The much-anticipated documentation for the EU-U.S. Privacy Shield, a new framework on transatlantic data flows, was published by the European Commission on February 29, 2016. The framework now will undergo a process of review and approval, including by the EU’s Article 29 Working Party, which is due to finish its review by the end of March 2016. If approved, it will take effect after an implementation period, during which all companies that wish to use the Privacy Shield as a basis for data transfers will have to certify in accordance with the new framework.
This framework is significantly different from its Safe Harbor predecessor in the detail of the principles, oversight and redress mechanisms, more closely approximating Directive 95/46. Indeed, in some respects, such as the right of access or sectoral data (for example, data of airlines or ticket agents or from pharmaceutical companies), the Privacy Shield spells out in much greater detail how data protection principles apply. Companies that subscribe to the framework will need to adapt their privacy policies and practices, and put in place significant compliance mechanisms.
In brief, such companies will be required to accept the following new requirements beyond those in the now invalidated Safe Harbor:
- enhanced notice provisions, including, for example, the requirement to include a link to the Privacy Shield List and the independent recourse mechanism on its website;
- a requirement to enter into a contract with a third-party controller to which personal data is disclosed and retain liability for the onward transfer;
- the provision of independent recourse mechanisms at no cost to the individual; where processing HR data of EU individuals, a participating U.S. company must commit to cooperate with the European Data Protection Authorities (DPAs);
- retain records on the implementation of the Privacy Shield privacy practices and make them available on request; and
- compliance with individuals’ right of access to information that more closely resemble those in the EU.
Companies that were previously members of the Safe Harbor framework wanting to join the Privacy Shield framework will need to sign up again (i.e., there will be no transition arrangements). Companies relying on Binding Corporate Rules or standard contractual clauses may continue to use them, though EU individuals will have some additional redress rights even under those mechanisms (via new Privacy Shield Ombudsperson).
The EU-U.S. Privacy Shield agreement, announced in general terms by the European Commission on February 2, 2016, is intended to replace and strengthen the former U.S.-EU Safe Harbor framework. The prior framework was effectively invalidated by the Court of Justice of the European Union (CJEU) in the Schrems case on October 6, 2015. The Privacy Shield has been described by President Obama (at the signing of the Judicial Redress Act on February 24, 2016) as “a landmark new agreement … which provides tough new protections to safeguard consumer data, and … certainty to thousands of businesses representing hundreds of billions of dollars in trade.” Commissioner Jourová, in a press release, described the Privacy Shield as “a strong new framework, based on robust enforcement and monitoring, easier redress for individuals and, for the first time, written assurance from our U.S. partners on the limitations and safeguards regarding access to data by public authorities on national security grounds.”
Against the backdrop of the underlying strength and breadth of changes in the U.S. privacy and data protection landscape since 2000, as detailed in our Essentially Equivalent report, the additional, newly strengthened principles and enforcement, oversight and redress measures described below make for a higher level of protection under the Privacy Shield than under the original Safe Harbor.
Before it becomes final, this framework will undergo required review by the Article 29 Working Party (which is due to finish its review by the end of March 2016 and is likely to publish its opinion in mid-April), the European Data Protection Supervisor and the Article 31 Committee of Member States. In addition to the required reviews, the Commission has committed to consult with the European Parliament. The framework also requires approval by a “qualified majority” of the Member States in the Council of the European Union, i.e., at least 55 percent of the member states representing at least 65 percent of the EU population.
The reviews (other than by the Council) are non-binding, but the Working Party opinion will be significant for two reasons. In the near term, the DPAs’ opinion will shape the posture of data protection authorities with regard to the legal basis for transatlantic data transfers while the Privacy Shield awaits approval and entry into force. In the longer term, the opinion will matter, given the DPAs’ enhanced authority under the Schrems judgment to review international data transfers and the near-certainty that an eventual Commission adequacy determination on the Privacy Shield will face legal challenge.
Documentation by the Parties
The documentation for the EU-U.S. Privacy Shield is structured in three parts: (1) a Commission Communication to the European Parliament and Council entitled “Restoring Trust Through Strong Safeguards,” explaining the need and the basis for the framework, as well as the Umbrella Agreement on data-sharing among law enforcement authorities; (2) a draft adequacy decision by the Commission on the Privacy Shield; and (3) an extensive set of documents furnished by the U.S. government that furnish the basis for the Commission’s adequacy decision.
The draft adequacy decision from the Commission establishes that the U.S. ensures an adequate level of protection for personal data transferred under the EU-U.S. Privacy Shield from the EU to participating companies in the U.S. In particular, the Commission considers that the privacy principles (i.e., the principles to which participating companies must commit) “ensure a level of protection of personal data that is essentially equivalent to the one guaranteed by the basic principles laid down in Directive 95/46.”
In contrast to the three-page Safe Harbor decision invalidated by the CJEU, this draft decision runs 34 pages. Fully half of these focus on the issue of access by public authorities that was so central to complaints against Safe Harbor, setting out in sophisticated detail the scope of such access and the safeguards against infringement of the rights of EU individuals whose data is transferred to the U.S. pursuant to the Privacy Shield. On the basis of its own review, in addition to the representations by U.S. agencies, the draft decision concludes that such access is “limited to the extent necessary to meet national security or law enforcement requirements” and it provides sufficient remedies and oversight.
The documents furnished by the U.S. government consist of:
- the Privacy Principles and “Supplemental Principles” to which companies participating in the Privacy Shield must certify compliance;
- commitments (to be published in the U.S. Federal Register within 30 days of the final approval of the adequacy decision) from the heads of the U.S. Commerce Department (Secretary Pritzker and Under Secretary Selig), Department of Transportation (which regulates air carriers and ticket agents) (Secretary Foxx), Department of State (Secretary Kerry) and Federal Trade Commission (Chairwoman Ramirez) with regard to enforcement and implementation of the framework, including an expanded role and resources for the Commerce Department in oversight and administration of the framework and a new Ombudsperson at the State Department to address complaints regarding surveillance; and
- letters from the U.S. Office of the Director of National Intelligence (ODNI) and the U.S. Department of Justice to the U.S. Department of Commerce that describe the limitations and safeguards applicable to U.S. government access. The framework leaves the door open to “other U.S. statutory bodies … in the future.”
The Privacy Shield has used the CJEU ruling as a “benchmark” to include a number of new elements and materially more stringent and detailed provisions as compared to the Safe Harbor framework, including:
The Principles – companies participating in the EU-U.S. Privacy Shield will have to commit to: (i) the notice principle (i.e., provision of information to individuals as to the U.S. company’s adherence to the Privacy Shield); (ii) the choice principle (i.e., the right for individuals to opt out to the disclosure of data to third-party controllers or to further processing or, in the case of sensitive information, to opt in); (iii) the security principle (i.e., the implementation of “reasonable and appropriate” security measures); (iv) the data integrity and purpose limitation principle; (v) the access principle (i.e., the right for individuals to obtain information from the U.S. company), which is elaborated in significant detail in the Supplemental Principles; (vi) the accountability for onward transfer principle (i.e., a requirement that, in the case of onward transfer to a third party, the third party will need to enter into a contract to comply with the same level of protection as the subscribing controller), also substantially amplified in the Supplemental Principles; and (vii) the recourse, enforcement and liability principle that details what forms of recourse mechanism and enforcement are available.
Several Avenues of Redress for EU Individuals – in the first instance, individuals can complain to the U.S. participating company. The company will have to respond to the complaint within 45 days. To the extent U.S. companies are handling HR data of EU individuals, they will also need to commit to comply with decisions from European DPAs. Other companies may voluntarily commit to submitting complaints to a panel of DPAs. An unresolved complaint can then be dealt with through an alternative dispute resolution procedure, in which all U.S. participating companies must take part, and which will be at no cost to the individual. An EU individual or a DPA can also refer a still-unresolved complaint to a specified team at the U.S. Department of Commerce, which must respond within 90 days, or to the Federal Trade Commission (FTC) where the Department of Commerce is unable to resolve the matter. The FTC is creating a standardized referral process to facilitate referrals, and commits to work closely with DPAs to provide enforcement assistance and prioritize complaints referred by DPAs, the Commerce Department or independent dispute resolution bodies. In addition, where DPAs have jurisdiction over the transferring company, they can take action. As a last resort, where a DPA does not have jurisdiction, individuals can refer complaints to a binding arbitration panel, the Privacy Shield Panel, which would ensure a binding and enforceable decision subject to judicial enforcement under the U.S. Federal Arbitration Act.
Under the newly-enacted Judicial Redress Act, EU citizens may also have the right to file litigation against U.S. agencies under the federal Privacy Act, provided that the Privacy Shield goes into effect.
Annual Joint Review and Enhanced Enforcement – an annual joint review will be conducted by the European Commission and the U.S. Department of Commerce, assisted by U.S. security and intelligence agencies, the Ombudsperson and European DPAs to look at all aspects of the framework, including access by public authorities. According to the Commission Communication, “this review will not be a formalistic exercise without consequences” and in the event the commitments are not met by the U.S., the Commission will activate the process to suspend the Privacy Shield. Based on the annual review (and other relevant sources of information, such as transparency reports from participating companies) an annual report will be published by the Commission. The Commission will also hold an annual privacy summit with interested non-governmental organizations and stakeholders to discuss broader developments in the area of U.S. privacy law and their impact on Europeans. This annual review process and the annual privacy summit are intended to reinforce enforcement of the commitments by companies and U.S. government agencies, and to meet the requirement of the CJEU in the Schrems judgment that the Commission take into account changes from time to time. They are, as clearly stated by the Commission, to raise infringements with the Department of Commerce in the first instance, and to suspend the framework if they are not addressed.
The activities of participating companies will be subject to more active supervision by the Department of Commerce, including “regular and rigorous monitoring,” such as verification of certifications and detailed questionnaires where, for example, the Department receives specific complaints. The Commerce Department has doubled the staff for the data transfer program, and commits to provide additional resources as necessary. The framework is subject to continued enforcement by the Department of Transportation or the FTC which may involve “severe sanctions” and removal of the participating U.S. company from the Privacy Shield List. Presumably, as under the old Safe Harbor, company statements submitted to the Commerce Department in support of their self-certification will be made subject to the criminal sanction of 18 USC 1001, which makes lying to the government a potential felony.
The Privacy Shield also enlarges the role of DPAs by involving them in annual reviews, encouraging companies to choose the DPAs as dispute resolution bodies, as well as preserving their authority over HR data and other issues within their jurisdiction.
Access by U.S. government – for the first time, the U.S. government (the ODNI) provides written assurances that access to personal data by U.S. public authorities for law enforcement, national security and other public interest purposes will be subject to clear limitations, safeguards and oversight mechanisms (such as the Ombudsperson mechanism), safeguarding against generalized access. The U.S. further assures that there is no indiscriminate or mass surveillance on the personal data transferred to the U.S. under the Privacy Shield. The letter from the ODNI responds to the give-and-take of issues and questions since the Commission’s 2013 review, which was referred to in the Schrems judgment, with some of the fullest discussion to date of the process of intelligence-gathering.
Ombudsperson – the letter from the U.S. Department of State reflects a commitment to designate the Under Secretary of State for Economic Growth, Energy, and the Environment (currently Cathy Novelli) as the independent Privacy Shield Ombudsperson with respect to individual complaints regarding possible access by national intelligence authorities. This undersecretary is independent of the intelligence community, and the letter outlines an interagency process to review complaints to the ombudsperson filtered through Member State bodies with oversight of national security services. This role builds on Undersecretary Novelli’s designation pursuant to Presidential Policy Directive 28 (PPD-28) as the senior official “to coordinate with the responsible departments and agencies the [USG’s] diplomatic and foreign policy efforts related to international information technology issues and [in particular in this context] to serve as a point of contact for foreign governments who wish to raise concerns regarding signals intelligence activities conducted by the [U.S.].” Similar to what EU bodies such as the Garante do, the Ombudsperson will not confirm or deny the fact of surveillance or disclose remedies, but can invoke various administrative remedies to address instances of abuse.
The role of the Privacy Shield Ombudsperson will extend beyond the Privacy Shield to encompass complaints relating to data transferred under other international data transfer solutions such as EU Standard Contractual Clauses, Binding Corporate Rules and other derogations under the current EU Data Protection Directive 95/46/EC and the proposed EU’s General Data Protection Regulation.
Transition Process – there will be no transition provisions for Safe Harbor certified companies to move to the new Privacy Shield framework. However, companies that self-certify to the Privacy Shield within two months of its commencement will be given a further nine months in which to ensure all recipients of data under the onward transfer provisions contractually agree to the principles.
The Path Forward
The Article 29 Working Party will now proceed with its detailed review of the Privacy Shield together with its review of the existing data transfer mechanisms of EU Standard Contractual Clauses and Binding Corporate Rules, which remain valid until the Working Party review is completed. An extraordinary plenary meeting of the Working Party will be held towards the end of March 2016, during which it will decide whether the EU-U.S. Privacy Shield meets the “four essential guarantees for intelligence activities” and respects the powers afforded to data protection authorities under the EU Data Protection Directive 95/46/EC. The Working Party is also expected to express its views as to the ongoing validity of EU Standard Contractual Clauses and Binding Corporate Rules.
Following the consultations and opinions described above, the EU Commission’s College of Commissioners may then adopt the Commission’s final adequacy decision in relation to the EU-U.S. Privacy Shield. U.S. companies wanting to participate in the EU-U.S. Privacy Shield will then have to register on the Department of Commerce website to be on the Privacy Shield List and self-certify (and re-certify annually) that they meet the requirements. Prior to being placed on the Privacy Shield List the self-certification will be verified by the Department of Commerce.
Companies that were previously Safe Harbor-certified should consider a gap analysis of the requirements under the Privacy Shield to ensure they can comply with the new obligations and revise privacy policies and practices to address new elements of the Privacy Shield. Companies that were not previously Safe Harbor-certified will need to undertake a similar analysis against their current policies and procedures. In addition, given the ongoing monitoring by the Department of Commerce, participating U.S. companies will need to actively monitor their own compliance with the Privacy Principles to ensure they do not face sanctions or removal from the Privacy Shield List.