After months of criticism from various EU bodies and institutions, the much-anticipated EU–U.S. Privacy Shield has finally been approved by the European Commission, paving the way for self-certifying U.S. organizations to legally transfer EU personal data across the Atlantic. The adoption of this new framework ends months of uncertainty for thousands of companies that relied on the Privacy Shield's predecessor, the Safe Harbor Program, to transfer EU personal data across the Atlantic. The terms of the Privacy Shield are expected to be published in the U.S. Federal Register by mid-August 2016. Companies interested in self-certifying compliance with this new trans-Atlantic data-transfer framework can do so beginning August 1, 2016, when the Department of Commerce will begin accepting certifications. Now is the time for companies to consider whether certifying with the Privacy Shield is the best option for their business.
EU and U.S. officials released the details of the new "Privacy Shield" framework in February 2016 to replace the Safe Harbor with a more robust and comprehensive trans-Atlantic data-transfer scheme. The European Court of Justice ("ECJ") invalidated the Safe Harbor program in its October 6, 2015, Schrems decision, ruling that it failed to provide an adequate level of protection to personal data transferred from the European Union to the United States.
Following its release, the Privacy Shield immediately became the subject of intense scrutiny, particularly by the Article 29 Working Party ("Working Party"), the European Parliament, and the European Data Protection Supervisor. All heralded the Privacy Shield as a step in the right direction, but they identified several deficiencies in the terms of the new framework and called for clarity and improvement. In particular, the Privacy Shield was heavily criticized for the complexity of the redress system, the need for more substantive detail on data retention restrictions, the apparent lack of independence of the proposed U.S. Privacy Shield Ombudsman, and overall uncertainty as to whether the U.S. government's "written assurances" would sufficiently safeguard against "massive and indiscriminate collection" of EU personal data by U.S. authorities. Privacy advocates, moreover, vowed to challenge the Privacy Shield for failing to adequately protect EU personal data from unfettered access by the U.S. intelligence community.
While the opinions of these EU bodies and institutions are nonbinding on the EU Commission, all have been highly influential in finalizing the terms of the Privacy Shield. Continued negotiations between EU and U.S. officials culminated in a revised version of the Privacy Shield, approved by the Article 31 Committee, a group of national representatives from the EU Member States, on July 7, 2016.
With the Article 31 Committee's "strong support" for the Privacy Shield, EU and U.S. officials announced the approval of the new trans-Atlantic agreement on July 12, 2016, and made the final amended text of the Privacy Shield publicly available. The official text of the Privacy Shield remains largely based on the original text published in February 2016; however, it also provides more clarity with respect to certain principles and incorporates recommendations from EU bodies and institutions on legal redress mechanisms available to EU data subjects, data retention restrictions, and the role of the U.S. Ombudsman, among others. The following highlights some of the key revisions to the Privacy Shield:
Privacy Shield and the EEA. Provided it is approved by the European Economic Area ("EEA") Joint Committee, the Privacy Shield will also apply to personal data transferred from the EEA members Iceland, Liechtenstein, and Norway, in addition to all EU Member States. Notably, the Privacy Shield does not apply to data transfers from Switzerland. Switzerland has yet to adopt its own version of the Privacy Shield, as it did with the Safe Harbor, to legitimize personal data transferred to the United States.
Scope of Application. The revised text confirms that the Privacy Principles apply to both data controllers and data processors (i.e., agents). Moreover, data processors must be "contractually bound to act only on instruction" from the EU data controller and must assist the data controller in responding to individuals' requests to exercise their rights under the Privacy Shield (e.g., access requests).
The Privacy Shield is Not a Proxy for Compliance with the GDPR. The amended text clarifies that the Privacy Shield applies only to personal data transferred by EU data controllers or data processors to U.S. organizations certifying compliance with the Privacy Shield. It does not equate to compliance with EU legislation governing the processing of EU personal data within the European Union. In other words, Privacy Shield organizations must still assess whether they must also comply with the EU General Data Protection Regulation ("GDPR"), which comes into effect on May 25, 2018. Any Privacy Shield organization subject to the GDPR must also meet its broader requirements.
Privacy Shield Principles Revamped. The revised text of the Privacy Shield maintains the requirement that participating organizations commit to seven core Privacy Principles and 16 supplemental Principles. However, the final amended text revamps and elaborates upon a number of the core Privacy Shield Principles, largely in response to criticism with respect to the lack of clarity in the original text.
- Data Integrity and Purpose Limitation Principle: This Principle requires organizations to ensure that data is accurate, complete, and current and that it is processed in a way that is compatible with the purpose(s) for which it was originally collected or subsequently authorized by data subjects. Under the Privacy Shield, organizations may retain personal data only for as long as it serves the purpose for which it was collected or subsequently authorized. Organizations may continue to process personal data for longer periods, but only for limited enumerated purposes such as archiving or journalism, among others. The language is largely consistent with the GDPR and may have a significant impact on companies seeking to retain data for analytics purposes.
- Access Principle: The EU Commission's adequacy decision identifies certain U.S. federal laws covering specific sectors or data—such as mortgage offers, credit lending, and employment—that provide protection against automated decisions that have an adverse effect on data subjects; however, the decision recognizes that there is an increased use of automated decisions and profiling not currently covered by U.S. law. The United States and the European Union have agreed to engage in continued dialogue on the similarities and differences in the EU and U.S. approach to automated decisions as part of the Privacy Shield annual reviews.
- Accountability for Onward Transfer Principle: Under the Onward Transfer Principle, participating organizations can engage in onward transfers only if a contract with the third-party recipient is in place that requires the same level of protection guaranteed by the Privacy Principles. Data subjects also must be given notice of the transfer, and if the recipient is a third-party data controller, the subject can opt out of the transfer (or, in the case of sensitive data, must provide affirmative consent to the transfer). However, EU officials expressed concern that this Principle lacked clear guidance on verifying whether third-party recipients were adequately safeguarding data. The revised text now clarifies that the contract with the third-party recipient must require the recipient to notify the Privacy Shield organization when it can no longer meet its protection obligations. Specifically, contracts with a third-party controller must provide that the third party will either cease processing or take other reasonable and appropriate steps to remedy the situation. Conversely, if the contract is with a third-party processor (i.e., agent), it is the Privacy Shield organization that must take these measures. The Privacy Shield organization remains potentially liable for the actions of its processors (and subprocessors) unless it can demonstrate that it is not responsible for the damage caused.
Department of Commerce Increased Oversight. The new text of the Privacy Shield also reinforces the U.S. Department of Commerce's critical oversight role, as it is tasked with: (i) maintaining and making publicly available a list of organizations participating in the Privacy Shield; (ii) systematically verifying that such organizations comply with the Privacy Principles; and (iii) removing those that have left the Privacy Shield either voluntarily or due to lack of compliance. The Department of Commerce will continue to monitor organizations that have withdrawn, verifying that they have not only ceased all representations regarding Privacy Shield certification but also have returned or deleted all personal data processed under the framework, or otherwise continue to apply the Principles to such previously collected data.
In addition, the Department of Commerce will, on an ongoing basis, conduct ex officio compliance reviews of self-certified organizations by asking them to respond to detailed questionnaires, and will also do so when there are specific complaints or credible evidence of noncompliance. This includes, for example, verifying that organizations have registered with independent dispute resolution bodies so that data subjects have access to recourse for potential noncompliance.
Redress, Enforcement, and Liability. The new text of the Privacy Shield was revised to provide clarity and further explanation on the recourse options available to EU data subjects, including a suggested "logical order" or sequence that data subjects can follow when pursuing available redress mechanisms. However, the revised text maintains the redress mechanisms established in the original draft text: individuals can still lodge a complaint directly with a self-certified organization, with an independent dispute resolution body designated by an organization, with a national data protection authority, or with an applicable U.S. regulator (e.g., the Federal Trade Commission). As a method of last resort, individuals can also invoke binding arbitration by the "Privacy Shield Panel," a pool of potential arbitrators designated by the Department of Commerce and the European Commission. Detailed discussion of the recourse options can be found here.
Access and Use by U.S. Intelligence and the Role of the Ombudsman. The most significant revisions to the Privacy Shield affect the issue of U.S. government access to European data.
The revised text includes additional assurances provided by the U.S. Office of the Director of National Intelligence ("ODNI"), which make explicit that intelligence collection should be "as tailored as feasible," and that the U.S. intelligence community should prioritize the availability of other alternatives over bulk collection. Moreover, according to the ODNI's assurances, bulk collection will be an exception and will be accompanied by additional safeguards, such as focusing collection on "specific, legitimate national security purposes" and using filters and other technical tools to limit data collection. On the basis of these assurances, the EU Commission asserts that the additional restrictions imposed on access to EU personal data conform to the standards set forth in the ECJ's Schrems decision and the EU Charter of Fundamental Rights.
Ombudsman. The amended text of the Privacy Shield now clarifies the independence of the Ombudsman to investigate claims and remedy noncompliance free from influence by the U.S. intelligence community. The Ombudsman was designed to provide EU citizens with another recourse mechanism to voice their concerns over the U.S. government's commitment to limit its access to EU personal data. Under the revised text, the Ombudsman will rely on independent bodies to investigate surveillance complaints and to ensure that requests are processed and resolved in accordance with the law.
Brexit and the Privacy Shield
It is not clear whether, and to what extent, the Privacy Shield will remain in force in the United Kingdom in light of the country's recent decision to withdraw from the European Union. The United Kingdom is not expected to leave the European Union until at least May 2018, and to do so, it will need to invoke Article 50 of the Treaty on European Union, which commences withdrawal proceedings. Until then, organizations can rely on the Privacy Shield to transfer data from the United Kingdom to the United States. Whether organizations can continue to use the Privacy Shield once the United Kingdom formally severs its EU membership will largely depend on the details of the United Kingdom's relationship with the European Union. The United Kingdom could, for example, remain inside the EEA, in which case data transfers under the Privacy Shield could continue to flow from the United Kingdom to the United States. If it leaves under different arrangements, it would need to agree appropriate bilateral arrangements. Transfers of UK personal data to the United States under the Privacy Shield after Brexit will remain uncertain until the United Kingdom's overall relationship with the European Union is resolved.
What this Means for Business
Businesses will now have to evaluate the revamped Privacy Shield and assess whether compliance with the new framework is the best, and most practical, option for accessing EU personal data in the United States. Following the invalidation of the Safe Harbor, many businesses that previously relied on the defunct framework invested considerable time and resources to comply with alternative data-transfer mechanisms, including standard contractual clauses or Binding Corporate Rules. Businesses using these alternative mechanisms must consider whether it makes good business sense to move to a "Safe Harbor 2.0," including revising their privacy policies and third-party data-transfer agreements to meet the Privacy Shield Principles.
For companies eager to certify compliance, there is a nine-month "grace period" for those organizations that self-certify within the two months following the Privacy Shield's effective date in order to modify existing contractual arrangements with third parties and bring them into "conformity with the accountability for onward transfer principle." Organizations must still, however, apply the Notice and Choice Privacy Principles and ensure that third-party recipients can provide the same level of protection guaranteed by the Privacy Principles.
Organizations that maintained their Safe Harbor certification may find the transition to the Privacy Shield easier. The self-certification process is reminiscent of the Safe Harbor program, and given the overlap between the Safe Harbor and Privacy Shield principles, organizations previously Safe Harbor-certified may find the compliance requirements familiar, albeit more stringent. Still, even those organizations certifying compliance with the Privacy Shield within the first two months must be prepared to engage in expeditious negotiations with service providers to revise their data processing agreements in conformance with the Privacy Shield Principles. Those organizations failing to do so within the prescribed nine-month grace period may find themselves the first subjects of FTC enforcement and corresponding penalties.
The Article 29 Working Party is expected to weigh in on the Privacy Shield's amended text on July 25, 2016. Although its opinion is nonbinding, it will provide key insight into whether Europe's data protection authorities view the Privacy Shield as a robust data-transfer mechanism. Businesses considering the Privacy Shield also should expect privacy advocates and others to challenge the legality and viability of the Privacy Shield in court. In particular, it remains to be seen whether the additional assurances on bulk collection and access by U.S. intelligence agencies will satisfy EU courts. Other methods for transferring personal data across the Atlantic are also facing legal scrutiny. In late May 2016, the Irish Data Protection Commissioner said that it planned to ask the national courts to request a preliminary ruling from the ECJ on the validity of the standard contractual clauses used by Facebook and countless other companies to transfer personal data outside the European Union. An adverse decision from the ECJ may have a reverberating impact on the Privacy Shield and on cross-border data flows generally.
Although there will likely be challenges, the approval of the Privacy Shield signals the end—at least for now—of a long period of uncertainty for the business community. Companies will now have another alternative to legally transfer EU personal data to the United States, in addition to standard contractual clauses and Binding Corporate Rules.