July 25 marks the end of the second month since the General Data Protection Regulation (GDPR) went into effect. Following recent revelations regarding certain data practices, and as data privacy and protection issues become mainstream concerns, legislators and regulators are increasingly keen to demonstrate their data protection credentials. This month the European Parliament turned its attention to international data transfers, passing a non-binding resolution that Privacy Shield should be suspended unless the U.S. is fully compliant with EU data protection laws by September 1, 2018.
International Data Transfers
International data transfers have been (and in many cases remain) close to the top of the list of priorities for many organizations in their GDPR compliance programs. This is one of the areas where the GDPR made relatively few substantive changes to the previous 1995 Data Protection Directive. However, the potential for much higher penalties for (among other things) non-compliant transfers under the GDPR has made data transfer compliance a top priority. The basic principle on international transfers is easy to state but difficult to apply in practice. Simply put, personal data must not be transferred out of the European Economic Area (EEA) — the EU member states, plus Iceland, Norway and Liechtenstein — to a third country without adequate safeguards being implemented. In essence, this requires importing organizations to apply EU levels of protection to personal data they receive from the EEA.
The GDPR permits transfers of personal data out of the EEA to a third country where the European Commission has decided that the country (or a particular framework within it) ensures an adequate level of protection (Article 45), or where the exporter puts in place appropriate safeguards such as Standard Contractual Clauses, Binding Corporate Rules or an approved certification mechanism (Article 46). The EU-U.S. Privacy Shield Framework falls into the first category: it rests on a Commission adequacy decision covering U.S. organizations that self-certify to the framework. The Privacy Shield is a data-sharing arrangement between the U.S. Department of Commerce (DoC) and the European Commission. It aims to give companies on both sides of the Atlantic a mechanism to comply with data protection requirements when transferring personal data from the EU to the U.S., so as to support transatlantic commerce. The Privacy Shield was set up as a replacement for the Safe Harbor scheme, which was invalidated by a decision of the Court of Justice of the European Union in October 2015.
The European Parliament (which is made up of directly elected representatives) has taken the view that the current Privacy Shield does not provide the “adequate” level of protection required by data protection law within the EU. It therefore passed a resolution on June 26, 2018, stating that the Privacy Shield should be suspended unless the U.S. is fully compliant with EU data protection laws by September 1, 2018. The Resolution provides a useful summary of the troubled path towards a framework for EU-U.S. data transfers since the Safe Harbor Scheme was invalidated.
Responsibility for the Privacy Shield lies with the European Commission (the EU’s executive arm), not with the European Parliament. The Parliament’s Resolution is therefore purely advisory and symbolic, and the Commission has not indicated that it will act on it. However, the Resolution usefully catalogues the commercial and national security issues that have surfaced during the operation of the Privacy Shield.
Questions About DoC’s Ability to Ensure Compliance
The Resolution noted that the DoC should take a stronger hand in monitoring how companies represent their Privacy Shield certification. In particular, in order to ensure transparency, the DoC should not permit U.S. companies wishing to operate under the Privacy Shield to make public representations about their certification until that certification has officially been finalized.
There has been concern that the DoC has not been using its powers to request copies of contractual terms used by certified companies in their contracts with third parties, resulting in a lack of effective control. There have also been calls on the DoC to proactively, and frequently, undertake compliance reviews, so as to monitor the compliance of certified companies with the rules and regulations of the Privacy Shield.
Recourse for EU Citizens
The Resolution raised concerns that the various recourse procedures available to EU citizens for breaches of the Privacy Shield may be too complex and difficult to navigate, thus undermining their effectiveness. The Resolution also suggested that the U.S. authorities should offer more concrete and accessible information on individuals’ rights and remedies.
Reaction to Companies in Breach of the Privacy Shield’s Requirements
The Resolution noted that the U.S. Federal Trade Commission (FTC), which enforces the Privacy Shield against certified companies, should act more quickly on incidents of data misuse by those companies. The European Parliament points in particular to the recent revelations regarding the data practices of Facebook, a certified company, and Cambridge Analytica.
National Security Issues
The balance between privacy rights and government access to data on national security grounds has always been difficult. The European Parliament notes that the term “national security” is not sufficiently defined, which makes it difficult to review effectively what is necessary and proportionate in the interest of national security. The Resolution also cites, as a further source of concern, the United States’ wide use of Executive Orders permitting the National Security Agency to share private data with other agencies without warrants, court orders or congressional authorization.
Practical Steps for Businesses
These issues are largely out of the control of commercial businesses and are a matter for inter-governmental agreement. Most businesses rely on the Privacy Shield or Standard Contractual Clauses to satisfy the transfer requirements of the GDPR (as was the case with the substantially similar requirements under the previous Data Protection Directive). Many businesses have re-negotiated their data transfer agreements so that, where appropriate, they require adherence to both mechanisms, together with safety-net provisions requiring alternative arrangements to be put in place if either (or both) of those mechanisms is invalidated.
The second annual review of the Privacy Shield is due in September. While political and economic realities mean that the scheme is likely to survive, businesses are likely to face increased scrutiny of their data handling practices.
Increased Regulatory Oversight
Recent revelations relating to data sharing by social media sites featured prominently in the Resolution. According to the European Parliament, incidents like those involving Facebook and Cambridge Analytica highlighted the need for proactive oversight and enforcement action, based on systematic checks, to monitor the compliance of certified companies’ privacy policies with the Privacy Shield principles.
Earlier this month, the U.K. Information Commissioner’s Office (ICO) published the results of its initial investigations into the use of data analytics in political campaigns. It published a Notice of Intent (on the basis of an overriding public interest) to issue a monetary penalty of £500,000 against Facebook. This is the maximum amount that was permitted under the previous U.K. Data Protection Act 1998. The penalty related to unfair processing of personal data in breach of the first data protection principle (fair and lawful processing) and the seventh principle (appropriate technical and organizational measures against unlawful processing). Other companies have been served with enforcement notices requiring them to stop processing data relating to U.K. citizens. A criminal prosecution is also being brought against one company for failing to comply properly with a previous enforcement notice. Further organizations are being subjected to ongoing audits by the ICO.
Because the incidents under investigation pre-dated the GDPR, they were not subject to the GDPR’s administrative fines of up to €20,000,000 or 4 percent of annual global turnover, whichever is higher. It does not necessarily follow that the ICO would apply the maximum penalty under the GDPR. However, the investigation demonstrates that regulators will look to issue meaningful fines for serious breaches. It also demonstrates that a wide range of remedies, in addition to the headline fines, will potentially apply, and that enforcement notices, prosecutions and audits can be significant impediments to businesses operating internationally.
Applying Familiar Principles in a New Regulatory Environment
As noted in our previous post, while some rights, obligations and processes under the GDPR are new and have attracted much attention, the basic principles remain the same as under previous legislation. However, businesses will need to re-examine how they comply with those key principles in the new regulatory environment. This is particularly important at a time when regulatory scrutiny and customer concern over data privacy issues are heightened. Businesses should be sensitive to, and seek the necessary advice on, new regulatory guidance and shifts in regulatory approach.