The European Commission and the U.S. Department of Commerce have agreed on a new draft of the Privacy Shield agreement (Shield v 2.0). The documents that form the Privacy Shield v 2.0 are an updated version of those that were published in late February 2016, and were subsequently criticized by the Article 29 Working Party, the European Data Protection Supervisor, and the European Parliament, preventing their ultimate adoption. The Shield v 2.0 clarifies numerous issues, and introduces some additional requirements.
The primary changes are found in the Draft Commission Implementing Decision Regarding the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield (the Decision). Among other things, the Decision indicates that certified companies will be required to obligate recipients of personal data from a Privacy Shield-certified company to notify the latter if the recipient can no longer provide the same level of protection as required by the Privacy Shield Principles (Principles). Certified companies must also require their subcontractors and service providers to delete or de-identify personal data when no longer needed for the identified processing or compatible purposes.
Scope of Application
The updated Decision clarifies that the Principles will apply solely to the processing of personal data by a U.S. organization insofar as the processing by such organization does not fall within the scope of EU legislation.
Updated Analysis of the Privacy Principles
The updated Decision states that organizations will have to ensure that personal data is reliable for its intended use, accurate, complete, and current. Special rules will apply to the use of personal data for direct marketing purposes, to allow individuals to opt-out at any time. Regarding cross-border transfers, the Decision stresses that the obligation to provide the same level of protection must apply to all parties involved in the processing of the data, irrespective of their location, when the original recipient itself transfers that data to a third party, for example a subprocessor.
Recourse, Enforcement, and Liability
The Decision clarifies that organizations that have failed to deal appropriately with complaints will be subject to the Federal Trade Commission, the Department of Transportation or another U.S. authorized statutory body. It provides a lengthy analysis and details the eight levels of redress and the escalation procedure that will be available to EU residents.
Increased Focus on Transparency and Oversight
The new measures include: (i) monitoring by the U.S. Department of Commerce of whether the self-certified organizations on the Privacy Shield list are current in their obligations, and (ii) if they are not current in their obligations, enforcing the return or deletion of the personal data that they received under the Privacy Shield.
Access by U.S. Public Authorities
The Decision clarifies that the EU Commission has determined that U.S. law contains a number of limitations on the access to, and use of, personal data transferred to the United States for national security purposes, and that sovereign and redress mechanisms provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse. It confirms that bulk collection will only be authorized exceptionally where targeted collection is not feasible, and will be accompanied by additional safeguards to minimize the amount of data collected and subsequent access (which will have to be targeted and only be allowed for specific purposes). The definition of “feasible” is left to practice.
After the July 8 vote of the Article 31 Committee (which consists of representatives of all the Member States and the Commission), the Privacy Shield v 2.0 is expected to be formally adopted by the Commission and signed by European Commissioner Jourová and U.S. Secretary of Commerce Penny Pritzker at the beginning of next week. The final documents will be published shortly thereafter.
For a detailed analysis of the July 2016 version of the Privacy Shield documents please see the authors’ article published on July 8, 2016, “EU-U.S. Privacy Shield v 2.0 Signed, Sealed, and Delivered.”