privacy shield

The ongoing pandemic has not stopped progress in the world of privacy protection. This month there have been huge developments that may have profound implications for commerce between United States and the European Union (EU).

We have written extensively about the European “General Data Protection Regulation” or the GDPR. This is a set of privacy regulations that govern online activities in the EU. The emphasis of the GDPR is upon personal privacy. In the United States, there are little to no similar privacy protections except in the few states which have enacted their own versions of the GDPR, such as California.  Nevertheless, the lack of effective privacy regulation in the United States has been of great concern to the EU regulators. To assuage them, the Obama administration created the Privacy Shield that enabled firms subject to the US Patriot Act to process EU citizens’ data so that it did not contradict the GDPR.

The Privacy Shield is a self-certifying, voluntary program that requires members to enact specific privacy policies and comply with programs that are consistent with GDPR rules. There are 23 Privacy Shield Principles that address various topics.  Details about these principles can be explored here.

In July 2020, an EU court invalidated the Privacy Shield program because it doesn’t effectively protect EU citizens. The regulators then gave the Trump administration an ultimatum, comply with the GDPR protections or cease doing business in the EU. According to Engadget, the ultimatum may force US companies to set up European data hubs or stop doing business with the EU. Apparently, this does not affect data transfers like email, vacation bookings and news site access.

According to a statement by the US commerce secretary, Wilbur Ross, the US is studying the EU ruling and ignoring it for now:

While the Department of Commerce is deeply disappointed that the court appears to have invalidated the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield, we are still studying the decision to fully understand its practical impacts.

The Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. Today’s decision does not relieve participating organizations of their Privacy Shield obligations.

Max Schrems, an EU lawyer who instigated the EU lawsuit that led to the invalidation of the Privacy Shield, has stated, “it is clear that the US will have to seriously change their surveillance laws, if US companies want to continue to play a major role in the EU market.” He states that the EU will not change fundamental rights to please the United States.

According to Forbes, the 2013 Edward Snowden disclosures about US surveillance practices were a root cause of the many European legal challenges that the US has faced, including lawsuits against Facebook Ireland that led to the invalidation of the Safe Harbor agreement of 2015, which was the predecessor to the Privacy Shield.

The situation undoubtedly creates considerable uncertainty for more than 5,300 companies who participate in the Privacy Shield program, including Facebook, Twitter, Google and Amazon.

 We will continue to follow these developments.

— Adam G. Garson, Esq.