Francesca Giannoni-Crystal, o much promise, so little delivery …, i.e. why the Privacy Shield might not matter much for the biggest American businesses (read: tech-giants)

After the October 6, 2015, European Court of Justice’s annulment of the Safe Harbor decision of adequacy (Maximilian Schrems v. Data Protection Commissioner), the European Data Protection Authorities (DPAs) gave businesses until January 31, 2016, for the start of enforcement of the Schrems’ decision (see here).

The Safe Harbor Scheme had been used for almost 15 years as the main avenue to legitimately transfer data from the EU to the US. Indeed, pursuant to Article 25(1) of Directive 95/46/EC, the transfer of data to a third country may take place only if the third country ensures an adequate level of protection of such data. Article 25(6) allows the Commission to find that a third country ensures an adequate level of protection by reason of its domestic law or its international commitments, so allowing the transfer to this third country. The Commission had issued a decision of that sort relating to United States (Decision 2000/520/EC of 26 July 2000 – here – providing that the US recipient adhered to the Safe Harbor principles. Read more on the Safe Harbor here. Almost 4000 companies operated under the Safe Harbor Scheme (see here list), including the tech-giants like Apple, Google, Facebook, LinedkIn, Twitter, Airbnb, Yahoo. Because the transfer of data to the US for processing and storing was fundamental in the business models of those companies, the annulment of the Safe Harbor had been almost an Armageddon in the digital world. After the deadline for enforcement of the Schrems decision, the transfer of data to the US is possible only with the free and informed consent of the data subjects or through the alternative (and burdensome) methods of model contract Clauses and binding Corporate Rules (read here for alternatives to Safe Harbor for the transfer of data between the EU and the US ).

The digital world waited anxiously for a new deal between the EU and the US, which came on February 2, 2016, when the EU Commission and the U.S. government agreed on new scheme (“Privacy Shield”). Once approved, it will allow the transfer of data to the US as the Safe Harbor did. Compared to the Safe Harbor, however, the Privacy Shield contains stronger obligations on U.S. companies, clearer safeguards for data subjects, transparency on U.S. government’s access, and more redress possibilities for EU citizens.

On February 29, 2016, the EU Commission released the Privacy Shield legal documents, including a draft adequacy decision, Privacy Shield factsheet and the correspondence with its American counterparts. See more here.

After a non-binding opinion by the Article 29 Working Party (WP29) – expected to be approved on April 12-13, 2016, at its Plenary meeting — and after a binding opinion by the Member States in “comitology” (pursuant to Article 31 of Directive 95/46/EC) – expected some time between April and May (see here for the complete timeline of the Privacy Shield), the EU Commission (probably in June 2016) will adopt the adequacy opinion that will allow the Privacy Shield to enter into force. Until the approval of the adequacy decision, the consent of data subjects or the use of model contract clauses and binding corporate rules are required to transfer data to the US. As said these methods are quite burdensome on businesses, which are now understandably making the countdown to the entering into force for the Privacy Shield.

The new scheme, however, risks to be a “so much promise, little delivery” document for most large American businesses and particularly for the tech-giants. In fact, once the new General Data Protection Regulation (last text of GDPR here) is approved (the EU Parliament is scheduled to vote on April 18), and enters into force — which should be in the Spring of 2018, — the long-awaited Privacy Shield is going to be of very little use to the tech giants. The GDPR will supersede Directive 95/46/EC and will establish the same law in all the 28 EU member states (unlike the current situation, in which every member nation has its own data protection law.)

Article 3 of the GDPR establishes a broader territorial scope for EU data protection. Once in force, it will subject to EU privacy law (i) “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” Article 3(1) and (ii) “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or (b) the monitoring of their behaviour as far as their behaviour takes place within the European Union.”  To summarize Article 3(2): if an organization (wherever located) “targets” EU citizens, then this organization is bound to comply with the GDPR (exactly as a European organization). Is there any possibility of finding that the tech-giants do not target EU citizens in offering there their digital services?

But there is more: one could make an argument that (at least) the tech-giants are already bound to comply with the current EU Directive. Recent decisions of the European Court of Justice (ECJ) make exactly this point. The Google Spain decision held that Google was subject to EU privacy law because it has a branch/subsidiary that sold advertising spaces orientating “its activity towards the inhabitants of that Member State”. The Weltimmo decision held that data protection legislation of a Member State may be applied to a foreign company which exercises in that State, through stable arrangements, a real and effective activity, and the presence of a single representative may be sufficient to trigger the application of a Member State’s data protection law. The WP29 issued a new opinion on the law applicable in light of the CJEU judgment in Google Spain  explaining that — based on the ECJ’s case law cited above — the territorial scope of the Directive already extends to processing carried out by non-EU entities when those entities have a ‘relevant’ establishment in Europe whose activities are ‘inextricably linked’ to the processing of data. While (at least for the moment) the mentioned decisions have not been used to hold foreign organizations liable under the Directive, those decisions surely reinforce the impact of Article 3 GDPR.

In conclusion, because the tech-giants “targets” European citizens and/or monitor their behavior, either directly or indirectly (through a subsidiary advertising company like in Google Spain), and they probably have (at least) one representative (under Weltimmo), once the GDPR is in force, they will be bound to comply with it. The Privacy Shield will not be applicable to an organization that is subject to the EU GDPR. The significance of the Privacy Shield will be limited to those non-EU organizations that – neither directly or indirectly – offer a service to EU citizens, or monitor their behavior. And obviously do not have a representative in EU. When it comes to big organizations, there should not be many.

For more information, Francesca Giannoni-Crystal.