skip to main content
Receive client alerts and/or Silicon Valley e-News in your inbox.
Data transfers are the lifeblood of business in a global market. Consequently, any uncertainties concerning the lawfulness of international transfers of personal data pose a significant commercial risk to US and EU businesses that operate internationally.
What is the problem?
The Privacy Shield was negotiated between the European Union and the US government to prove a legally binding means for businesses to transfer personal data on EU residents to the US. Businesses certify that they will provide privacy protections comparable to those that apply in the EU. The Privacy Shield provides a means to legally enforce that certification. Absent the Privacy Shield and related mechanisms provided by the EU Commission, the transmission of personally identifiable data from the EU to the US can violate EU law.
The current problem stems from Section 14 of the Executive Order on "Enhancing Public Safety in the Interior of the United States," which has cast doubt whether the Privacy Shield can meet EU legal requirements. That section provides:
"Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."
Immediately after publication of that executive order Jan Phillip Albrecht, a member of the European Parliament and its rapporteur on data protection regulation, tweeted to suggest that this statement might invalidate Privacy Shield. Albrecht called in his tweet for immediate suspension of Privacy Shield.
In a sequence that would be familiar to President Trump himself, Mr. Albrecht’s tweet sparked something of a media storm, including headlines suggesting that the executive order could "nix" transatlantic data flows. Commentators observed that the executive order might undermine Privacy Shield because it departed from assurances given to the EU Commission by the Obama administration (and supported by a five page letter from US intelligence agencies) concerning the treatment of personal data. The story became, in effect, self-fueling. Articles and tweets expressing concerns themselves became the basis for further articles and tweets.
The EU Commission moved swiftly to address the issue, pointing out that the relevant protections (from an EU perspective) are in the EU-US Umbrella Agreement (in force 1 February 2017) and in the US Judicial Redress Act, which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts. These protections would be subject to the provision in the executive order that requires actions to be “consistent with applicable laws.” On that analysis, the executive order did nothing to disturb the assurances given in 2016, on the basis of which the EU Commission adopted Privacy Shield.
Although we tend to agree with the analysis by the EU Commission, it is clear that perception can be at least as powerful as fact. Indeed, in the current highly-charged environment, such perceptions may become "alternative facts," to use the current euphemism for exaggerated claims that seek to supplant actual facts in political discourse. Both the Privacy Shield and the EU model clauses (which provide an alternative means for protecting EU-US data transfers) are currently subject to legal challenge in Europe. The Privacy Shield is also under close scrutiny at a political level, with its success or failure representing a major test of governments' ability to facilitate and protect international data transfers.
In practice, the executive order is likely to be cited as a real and ongoing cause for concern by those already challenging the legal basis for Privacy Shield (notably, Austrian privacy campaigner Max Schrems, whose earlier legal challenge led to the Court ruling that brought the previous Safe Harbor arrangement to an end).
The Privacy Shield is supplemented by other means of giving assurances of privacy protections. Principal among these are EU Commission-approved “model clauses,” which are privacy protections that firms may voluntarily adopt in contracts and other governing corporate documents. All these mechanisms seek to provide assurances that personal data leaving the EU will receive protections comparable to those that apply in the EU. If the EU were to determine that US law, post-executive order, is fatal to the enforceability of the Privacy Shield, it might also conclude that US law is equally fatal to the enforceability of these other mechanisms.
Under EU law, the main practical alternative to the Privacy Shield and its related mechanisms involves obtaining data subjects' specific, timely and informed consent for the trans-Atlantic transfer of data. Obtaining such consent can be extremely difficult. Thus, if Privacy Shield were to fail, business would be faced with potentially growth-threatening difficulties given current business models which are often premised on the free flow of data across international borders.
Steadying the ship
It is extremely unlikely that the executive order on "Enhancing Public Safety in the Interior of the United States" was drafted with any thought that it might adversely affect the personal data transfers on which modern business depends. However, given that its terms have been widely reported as a threat to a key EU-US agreement it would be extremely useful if the Trump Administration were to provide specific confirmation that the assurances given to the European Commission in 2016 remain valid and reliable. While such a statement might be less immediately striking and newsworthy than the tweets and executive orders of Trump Administration's high-energy and rule-book shredding first days, it would materially help to ensure that businesses can focus on productive activities rather than having to divert resources to deal with the risk of personal data transfers being blocked or made subject to regulatory sanctions. Under a new EU law coming into full operation next year, those sanctions could reach up to 4% of a business' worldwide turnover.
BREXIT AND US-UK TRADE – TIME FOR A NEW DEAL?
The possibility of a new US-UK trade deal was a significant topic for discussion during UK Prime Minister Theresa May's recent visit to the White House. While both the US and the UK might be keen to make rapid progress with a bilateral trade deal, the UK is currently bound by the terms of its EU membership and cannot press ahead.
Brexit has cleared a major hurdle. The UK Supreme Court ruling of 24 January 2017 confirmed that Parliamentary authority is required before the Prime Minister can take the executive step of triggering Article 50 of the Lisbon Treaty. The UK's membership of the EU ends two years after Article 50 has been triggered.
On 1 February the UK House of Commons voted by 498 to 114 in favour of the Bill that will authorise the Prime Minister to trigger Article 50. The vote was on the Bill's second reading, which means that the House of Commons has approved the principle. The Bill now moves into its committee stage before its third and final reading in the House of Commons, It then proceeds to the House of Lords, where any serious attempt to vote it down would spark a major constitutional crisis. Given the stakes, the House of Lords is unlikely to resist the Bill's progress.
On 2 February the UK government published its strategy for Brexit negotiations. As expected, bilateral trade deals are presented as the key to future prosperity, and the US is singled out as the UK's most important current and potential trading partner.
There is an appropriately transatlantic feel to the government's strategy paper. It recalls a statement attributed by US writer Mark Twain to UK Prime Minister Benjamin Disraeli: "there are lies, damned lies and statistics".
The US is confidently described as the UK's "single biggest export market", and is therefore marked out as the prime target for an early bilateral trade deal. Strictly speaking, that claim might well be accurate. However, it depends on the crucial words "on a country-by-country basis". The US is the UK's "single biggest export market" only because the European Union is treated as 27 separate markets rather than the reality of the EU single market.
But the observation is consistent with the fact that as a market (and not a UK trading partner) the United States is larger than the EU after deducting the UK from the EU column. But the US market is approximately 5,000 miles further away from the UK than its sister states of the EU. Furthermore, the US market is already quite strong in sectors like finance and services where the UK excels.
Economists and business leaders will have much to consider as they attempt to quantify the pluses and minuses of the EU vs. the US as UK trading partners. An intriguing question is whether, much as the UK has been the bridge into the EU for US businesses and others, can it instead serve as a conveniently-positioned bridge into the US market for businesses on the eastern side of the Atlantic? What sort of UK-US trade agreement would that require?
In any event, good negotiators know that they are only as good as their plan B. As the Prime Minister negotiates a post-Brexit trade agreement with the EU, a potential high-octane trade deal with the US could be an important part of her plan B. It is much in the UK’s interest to pursue these negotiations as diligently and as publically as possible. It will equally be in President Trump’s interest to do all he can to strengthen the UK’s position in these matters lest the UK be forced to accept terms from the EU that are not in either party’s interest.
The government's Brexit strategy paper repeats and confirms the point made by the Prime Minister in her speech of 17 January 2017. Leaving the EU means leaving the single market. It therefore means having to negotiate a new trade deal with the EU as a bloc, but almost certainly requiring separate ratification by each EU member states. That is because any comprehensive trade deal with the EU would inevitably cover matters within the competence of the EU Commission and other matters reserved to the member states. As the EU experienced in the final stages of negotiating the CETA deal with Canada in 2016, that split of competence creates a significant risk that ratification will be withheld by one or more of the EU member states, perhaps adding months or even years to the process.
With no guarantee of a swift or smooth path to a UK-EU trade deal, the statistical conjuring in the Brexit strategy paper gives the strongest indication to date that a UK-US trade deal is at the very top of the UK government's wish list.
If you have any questions, feel free to contact:
Belton Zeigler is a veteran litigator and a senior member of Womble Carlyle’s Data Management and Cybersecurity Team. He has adapted his extensive experience in industrial and infrastructure matters to counsel clients on data management and cybersecurity including matters such as data breach preparation and response, as well as litigation involving data management.
Andrew Kimble is a partner with Bond Dickinson whose practice focuses on all aspects of data protection, freedom of information and privacy work including data protection audits, data security incidents, cross-border data transfers, outsourcing arrangements, subject access requests, direct marketing and general data protection and FOIA compliance.
Malcolm Dowden is a Legal Director with Bond Dickinson with extensive experience of international commercial contracts, including the design and delivery of training for national and municipal authorities on contract law issues for public-private partnership. Malcolm also has experience of statutory and regulatory drafting in the UK and other common law jurisdictions.