S. and the EU. "Anything else is going to be risky," he said, but expressed doubt that would happen any time soon.
"I suppose there's a parallel to other types of ... bilateral arrangements that the incoming administration can change policy and say we are no longer going to stick by these commitments and we're going to make changes," Jens-Henrik Jeppesen, Center for Democracy & Technology European affairs director, told us during the group's press briefing Tuesday. In that case, the EC has said it could revoke the adequacy decision during its annual review process, he said. The old safe harbor arrangement was an EC decision in its legal form that lasted for 15 years through various administrations "even though many had criticized the way it was set up and the way that it was enforced," he added. "So it's hard to say how [the Privacy Shield] is going to pan out and how solid the new system would be."
"It is way too early to pop the champagne cork and to toast each other's health," said privacy consultant Tim Sparapani, who was Facebook's first public policy director, in an interview. The Privacy Shield must go through the European process for ratification and will probably be modified by "political forces, particularly in Europe," he said. Plus, he said DPAs have become more emboldened to perhaps start enforcing practices that they feel are out of bounds and possibly go after other data-transfer mechanisms such as binding corporate rules and standard contractual clauses.
In the meantime, companies face uncertainty, Sparapani said. "There will be a protracted period of limbo in which even if the companies believe that they have an agreement that they can start to architect their systems around -- from the business side, from the engineering side, from the legal side -- they will probably be reticent to invest fully in doing so unless and until this thing holds up to legal scrutiny," he said. "Because the cost of making and unmaking data systems, turning them on and off, is far more difficult than we would normally believe."