
Demystifying the EU-U.S. Privacy Shield – Safe Harbor, Privacy Shield & Beyond

Mar 31, 2017

EU-U.S. framework for transatlantic exchanges of personal data for commercial purposes

Early in 2016, the EU-U.S. Privacy Shield opened a new chapter in the history of EU-US data exchange. When the Court of Justice of the European Union declared the International Safe Harbor Privacy Principles invalid on October 6th 2015 (Case C-362/14), privacy and data protection suddenly returned to the attention of the press and the wider public. A successor to Safe Harbor was needed quickly.

Graphic 1

What was Safe Harbor and why was it ruled invalid?

EU Data Protection Directive 95/46/EC prohibits the transfer of personal data from EU member states to third countries that do not ensure a level of protection comparable to that required by EU law. This was the case for the United States, which has no general data protection law comparable to the Directive.

To serve global economic purposes and allow transatlantic data transfers nonetheless, the Safe Harbor Privacy Principles had been in place since July 2000 (Decision 2000/520/EC). In that decision the European Commission (EC) determined that the United States “ensure[s] an adequate level of protection by reason of [its] domestic law or of the international commitments it has entered into” (Article 25(6), Directive 95/46/EC).

What happened next was driven by two main characters: Edward Snowden, the American whistleblower, and, perhaps less widely known but certainly the decisive factor, Maximilian Schrems, an Austrian privacy activist who filed a legal complaint against Facebook Ireland. According to the judgment in Case C-362/14, Mr. Schrems contended that the law and practice in force in the United States do “not ensure adequate protection of the personal data held in its territory against the surveillance activities that were engaged in there by […] public authorities”. On these grounds, the Court (Grand Chamber) ruled Decision 2000/520/EC, i.e. the Safe Harbor Decision, invalid on October 6th 2015.

___________________________________________________________________________________________________________________________________________

Side note: Reform of EU Data Protection Directive 95/46/EC

The new EU data protection framework, the General Data Protection Regulation (GDPR), which the European Council, Parliament and Commission discussed and negotiated for roughly four years, was adopted on April 14th 2016. Regulation (EU) 2016/679 applies from May 25th 2018 and repeals Directive 95/46/EC, which had been in place since 1995. Its companion, Directive (EU) 2016/680 for data processing by police and criminal justice authorities, must be transposed into Member States’ national law by May 6th 2018.

___________________________________________________________________________________________________________________________________________

The quintessence of the new EU-U.S. Privacy Shield Framework

After long, intense negotiations, the European Commission and the US Government agreed on a new framework for transatlantic data transfers: the EU-U.S. Privacy Shield. It provides a “mechanism [for companies] to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce”. On July 12th 2016, the EC formally adopted the Privacy Shield Framework (Commission Implementing Decision (EU) 2016/1250), declaring it adequate to enable data transfers under EU law (see the adequacy decision).

The Court of Justice had set out a number of requirements in its judgment of October 6th 2015, which the Privacy Shield is meant to address. These include effective supervision mechanisms with strong oversight, limitations on access to personal data for national security purposes, the handling and resolution of individual complaints, and an annual joint review of the adequacy decision (MEMO/16/2462, EC Fact Sheet, July 12th 2016).

The EU-U.S. Privacy Shield rests on four pillars (see Graphic 2):

Graphic 2

The US Department of Commerce has accepted self-certifications from US companies under the Privacy Shield since August 1st 2016. More than 1,500 organizations (as of January 2017) are listed on the Department of Commerce Privacy Shield List, including familiar names such as Google, Amazon and Twitter. The list is available at https://www.privacyshield.gov/welcome.

Who gets the most out of Privacy Shield?

US and EU companies, as well as public authorities and other entities, all have an interest in continued transatlantic commerce and data exchange. EU citizens may criticize the inadequacy of the agreement and its consequences for data privacy, but they also profit from it whenever they use social media or shop online across borders.
Worth mentioning, however: besides the Privacy Shield, there are alternative mechanisms that permit data transfers from the EU to non-EU countries, e.g. the EU Model Contracts with Standard Contractual Clauses and Binding Corporate Rules.

Will the EU-U.S. Privacy Shield Framework last?

The ongoing discussions and criticism surrounding the EU-U.S. Privacy Shield, e.g. from the Article 29 Working Party and the digital rights organization Digital Rights Ireland (which has brought an action for annulment, Case T-670/16), illustrate that transatlantic data transfer is not yet on a settled legal footing, which leaves us curious as to the outcome.
On the other hand, the Article 31 Committee did not make use of its veto. At the same time, the “America first” agenda of the new US president Donald Trump appears to call into question some essential achievements of transatlantic cooperation, data protection and privacy among them.
Last but not least, a number of changes lie ahead to ensure that the Privacy Shield remains compatible with the GDPR, which applies from May 2018.
Companies are thus well advised to stay up to date with upcoming requirements and deadlines on either side of the Atlantic, and should meanwhile have mechanisms in place to fully secure the data they handle.

Encryption – The key ingredient for businesses and owners of personal data

Let us make a simple and yet well-founded statement: to be on the safe side, EU and US companies alike need to make sure the sensitive or personal data they collect and keep is properly secured. End-to-end encryption, applied as close as possible to the source of the data, is the key. Data encrypted before it is transferred or stored stays protected regardless of transfer routes, storage locations (within EU borders, in the US or elsewhere) and the local laws and regulations that apply there. The caveat a practitioner should keep in mind: this only holds while the keys themselves stay under the data controller's control and are not shipped along with the data.
Hardware Security Modules (HSMs) and hardware encryption without backdoors keep the keys out of reach of anyone who obtains the data, so the data remains unreadable even after a breach, whether initiated by cyber criminals or by a public authority's mass surveillance programme. To learn more about Hardware Security Modules and securely encrypting your data, no matter where it will be stored, please e-mail us at hsm@utimaco.com or call us at +49 (0) 241 1696 200.
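The pattern described above, encrypting each record at the source and keeping only a wrapped copy of its key next to the ciphertext, is envelope encryption. The following Go program is an added example, not code from the original article or from Utimaco's products: the `HSMKey` type stands in for a key-encryption key that a real deployment would generate inside an HSM and never export (here it is plain bytes in memory, which is the example's assumption), and the customer record is a constructed sample, not real personal data. Whoever holds only the envelope (a storage provider outside the EU, a backup copy, a party with a court order against that provider) cannot recover the plaintext without the KEK.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is the only artefact that leaves the controller's boundary or is
// written to storage, wherever that storage happens to be.
type Envelope struct {
	RecordID   string // bound into the GCM tag as associated data
	Nonce      []byte // 12-byte GCM nonce for the record
	Ciphertext []byte // AES-256-GCM ciphertext with appended tag
	WrappedDEK []byte // per-record data key wrapped under the KEK: nonce || ciphertext
}

// HSMKey models a key-encryption key. Assumption of this example: the key is
// held in memory; in production it would live inside an HSM and only Wrap and
// Unwrap would be exposed as HSM operations.
type HSMKey struct{ kek []byte }

func randBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

func NewHSMKey() (*HSMKey, error) {
	k, err := randBytes(32)
	return &HSMKey{kek: k}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts a data key under the KEK; only the holder of the KEK can reverse it.
func (h *HSMKey) Wrap(dek []byte) ([]byte, error) {
	aead, err := newGCM(h.kek)
	if err != nil {
		return nil, err
	}
	nonce, err := randBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, dek, []byte("dek-wrap"))...), nil
}

// Unwrap recovers the data key; a wrong KEK or a tampered blob fails the tag check.
func (h *HSMKey) Unwrap(wrapped []byte) ([]byte, error) {
	aead, err := newGCM(h.kek)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(wrapped) < n {
		return nil, errors.New("wrapped key too short")
	}
	return aead.Open(nil, wrapped[:n], wrapped[n:], []byte("dek-wrap"))
}

// Seal encrypts one record at the source under a fresh data key and wraps that
// key under the KEK. The plaintext data key is never persisted anywhere.
func Seal(h *HSMKey, recordID string, plaintext []byte) (*Envelope, error) {
	dek, err := randBytes(32)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce, err := randBytes(aead.NonceSize())
	if err != nil {
		return nil, err
	}
	wrapped, err := h.Wrap(dek)
	if err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(recordID))
	return &Envelope{RecordID: recordID, Nonce: nonce, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Open succeeds only where the KEK is available and the envelope is intact.
func Open(h *HSMKey, env *Envelope) ([]byte, error) {
	dek, err := h.Unwrap(env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.RecordID))
}

func main() {
	kek, _ := NewHSMKey()
	// Constructed sample record, not real personal data.
	env, _ := Seal(kek, "customer-0042", []byte(`{"name":"Erika Mustermann","email":"erika@example.eu"}`))
	if pt, err := Open(kek, env); err == nil {
		fmt.Println("opened with the controller's KEK:", string(pt))
	}
	other, _ := NewHSMKey()
	_, err := Open(other, env) // a party without the KEK gets only an authentication error
	fmt.Println("opened with a foreign KEK:", err)
}
```

Binding the record identifier into the GCM tag as associated data prevents a stored envelope from being silently re-labelled as a different record; the per-record data key means compromise of one envelope's key exposes one record, and rotating the KEK only requires re-wrapping the small data keys, not re-encrypting the data itself.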

Download the complete White paper here: Utimaco White paper – Privacy Shield Demystified

Sources of information:

* Directive 95/46/EC
* Commission Decision 2000/520/EC
* The Guardian “What is ‘safe harbour’ and why did the EUCJ just declare it invalid?”
* Commission Decisions on the adequacy of the protection of personal data in third countries
* Judgment of the Court (Grand Chamber) of October 6th 2015
* The end of Safe Harbor
* European Commission > Justice > Data Protection
* European Commission > Justice > Data Protection > Factsheet EU-U.S. Privacy Shield
* European Commission > Justice > Data Protection > Guide EU-U.S. Privacy Shield
* US Department of Commerce: EU-U.S. Privacy Shield
* MEMO/16/2462, EC Fact Sheet, July 12th 2016
* Reform of the EU Data Protection Directive (Neuerung der EU-Datenschutzrichtlinie)
* “Datenschutzverhinderungsgesetz” (data protection prevention act), heise.de
* Foley: To join or not to join the Privacy Shield
* European Data Protection Supervisor
* Article 29 Working Party
* Noerr – Action for annulment against the EU-U.S. Privacy Shield and coordinated audit by the German data protection authorities
* CJEU Case T-670/16
* Executive Order: Enhancing Public Safety in the Interior of the United States