In two independent and much-anticipated events, separate EU entities took actions which will continue to complicate the ability of US companies to do business in Europe.

Privacy Shield Provisions Found Lacking by Working Group 29

First, the EU’s Working Group 29 rejected as inadequate the new Privacy Shield that had been negotiated between the officials of the European Commission and the US Department of Commerce. Although WG 29’s lack of enthusiasm for the Privacy Shield was a poorly kept secret, their 58-page opinion detailed a comprehensive list of commercial and national security deficiencies that will make it extremely challenging to resurrect the hoped-for replacement of the Safe Harbor Agreement between the US and the EU.

For a large number of US companies, Safe Harbor offered the only efficient way to transfer data on EU citizens from the EU to the US -- an indispensable feature of most multi-national companies utilizing US-based servers to manage HR and similar information on a company-wide basis.  The path for adoption of the Privacy Shield was never expected to be easy, as court challenges loomed regardless of the outcome of the WG 29’s considerations, but the breadth and specificity of the shortcomings perceived by that body will make subsequent legal attacks significantly more likely to succeed even if further negotiations between the US and EU can find ways to address the problems raised by WG 29. 

And, it is far from certain that even the most committed negotiations will produce a solution.  While the commercial aspects of the claimed deficiencies typically can be addressed, albeit with even more red tape facing US companies, the continued concerns expressed regarding national security implications, including the bulk collection of data, and the need for truly independent oversight of enforcement will be much more challenging to solve.  In theory the negotiators could take their chances by trying to defend the current version before the European Court of Justice, but that court has already once expressed skepticism over the efficacy of the proposed solutions when it struck down Safe Harbor.  Regardless of the path next taken, one thing is clear: a cloud of uncertainty will hang over the fate of any attempt to transfer EU citizen personal data through a negotiated process for months, and probably years, to come.

European Parliament Adopts General Data Protection Regulation

The European Parliament today adopted in plenary session the EU Data Protection Regulation, which will become law 20 days after its publication in the EU Official Journal, scheduled for July. It will officially become effective in all Member States two years after that date.

Jan Philipp Albrecht (Greens, DE), who steered the legislation through Parliament, observed: "The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European 'yes' to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share."

Key provisions include:

  • the right to be forgotten
  • the right to transfer one’s data to another service provider
  • the right to know when one’s data has been compromised
  • the right to have privacy policies explained clearly
  • the obligation to obtain clear affirmative consent before processing a person’s data
  • fines up to 4% of firms' total worldwide annual turnover

Each EU Member State will be required to adopt its own regulations that comply with the significantly more proscriptive provisions of the GDPR within the two-year deadline in 2018.  Unlike prior EU Directives, which allowed Member States significantly more leeway in implementing EU privacy provisions, the GDPR will require not only stricter, but more uniform, privacy protections throughout the EU.