Nicknamed the EU-US Privacy Shield (Privacy Shield), there were high hopes that the framework would replace the 15-year-old Safe Harbor, which was invalidated by the European Court of Justice (CJEU) in 2015.
The announcement was met with initial fanfare, originating across various sectors, including from those in the aviation sector who had been relying on the now-defunct Safe Harbor for transferring data from the European Union.
However, whilst it appeared significant progress had been made, a recent rejection of the Privacy Shield by the Article 29 Working Party (Working Party), the group composed of representatives of the EU national data protection authorities, has arguably put matters back and underlined that the Privacy Shield is certainly not the silver bullet many of its advocates initially considered it to be.
So what exactly do these developments mean for airlines and others in the aviation sector?
In 2013, following Ed Snowden’s revelations of ongoing surveillance by US intelligence agencies, trust in the US was significantly damaged from an EU perspective and it proved to be the downfall of the previous trans-Atlantic data transfer on which many aviation companies relied - Safe Harbor.
In particular, when citizens of the EU discovered the extent of the US’s data collection operations, a lawsuit was filed in Ireland, which eventually wound up before the European courts, and the net result was that Safe Harbor was invalidated.
The months that immediately followed the invalidation saw intense negotiations between the European Commission and the US Department of Commerce to find a Safe Harbor 2.0 so that those companies who previously exported data relying on Safe Harbor could continue to do so without delay and significant business disruption.
When that replacement - the Privacy Shield – was finally announced, it was initially greeted with a sigh of relief. However, for those following privacy developments closely, the Working Party’s rejection of the Privacy Shield did not come as a surprise.
So what are the Working Party’s criticisms of the Privacy Shield and where does this leave those in the aviation sector who previously relied on Safe Harbor to transfer data to the US?
Working Party Criticisms
Whilst the Working Party acknowledges that the Privacy Shield offers improvements compared to its predecessor, it identified a number of key flaws in its opinion as follows:
• Lack of clarity – its view is that the Privacy Shield documentation is difficult to understand, in particular there is “an overall lack of clarity”. It suggests that a glossary of terms should be added to the agreement’s appendix to clarify important concepts.
• No equivalent protection – one of the key concerns of the Working Party is that the US will continue not to hold European citizen’s data to the same standards as it is held to under EU laws. It notes that a number of EU data protection principles that are central to EU law are missing from the new framework. For example, it notes that the Privacy Shield documentation does not address data retention adequately, raising concerns that it would not prevent an organisation in the US holding data indefinitely, when this would not be permitted in the EU.
• Problems with the ombusdsperson – whilst the Working Party welcomed the introduction of an ombudsperson to deal with complaints brought by data subjects, it has concerns that this person does not appear to be sufficiently independent. In addition, it raised questions over whether the ombudsperson has sufficient powers to effectively exercise its duty and whether the redress mechanism is too complex.
• Collection of data by law enforcement - the Working Party goes on to express concerns in its opinion that “massive and indiscriminate” collection of data by US law enforcement agencies is not fully excluded and the circumstances in which law enforcement agencies may access data is unclear. More specifically, it has concerns that exceptions to allow the bulk collection of data are inadequately defined e.g. “terrorism”, “cybersecurity threats” and “espionage”.
• Problems with the grace period – the Working Party was critical that organisations that certify within two months of approval of the Privacy Shield arrangement coming into force receive a nine month grace period from compliance with the third party contracting requirements (i.e. the Privacy Shield contains new requirements regarding contracts for onward transfers to third parties). The Working Party considered that organisations should be compliant right away.
So what does this mean for those in the aviation sector?
Whilst the Working Party’s opinion is non-binding, it does carry significant weight bearing in mind the authors behind it will retain substantial power to review individual data transfers made under Privacy Shield.
While the adoption of a new EU-US data transfer protocol is arguably preferable to the gaping hole that the invalidated Safe Harbor left in place, this opinion leaves the door open on several important issues that may ultimately undermine its efficacy.
In terms of next steps, the European Commission are now consulting with a committee consisting of representatives of the EU member states before it issues a final decision on what the Privacy Shield will look like. If the final decision is voted through it is widely expected to be challenged via the European courts in the same way that Safe Harbor was, however.
Such question marks over the long term future of the Privacy Shield (added to by the built in mechanism which allows for it to be dismantled or substantially changed each year), arguably diminishes its value as a long term compliance solution and it is argued that it should not be relied on alone to safeguard trans-Atlantic transfers.
With these types of uncertainties on the table, it is argued that other options for transatlantic data transfers – namely model contract clauses, binding corporate rules or relying on the agreement made between the EU and the US to legitimize the transfer of passenger name record information from EU airlines to US authorities – remain safer alternatives for companies in the Aviation Sector than opting into the Privacy Shield.
The details will no doubt become clearer in the coming weeks, but in any event, airlines and others in the aviation sector would be best advised to consider all their options rather than placing too much faith in the Privacy Shield in light of these recent developments.
Steven Farmer is a Counsel in Pillsbury’s London office.