With the Article 29 Working Party’s position on the adequacy of the EU-U.S. Privacy Shield framework agreement (Privacy Shield) decision expected this week, U.S. businesses should be evaluating privacy options and preparing to make significant adjustments to internal procedures. In this newsletter, we cover key considerations for businesses weighing whether to join the Privacy Shield, what to expect from last week’s leak, and the impact of a possible rejected decision.

Joining the Privacy Shield is completely voluntary, and is a decision that every U.S. organization should not take lightly, especially as there are other methods of transatlantic data transfers, such as the EU Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The Privacy Shield introduces a lot of additional obligations and liability for U.S. organizations, including:

  • An annual registration and self-certification process
  • Agreeing to the Privacy Principles, which include:  
    • Notice
    • Choice
    • Security
    • Data Integrity and Purpose Limitations
    • Access
    • Accountability for Onward Transfers
    • Recourse, Enforcement, and Liability
  • Subjecting the organization to oversight by the U.S. Department of Commerce and the Federal Trade Commission (FTC)
  • Including a declaration of the organization’s commitment to comply with the Privacy Principles in their privacy policy, including a link to the Department of Commerce’s Privacy Shield website for any online privacy policy
  • A commitment to cooperating with the relevant Data Protection Authorities (DPA) for any organization that processes EU human resources data with respect to the investigation and resolution of complaints

Accordingly, in addition to registering with the Privacy Shield, a U.S. organization must also publicly commit to comply with the Privacy Shield’s requirements. Once publically committed, that commitment will become enforceable under U.S. law.

Unfortunately, failure to comply with the Privacy Shield requirements could result in sanctions or exclusion from the framework. Even if an organization determines that it no longer wants to participate in the Privacy Shield and elects to withdraw, it may remain subject to the Privacy Shield for a long time. Any U.S. organization that was part of the Privacy Shield and elects to withdraw, yet wishes to retain information collected while a part of the Privacy Shield, would be required to annually re-certify its commitment to apply the Privacy Principles to information received under the Privacy Shield to the Department of Commerce. Or, the organization must provide some alternative means to show that it can apply “adequate” protection by another authorized means, which may be the SCCs or BCRs. Thus, every U.S. organization should give careful consideration before electing to be part of the Privacy Shield.

Transatlantic Transfer of EU Personal Data

In light of the voluntary nature of the Privacy Shield, and because it has not yet been adopted, U.S. organizations that have received personal data from the EU under the invalidated Safe Harbor must consider and utilize alternative mechanisms in order to be compliant with the data sharing requirements of the Data Protection Directive 95/96/EC. In short, because the Directive regulates the export of personal data outside of the European Economic Area (EEA), it prohibits EU organizations from transferring or exporting personal data unless such recipient organizations are able to ensure adequate protection for the data. This may be accomplished by the Privacy Shield, if and when it is approved, or the SCCs or BCRs noted above. Thus, a U.S. organization can continue to receive personal data from the EU if it enters into the SCCs or adopts the BCRs.

Since the Directive is implemented through the local laws of each Member State, a local DPA has the right and ability to launch a local enforcement action against any organization that it believes has not implemented an acceptable alternative compliant data transfer mechanism. Should an organization fail to have a compliant transfer mechanism, the local DPA may impose monetary fines and sanctions, including the prohibition on the transferring of personal information.

What to Expect from the Leak

While the opinion is not scheduled to be released for a few more days, speculation across the internet has been rampant as to which way the opinion of the Article 29 will go – ranging from clear statements that the Privacy Shield will be deemed adequate to not even a remote chance of receiving the blessing of Article 29. Of course, all this landed on the back burner once extracts of the Article 29 opinion started to leak.

“Until these issues are addressed, the WP29 considers it is not in a position to reach an overall conclusion on the draft adequacy decision. It stresses that some of the clarifications and concerns — in particular relating to national security — may also impact the viability of the other transfer tools.”

“Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy decision does, indeed, ensure a level of protection that is essentially equivalent to that in the EU.”

If true, the content of the leak should not come as a surprise. As you will recall, the purpose of the Privacy Shield was to make certain that there was a mechanism in place to “ensure a level of protection [in the U.S.] that is essentially equivalent to that in the EU.” Back in February, the Article 29 group published a set of conditions to be met by the Privacy Shield in order to comply with European privacy laws as well as to ensure protection of basic human rights. If this leak is true, it would be a clear statement that the Article 29 group does not believe that the Privacy Shield has satisfied each of its conditions and Article 29 can, therefore, not support the European Commission’s adequacy decision.

Implications of a Possible Rejection

Given the magnitude of this decision, any rejection would likely not sit well with the U.S. government or U.S. organizations, and ultimately, may have a negative impact on cross-Atlantic business and drive up the cost of global commerce.

While true that a rejection would be a major blow for the European Commission, approval by the Article 29 group is not required to implement the Privacy Shield framework. It is unclear whether the Commission would implement the Privacy Shield, despite a rejection by the Article 29 group, but there is a lot of speculation that it may be the case, given the significant pressure from the U.S. government and organizations on both sides of the Atlantic. The continued state of uncertainty is not conducive to business, the government, or citizens. It is worth noting that approval by the Article 29 group is just one of many hurdles still to be cleared before it can be finalized by the EU and U.S. governments, including a resolution in the European Parliament. All of that is a prerequisite for approval by the European Court of Justice (ECJ), Europe’s highest court, and the ECJ will most likely seek to weigh in on its validity.

Of course, one should bear in mind that regardless of what happens with the Privacy Shield this week, we are likely to see several rounds of changes in the next two-plus years in order to bring the Privacy Shield into compliance with the General Data Protection Regulation (GDPR). GDPR was signed off by the Council of the European Union on Friday, and is getting very close to becoming law. One of the last steps is the final adoption of the text by the European Parliament, which is expected to happen later this week. Once GDPR is finally adopted, organizations will have two years (likely to be May of 2018) before the European Commission begins enforcing it. GDPR is another regulation directed at governing the processing of commercial data and, among its many obligations, will institute additional requirements on data controllers, as well as provide additional enforcement mechanisms and power. That includes providing for significant fines, subjecting the processing of any EU personal data to the EU rules, regardless of where such processing takes place or by whom, and granting new and additional rights to the data subjects.

Thus, despite any changes adopted by an organization to comply with the Privacy Shield, U.S. organizations will likely have to adjust their internal procedures and enter new SCCs or develop new BCRs under the GPDR. Despite all of that, any existing SCC and BCR structures may be subject to further review under the Directive, since some DPAs have expressed their belief that these suffer from the same flaws as Safe Harbor. But for now, U.S. organizations may continue to receive and process EU personal data by entering into the SCCs and BCRs.