- U.S. organizations wishing to import data from EU subjects will be subject to much more “robust” privacy protocols
- Final approval still faces hurdles
On Tuesday, February 2, 2016, the European Commission announced that representatives of the EU and US had concluded several months of intense negotiations following the October 2015 Schrems decision – in which the Court of Justice of the European Union (“CJEU”) declared that Safe Harbor does not comply with EU Privacy Directive 95 (the “Directive”) – with an agreement for a replacement data transfer protocol being called the “EU-US Privacy Shield.”
No written agreement(s) have yet been disclosed to the public. The lead EU negotiator has stated that the documents are being finalized and will be released in late February. In the US, data privacy watchdog EPIC has filed a FOIA request hoping to obtain it sooner. Despite the lack of official documentation at this point, statements from the Commission and from the Article 29 Working Party (“WP 29”), the EU’s top privacy regulators, give some broad outlines of the agreement, including some idea of how the Privacy Shield will differ from Safe Harbor.
The Commission pointed out three bullet points:
- Robust” privacy obligations
- U.S. businesses receiving personal data of EU subjects must commit to “robust obligations” to respect personal data processing and protection rights under the EU Privacy Directive. The U.S. Department of Commerce will be charged with monitoring U.S. business compliance. Enforcement will reside with the Federal Trade Commission (“FTC”). Businesses handling HR data of European subjects also must comply with decisions made by the WP 29 and the 28 EU data protection authorities (“DPAs”).
- “U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and individual rights are guaranteed.”
- Transparency and safeguards for law enforcement and national security access to records.
- The Commission announced that US negotiators had provided written assurances that EU data transferred into the US will not be subject to “indiscriminate mass surveillance” and law enforcement and national security access to such data “will be subject to clear limitations, safeguards and oversight mechanisms.”
- The Commission and the Dept. of Commerce will conduct a joint annual review to ensure compliance with these metrics.
- Effective oversight and accessible due process for data subjects
- It will be easy for data subjects to file complaints concerning use of their information, with “several redress possibilities.” The complaint resolution process will be transparent, independent and accessible. ADR mechanisms will be free of charge for subjects.
- For complaints regarding governmental access to subjects’ data, a new “Ombudsman” position will be created within the State Department. It has been reported that this provision was a key dealbreaker for EU negotiators, and that an eleventh-hour phone call from Secretary of State John Kerry, agreeing to the Ombudsman provision, saved the negotiations and sealed the deal for Privacy Shield
The WP 29 put out its own statement on February 3, requesting “all documents” pertaining to the reported agreement by the end of February, and promising to review the proposed agreement in the “coming weeks.” WP 29’s comment identified four “guarantees” in EU data privacy jurisprudence that it says will need to be built into the Privacy Shield, and cautioned that the group “still has concerns” with U.S. ability to meet those standards given the “US legal framework” as it applies to privacy. The four guarantees are:
- There must be “clear, precise and accessible rules” for data use/processing, meaning that any data subject can access the rules and have a clear understanding of the ways in which their personal information may be used by the US organizations;
- US data controllers/processors must be called to “Necessity and proportionality” with regard to the legitimate objectives pursued need to be demonstrated: a balance needs to be found between the objective for which the data are collected and accessed (generally national security) and the rights of the individual;
- “An independent oversight mechanism should exist, that is both effective and impartial: this can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks.”
- Effective remedies need to be available to the individual: anyone should have the right to defend her/his rights before an independent body.
WP 29 also mentions that, following its determination of whether Privacy Shield should receive an “adequacy” determination, it will reconsider whether Model Contracts and Binding Corporate Rules should continue as “adequate” methods for transatlantic data transfers.
Next steps – What should US companies do now with respect to transatlantic data imports?
The EU-US negotiations took a few months, and we can expect several more months (at least) before the agreement is officially adopted and available for US organizations to implement for transatlantic data transfers. There are many procedural hurdles still to be overcome within the EU framework to reach an official “adequacy” determination for “Privacy Shield.” Given the procedural and substantive hurdles that remain, it may be several months or more before the Privacy Shield is implemented. Even if implemented it faces the possibility of legal challenges based on Schrems.
- First, WP 29 must provide an opinion supporting adequacy
- Next, the Article 31 Committee – under the EU’s more strict “examination procedure” of the “comitology” process – must provide an adequacy opinion;
- Then, the EU College of Commissioners must approve and officially adopt the decision.
- At any time, the full EU legislative body can act to scuttle the entire process
- On top of all this, even when officially adopted, Schremsdemonstrates that the CJEU is the final authority on whether an “adequacy” determination is sufficient under the Directive.
One EU Parliament member known for strong positions on data privacy has publicly criticized Privacy Shield as a “joke” that will not pass muster under Schrems. Overcoming all the procedural hurdles is no foregone conclusion.
Substantively, the US needs to take several steps to keep the process moving forward:
- Secretary Kerry will have to establish and appoint the Ombudsman
- Congress must pass the 2015 Judicial Redress Act providing EU citizens the right to sue US agencies in US courts for privacy violations
Given the heavy importance placed on oversight and remedies in the statements of both the Commission and WP 29, it seems unlikely that the working group will reach an adequacy opinion without those measures having been implemented, as appears to be material terms of the negotiated “agreement.”
For now, WP 29 announced that US organizations can use and rely on Model Contracts and Binding Corporate Rules for EU-US data transfers, without risking enforcement action, until at least mid-April. WP 29 and most privacy experts have expressed grave concern that those transfer mechanisms are also invalid following Schrems, because they suffer from the same fundamental shortcoming – any data entering the US is subject to spying by US government agencies, without meaningful oversight or due process.
For now, US organizations doing business in or with EU member states or their subjects should:
Conduct a review of how, and where, personal data collected from European subjects is transmitted, processed, and stored and protected – both internally and with all vendors who perform any data processing or storage on your behalf
- Review all vendor contracts to ensure appropriate contractual provisions are in place
- Monitor press releases and other guidance coming from WP 29 and the member country Data Protection Authorities (DPAs) in all jurisdictions where they have operations and/or customers – wherever the data originates. It is expected many individual DPAs may issue their own minimum standards and guidance in the coming weeks and months.
- Keep abreast of actions taken by other similarly-situated companies with respect to their own transatlantic data transfers, and the reception of relevant EU authorities to those actions.
- Strongly consider the use of Model Contracts until Privacy Shield is adopted. Discuss with legal counsel other possible strategies for measures to satisfy the Directive, including specific consents.
- Be prepared for potential enforcement actions by member state DPAs. Most recently, Facebook has been ordered by the French DPA to cease and desist certain tracking activity including allegations Facebook is transferring certain EU subject data to the US under the now-defunct Safe Harbor