Get Privacy Shield wrong and it will have to be renegotiated in 2018, warns data protection lawyer

Key points

"Privacy Shield may have to be renegotiated in 2018 because the GDPR obviously puts many more obligations, responsibilities and accountabilities onto firms," says NetApp's Sheila Fitzpatrick

Privacy Shield, the EU-US data transfer agreement intended to replace Safe Harbour, contains only "cosmetic" changes, and much work remains if it is not to be renegotiated within two years.

That's according to Sheila Fitzpatrick, worldwide data governance counsel and chief privacy officer at storage firm NetApp, who also sits on the data protection advisory committee at the EU.

To read the US press you'd think Privacy Shield is pretty much a done deal. This is a combination of wishful thinking and misunderstanding, she says.

"The US has difficulty in understanding the protection of personal data because it is almost a foreign concept. Businesses are used to having whatever data they need, whether it's consumer data or employee data; they're used to having it at their fingertips."

By contrast the Europeans are much more sceptical.

"In the EU there is a lot more caution and there's certainly mistrust right now. The EU is saying that a lot of work needs to be done. There's a lot of scepticism about how committed the US really is towards the privacy framework, just based on past history."

Far from any deal being done, several significant hurdles remain before Privacy Shield can cross the finish line, including a non-binding opinion from the Article 29 Working Party of national data protection authorities (WP29), approval by the 28 EU member states, and a final adequacy decision by the College of Commissioners. Even after that it may still be struck down by the EU's highest court, as Safe Harbour was.

"At that time the ECJ [European Court of Justice] can step in because if any of the member states say this isn't restrictive enough it can be invalidated based on the justification they used [to invalidate] Safe Harbour," Fitzpatrick explains.

Self-certification

One of the problems some European states had with Safe Harbour was that US companies wishing to transfer personal data from the EU were allowed to certify themselves. It had been assumed by many that self-certification would be dropped in its replacement, but it is still there at the insistence of the Americans.

"Self-certification is a sticking point in terms of what enforcement looks like," says Fitzpatrick. "The audit is a concern because right now they're saying it will be a joint audit between the FTC [US Federal Trade Commission] and the ombudsman and the EU. But will there be an audit conducted in the States before the EU is even informed?"

The ombudsman

The data ombudsman is another sticking point. This is the official to whom EU citizens can turn if they feel their privacy has been breached by an American firm. However, this supposedly independent post is to sit within the US State Department and report to the Secretary of State, rather than in a standalone office.

"It was supposed to be a separate, totally unbiased office that would report through the administrative branch but it was not to be part of the State Department or the FTC," says Fitzpatrick.

"Well, the position will report directly to the Secretary of State so there is a major concern that the bodies will not be unbiased and given free rein to basically implement the laws."

Notification

Another bone of contention is how individuals are to be informed whether or not their data has been breached. There is a 45-day window within which a company must respond to an EU citizen who has made a complaint, but exactly what needs to be reported back to them is unclear.

"They could do a 45-day forensic investigation and then say 'no, your data wasn't impacted,' and you never have to be notified," Fitzpatrick says.

A lot of work remains if Privacy Shield is to be ratified in June as planned, she says.

"First of all they have to define the framework in writing, put more details around it. The US has been tasked to go away and create the ombudsman, the responsibility and the functions and how the registration and self-certifications can occur."

Only after that can it go before WP29, the EU member states, the College and ultimately, possibly, the ECJ. But even if it is passed, it faces a sterner test when the EU General Data Protection Regulation (GDPR) takes effect in 2018.

"The talk at the moment is that Privacy Shield may have to be renegotiated in 2018 because the GDPR obviously puts many more obligations, responsibilities and accountabilities onto not just US-based multinational companies but any organisation that does business in Europe," Fitzpatrick says.

Unless the protections built into Privacy Shield are significantly stronger than those in Safe Harbour, any relief felt by US firms when the Privacy Shield "deal" was announced last month is likely to be short-lived.