Background

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU Member State. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company intended to transfer personal data from the EU to the U.S., it traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules.

The U.S.-EU Safe Harbor framework (“Safe Harbor”) was developed by the U.S. Department of Commerce in consultation with the EU Commission. Safe Harbor operated by allowing participating companies to pledge adherence to seven privacy principles and agree that the U.S. Federal Trade Commission (“FTC”) could investigate and enforce that adherence. In 2000, the EU Commission reviewed the seven principles and the FTC enforcement mechanism and determined that companies who certified their adherence to the framework met the Directive’s adequacy requirement. In October of 2015, however, the European Court of Justice (the “ECJ”) held that the Safe Harbor was invalid because it violated the Directive’s principles as well as EU fundamental rights. Following that decision, companies covered by the Safe Harbor could no longer rely upon it as a basis of adequacy.

In February of 2016, the European Commission (“EU Commission”) released the draft text of the EU-U.S. Privacy Shield Framework (“Privacy Shield”), which is designed to replace the invalidated Safe Harbor and govern the transfer of personal data between the EU and U.S. The Privacy Shield is designed to impose stronger obligations on U.S. organizations for protecting the personal data of EU individuals than were afforded under the Safe Harbor. In accordance with the Directive, the Article 29 Working Party (the “WP29”), an advisory body on data protection and privacy, reviewed the Privacy Shield and issued its opinion on April 13, with reservations in particular about the independence of the ombudsperson and possible massive and indiscriminate data collections in the event of specific risks (e.g., terrorism). On May 26, the European Parliament adopted a resolution on transatlantic data flows, calling on the EU Commission to “implement fully the recommendations expressed by the WP29.” The European Data Protection Supervisor issued its own opinion regarding the Privacy Shield on May 30, echoing many of the recommendations of the WP29. On June 29, the EU Commission sent an updated text version of the Privacy Shield to the Article 31 Committee — which includes representatives of the 28 Member States and the EU Commission — based on the changes recommended by the WP29. The EU Commission announced on July 8, 2016, that the Article 31 Committee approved the final version of the Privacy Shield. The Privacy Shield was formally approved by the EU Commission on Tuesday, July 12, 2016. The U.S. Department of Commerce will begin accepting certifications on August 1, 2016.

Privacy Shield Principles and Self-Certification

To benefit from the Privacy Shield, companies must annually self-certify to the U.S. Department of Commerce their compliance with the following Privacy Shield principles (“Privacy Shield Principles”):

  1. Notice – Inform individuals as to the company’s adherence to the Privacy Shield Principles.
  2. Choice – Provide individuals with the right to opt out of the disclosure of their personal data to third parties, or, in the case of sensitive data, to opt in.
  3. Accountability for Onward Transfer – Assume responsibility for disclosures of personal information to third parties, contractually require such third party’s compliance with the Privacy Shield Principles, and require the third party to notify the company if such third party determines it will be unable to comply.
  4. Security – Implement reasonable and appropriate data security measures.
  5. Data Integrity and Purpose Limitation – Limit the collection and retention of personal data to the disclosed purpose for collection and use of such personal data, and limit the length of time such data may be retained.
  6. Access – Provide individuals with the right to access, correct, or delete their personal data.
  7. Recourse, Enforcement, and Liability – Provide enforcement and recourse mechanisms for individuals affected by non-compliance with the Privacy Shield Principles.

Companies that adhere will be placed on the U.S. Department of Commerce’s publicly available list of Privacy Shield participants (“Privacy Shield List”). The U.S. Department of Commerce is required to maintain the Privacy Shield List based on the annual self-certification process, and update the Privacy Shield List based on re-certifications and its own proactive efforts to monitor companies’ compliance with the Privacy Shield Principles. Unlike companies using the Privacy Shield to transfer other types of data (e.g., consumer data), companies that seek to transfer employee data must additionally indicate their willingness to cooperate with the relevant EU data protection authorities and to provide the U.S. Department of Commerce with a copy of their human resources privacy policy.

Redress against U.S. Companies and Government Agencies: Binding Arbitration, Privacy Shield Ombudsperson, and Judicial Redress Act of 2015

In our initial discussion of the Privacy Shield, we asked whether there would be separate alternative dispute resolution mechanisms or if the U.S. Department of State’s (“DOS”) new “Privacy Shield Ombudsperson” would be the final arbiter of complaints, especially those regarding national security matters. We also questioned the interrelationship between the Privacy Shield’s internal redress rights and those provided under the Judicial Redress Act, which has since been enacted in the U.S. The Privacy Shield sheds new light on those questions, highlighting an array of options for EU citizens seeking redress.

First, the U.S. Department of Commerce has committed to adopt well-established arbitral procedures, such as those developed by the American Arbitration Association (“AAA”) or Judicial Arbitration and Mediation Services (“JAMS”) to handle claims before a “Privacy Shield Panel” composed of one or three arbitrators as agreed upon by the parties from a pool of at least 20 arbitrators designated by the U.S. Department of Commerce and EU Commission. The Privacy Shield Panel may only award “individual-specific, non-monetary equitable relief” (e.g., access, correction, deletion). Damages, costs, fees and other remedies may not be awarded, but an EU citizen can still bring claims for damages that are otherwise available by law. The Privacy Shield Panel may only hear “residual” claims, that is, those that remain at least partially unresolved following direct and/or alternative resolution attempts (e.g., ADR). Participating U.S. companies will be required to make annual contributions to an arbitration fund established by the U.S. Department of Commerce, and they will be bound by the Privacy Shield Panel’s decisions, subject to enforcement under the U.S. Federal Arbitration Act.

Second, the DOS has established the new role of Privacy Shield Ombudsperson to “facilitate the processing of requests relating to national security access to data” transferred from the EU to the U.S. The Ombudsperson will handle such requests under the Privacy Shield as well as those made pursuant to binding corporate rules, standard contractual clauses, and other lawful means of EU to U.S. data transfer (called “derogations”). Requests to the Ombudsperson will be made through the EU individual’s Member State’s body “competent for the oversight of national security services.” This procedure will not preclude individuals from requesting access to records under the U.S. Freedom of Information Act (“FOIA”) or alleging violations of law or other misconduct through the Inspectors General or Privacy and Civil Liberties offices within respective U.S. agencies. For the current administration, Secretary of State John Kerry has appointed Under Secretary of State Catherine A. Novelli, who is the Senior Coordinator for International Information Technology Diplomacy, as the Privacy Shield Ombudsperson.

Finally, President Barack Obama signed the Judicial Redress Act (“JRA”) into effect on February 24, 2016. The JRA allows non-U.S. individuals from countries designated by the U.S. Department of Justice to seek redress under the U.S. Privacy Act of 1974. The Privacy Act allows an individual to request Government-held data, with remedies ranging from those equitable in nature (e.g., access, correction, amendment) to civil damages and attorney’s fees to criminal fines and penalties.

Taken together, these redress mechanisms represent a significant departure from past methods available to EU individuals. Once the Privacy Shield framework is fully developed and JRA country designations are made, EU individuals may seek redress against U.S. companies or Government agencies through one or more robust procedures with a fair guarantee that their rights are essentially equivalent to those they enjoy in their own countries.

Human Resources Data

The Privacy Shield contains separate rules for companies transferring individually identified or identifiable human resources data. These companies must cooperate with the respective EU Member States to ensure compliance with local labor laws related to such human resources data. While these companies will still have to comply with the Privacy Shield’s notice and choice principles, they may be exempt from the access obligations in certain circumstances, such as employee security investigations, employee monitoring, or where access may prejudice “sound management.” These companies may also be exempt from the access obligations when transferring employee data to a third party for employment-related operational needs of the company, such as travel booking or insurance coverage for a small number of employees. The company must provide the U.S. Department of Commerce with a copy of its privacy policy relevant to human resources data and a location where the privacy policy is available for viewing by employees.

Impact on Companies

The Privacy Shield offers new potential for global companies to conduct transatlantic business involving personal data transfers. If a company decides to self-certify under the Privacy Shield, the company should immediately begin to educate relevant stakeholders within the company on Privacy Shield compliance. Companies looking to take advantage of the Privacy Shield should determine if they need to adjust their privacy practices and make updates to their privacy policies to meet the new standards. The Principles will apply to companies immediately upon self-certification with the U.S. Department of Commerce. Companies that self-certify within the next two months will have nine months to bring pre-existing third-party commercial relationships into compliance with the Privacy Shield Principles. However, during this time period, companies must continue to comply with all other Principles, including the Notice and Choice Principles (e.g., creating a mechanism for EU citizens to opt out of data processing).

U.S. and EU representatives have stated that the Privacy Shield will withstand a challenge in the ECJ. However, some data protection authorities still harbor doubts that, in the event of a new challenge, the Privacy Shield can pass the test set forth when the ECJ invalidated Safe Harbor.