EU-US Privacy Shield from the European Perspective
The EU/US Privacy Shield, one of the most important instruments for legally compliant data transfer between the EU and the US, is being challenged in the EU. dotmagazine spoke to Oliver Süme, Partner at Fieldfisher and Chair of the eco Association, about the European perspective, the importance of the agreement, and the current challenges to transatlantic data flows.
DOTMAGAZINE: Oliver, how would you define the cultural (business/civil society) understanding of the purpose, value, and pros & cons of data protection and privacy legislation in the EU/USA?
OLIVER SÜME: In contrast to what we mostly see in the US, the data protection regime in the European Union really protects the personal data of individuals, based on a very broad definition. Personal data is not only everything that is directly related to an individual person, but can also be anything relating to an identifiable individual person. That can also be indirect data like – as is expressly mentioned in the EU General Data Protection Regulation (GDPR) – an online identifier, which could even be an IP address.
So, it’s a very broad description, and any kind of potentially individual personal information can fall within its scope. While we acknowledge the protection of personal data as a fundamental right for European citizens, it has more the character of consumer protection in the US.
DOT: What do you see as advantages of a privacy agreement such as the Privacy Shield between the EU and the US?
SÜME: The Privacy Shield is one of the most important legal grounds for the data transfer between the EU and the US under the GDPR. The GDPR states that transferring personal data from the European Union to any other third country (like the US, but this also applies to many other countries) requires compliance with a number of specific, limited conditions and safeguards, which form the legal basis for international data transfers.
One of these safeguards can be what is known as an “adequacy decision” of the European Commission, which would mean the Commission has assessed that a specific country has established a data protection framework with a similar level of protection to that in the European Union.
As the US does not have a similar data protection framework in place, the European Commission negotiated the Privacy Shield with the US administration. The result is a quite comfortable certification process for US businesses, combined with rules for complaint procedures for EU citizens, which provides convenient, safe, and reliable legal grounds for data transfer to the US. Aside from the use of the officially approved EU model clauses, it provides the most important legal basis for the exchange of personal data with the US for thousands of European companies. If either the Privacy Shield or the EU model clauses were to be declared invalid, this would cause serious damage to major sections of the industry on both sides of the Atlantic.
DOT: What do you see as the important differences between the EU and the USA in terms of privacy legislative procedures?
SÜME: With the GDPR now in effect since May 2018, we have one fully harmonized and directly applicable legal framework in place for data protection in the EU. Apart from some exemptions, we have one set of rules for each and every Member State in the European Union.
In the US, regardless of the cultural differences and the general understanding of data protection, we see different privacy laws from state to state. For example, California is on its way to implementing a legal framework that is quite comparable to the GDPR, whereas a lot of other US states do not have any privacy laws at all and have to rely on case law.
DOT: Which authorities are involved in governing the Privacy Shield agreement in the EU?
SÜME: The Privacy Shield agreement is governed by the European Commission as the administrative body that negotiated the agreement with the US administration. However, it is also currently being challenged by the European Parliament, because some Members of Parliament are questioning whether the Privacy Shield provides the required safeguards. They are concerned with regard to US surveillance laws. In particular, the US Cloud Act allows US law enforcement agencies to access data. We also see concerns at the European Data Protection Board with regard to the fact that the US has not appointed a so-called Ombudsperson – as agreed with the EU Commission – more than two years after the agreement was concluded.
DOT: Are your government authorities themselves bound by privacy law?
SÜME: In Europe, they are, of course. The GDPR covers not only private companies, but also administrations and public bodies.
DOT: What structures/positions/processes still need to be established for Privacy Shield to be effective in the long term?
SÜME: The most important discussion we currently see is about the obligation of the US to appoint an Ombudsperson. This would be an officially appointed representative to act as a contact person and complaints office for EU citizens who feel their privacy or data protection rights may have been breached by a company certified under the Privacy Shield. The Ombudsperson would be the official body to address concerns and complaints to, and has indeed a core function in the agreement. This Ombudsperson has so far not been appointed by the US government, which is a major stumbling block in the whole process, and one of the main criticisms raised currently.
DOT: What were the key takeaways from the Transatlantic Dialogues organized by eco and the i2Coalition in February? What can the two associations now do to guide the development of a stable and long-term privacy agreement?
SÜME: I think the first key takeaway was that the exchange between the US and European industry is central to the whole discussion. It’s not only important for the industry on both sides of the Atlantic to better understand the other’s needs, but also for the legislators and political stakeholders that we have involved in this dialogue to see the needs, to see how important safe data transfer is to industries on both sides of the Atlantic, and to consider how important the Privacy Shield is as a legal ground for international business operations. It’s very important to encourage this exchange and also to provide answers directly from the industries to the political stakeholders in Europe and in the US.
The second key takeaway is that we learned a lot about how this political and legal discussion is framed in the US. We learned that the US is well on the way to finally appointing the Ombudsperson and has initiated the required processes in Congress. This was important news for many political stakeholders as well. We were able to provide them with first-hand information on current political and legislative developments in terms of data protection in the US. It was also extremely interesting to learn that the GDPR has already influenced the understanding of data protection in the US. There are a number of bills on the way in the US which are more or less a consequence of the GDPR. The US industry, the US states, and the federal government see that they also need to raise their level of data protection.
DOT: What are your hopes and expectations for the third roundtable in Washington?
SÜME: I hope that we will be able to provide the US legislators taking part in the dialogue with the same important level of information that the i2Coalition was able to provide to the EU members of Parliament, members of the European Data Protection Board, and members of the Commission. As I said before, that was the major value of our roundtables in Berlin and Brussels. Now we have the chance to respond in kind, and to inform not only i2Coalition members, but also and in particular the US legislators and members of the administration, about what’s going on in Europe: How the GDPR has developed in practice, how important the data transfer from Europe to the US is, and what the latest political and legislative approaches are in Europe. I think that will provide important information to US-based companies, to the US administration, and to members of the Congress.
Oliver Süme is a certified IT lawyer and partner at the European law firm Fieldfisher in Hamburg, Germany. He is an IT and technology law specialist with two decades of experience in the field. Oliver advises national and international clients in various sectors on their path to digitalization. Data protection, IT security, and IT contracts are among his key areas, as is the legal impact of new technologies such as blockchain, the Internet of Things, and Industry 4.0. He has a particular focus on advising international life science companies on data protection and GDPR compliance.
Oliver held the presidency of the European ISP association EuroISPA for five years until 2018, and in 2017 took over the role of Chair of the Board at eco – Association of the Internet Industry.