TABLE OF CONTENTS
I. INTRODUCTION 1312
II. BACKGROUND 1314
  A. Differing Notions of Privacy in the United States and the European Union 1315
  B. Standard for Transfer of EU Data: Data Protection Directive & General Data Protection Regulation 1318
III. LEARNING FROM THE PAST 1320
  A. EU-U.S. Safe Harbor Agreement 1320
  B. Safe Harbor Invalidated: The Schrems Holding 1324
IV. ANALYSIS OF THE PRESENT: EU-U.S. PRIVACY SHIELD AGREEMENT 1326
  A. How the EU-U.S. Privacy Shield Framework Operates 1328
  B. Improvements in the Privacy Shield 1330
    1. Data Protection Mechanisms 1330
    2. Redress Mechanisms 1332
    3. Oversight Mechanisms 1334
  C. Remaining Weaknesses and Potential Issues Threatening the Privacy Shield 1336
    1. Lack of Protection from US Surveillance 1336
    2. External Factors 1337
      i. US Political Climate: Trump Administration 1337
      ii. EU Political Climate: Brexit 1342
V. LOOKING TOWARD THE FUTURE: THE POSSIBLE OUTCOMES FOR THE EU-U.S. PRIVACY SHIELD 1344
  A. First Privacy Shield Challenge: Annual Joint Review 1344
  B. Upcoming Privacy Shield Challenge: Judicial Action by the CJEU 1346
  C. Alternative Mechanisms to the Privacy Shield 1348
  D. Privacy Shield Reimagined: EU-U.S. Business Privacy Shield 1352
    1. Regulatory Examples: Fair Labor Association and Worker's Rights Consortium 1353
    2. Replacement of US Government Role with a Data Privacy NGO 1355
    3. Advantages to Data Privacy NGO Enforcement of EU-U.S. Business Privacy Shield 1356
VI. CONCLUSION 1358

I. INTRODUCTION
Personal data is a currency of the modern age and a valuable commodity in an increasingly electronic world. However, unlike traditional forms of currency, personal data inherently relies on private information about real people, occupying a sacred space that warrants heightened protection. The dominant exchange of this ubiquitous personal data currency occurs between EU member states and the United States. Despite this, the United States and the European Union historically have fallen short in reaching a consensus about the permissible process by which EU personal data can be transferred to the United States. (1)
On October 6, 2015, the Court of Justice of the European Union (CJEU) issued a decision invalidating Safe Harbor, the previous EU-U.S. privacy agreement that permitted data transfer between the European Union and the United States. In invalidating the agreement, the CJEU explained that Safe Harbor was not compliant with the Data Protection Directive and that US enforcement of the agreement prioritized US concerns over the Safe Harbor Principles. (2) Less than a year later, the European Commission (EC) approved a new data sharing agreement, the EU-U.S. Privacy Shield (Privacy Shield), which went into effect on August 1, 2016. (3) While the Privacy Shield improves the protection afforded to EU citizens and their personal data, the framework of the new agreement is not immune to challenge within the European Union and faces an uncertain future.
This Note investigates the range of possible outcomes that could result from the Privacy Shield. Part II examines the differing notions of privacy within the European Union and the United States, and analyzes the EU Data Protection Directive's impact on US collection, usage, and onward transfer of EU personal data. Part III outlines the predecessor agreement, EU-U.S. Safe Harbor, and discusses the rationale for its invalidation. Part IV introduces the new agreement, the EU-U.S. Privacy Shield, outlining its structure, identifying the improvements within the new framework, and recognizing the weaknesses that threaten its long-term success. Part V considers the potential challenges for the Privacy Shield in the upcoming years: joint annual review and review by the European Court of Justice. Next, it offers a synopsis of the alternative mechanisms for compliance if the Privacy Shield framework is invalidated. Part V concludes by recommending restructuring the Privacy Shield as a public-private arrangement, replacing the role of the US government with a Data Privacy non-governmental organization (NGO) to exploit the improvements in the Privacy Shield, while minimizing the risk of invalidation.
This Note concerns only the transfer of EU personal data to the United States for collection, usage, or onward transfer. Examples of these transactions include the inner workings of a single company with branches in both the United States and the European Union, travel corporations or online retailers that require personal information to finalize transactions, online educational institutions that seek personal statistics, social media platforms, and human resource companies, to name a few. (4) While there is no universal definition of personal data, the European Union has defined it as any information that makes it possible to identify a person, including: names, phone numbers, birthdates, both home and email addresses, credit card numbers, national insurance numbers, IP addresses, employee information (including employee number and login information), gender, marital status, and biometric and genetic data. (5) Personal data also includes aggregate data, which involves the aggregation of information from servers and personal online profiles in order to tailor online ads to the specific preferences of a targeted user. (6)
If the Privacy Shield fails, the consequences will be severe, impacting not only the economies of the EU member states and the United States, but global trade as well. The European Parliament recognized the importance of the EU-U.S. trade relationship, noting that cross-border data flows between the European Union and the United States are the highest in the world, 50 percent higher than any other transfer, and acknowledging personal data as an essential component. (7) The Department of Commerce (DOC) noted that EU-U.S. transatlantic trading is the largest trading relationship in the world, estimated to produce half a trillion dollars of commerce annually, representing half of all US investments abroad, and employing 3.5 million Americans. (8) Clearly, there is a lot at stake both for consumers and corporate entities in the United States and the European Union. (9) The United States and the European Union not only have different notions of what personal data includes, but also operate under two very different definitions of privacy more generally, which shape their respective laws and public policies. (10) As a result, the European Union and the United States have opposing views of what data protection specifically looks like and how it should be implemented. (11) Despite these differences, the European Union and the United States have recognized the profound need for cooperation and consensus.
A. Differing Notions of Privacy in the United States and the European Union
The historical notion of privacy in the United States differs from that of the European Union. To start, the word "privacy" is absent from the US Constitution. (12) American jurisprudence has recognized that a right to privacy is implicit in the Fourth Amendment's prohibition against unreasonable search and seizure. (13) However, courts have historically limited this right to criminal matters, leaving lackluster constitutional protection for civil privacy rights. (14)
Beyond the Constitution, there is also a common law privacy tort in the United States: invasion of privacy. (15) However, the tort's protection is narrow in reach: once an individual publishes personal information, he or she waives the right to sue under the tort. (16) Statutory law in the United States has also failed to create a comprehensive set of privacy standards. (17) Instead, legislative enactment has taken a piecemeal approach, passing narrow laws that are scattered across specific target sectors. (18) Often these pieces of legislation are reactive and narrow in scope, creating privacy rights in instances where highly publicized violations have engendered public concern. (19) Notably, the majority of legal privacy protections in the United States guard against government intrusion. When regulation of the private sector must occur, there is a strong presumption in favor of self-regulation as the "least intrusive and most efficient means," preferring soft laws that permit, but do not compel, private actors' participation. (20)
The European Union has a very different notion of privacy that is reflected in the protections afforded individuals. Rather than limiting privacy rights to instances of government intrusion, the European Union recognizes privacy and data protection as an express right that protects individuals from corporate data collection. (21) Privacy of one's personal data is a fundamental right that is guaranteed by the European Union Charter of Fundamental Rights. (22) This sui generis right, analogous to a constitutional right in the United States, is grounded in international human rights instruments. (23)
In addition to recognizing a right to privacy, the European Union also asserts that data protection is an essential mechanism for protecting EU citizens' fundamental rights. (24) The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines) were created by the Organization for Economic Cooperation and Development (OECD), an intergovernmental organization with thirty-five participating members, including the European Union. (25) The OECD Guidelines suggest what should be taken into account when developing legislation on privacy and data protection, and highlight principles that preserve individual rights while easing restrictions on the flow of information between nations. (26) The European Union's adoption of the OECD Guidelines, by virtue of its membership in the OECD, resulted in each EU member state largely enacting its own data protection rules based on the OECD Guidelines, creating uncertainty and inconsistency in legislation throughout the European Union. (27) To remedy the confusion, EU member states voted...