On 29 February 2016 the European Commission issued the legal texts of the EU-U.S Privacy Shield which aims to replace the defunct EU-U.S Safe Harbor Framework as a legitimate mechanism for transferring personal data from the EU to the U.S.
In contrast to its predecessor, the Privacy Shield contains commitments from US government in relation to controls on access to personal data by public authorities. This is an aspect of the new scheme which aims to address the jurisprudence of the Court of Justice of the European Union and criticisms of the previous Safe Harbor Framework.
The new arrangements will include the following elements:
- Stronger obligations on companies and robuster enforcement
- Privacy Principles – organisations wishing to make use of the Privacy Shield must self-certify their commitment to and compliance with a set of Privacy Principles. The principles are similar to those previously found under Safe Harbor (although in many cases they are more enhanced) and include principles relating to: providing individuals with notice about data processing; providing choice about data being disclosed to third parties, used for new purposes, the collection of sensitive data and being subject to direct marketing; requirements to implement security measures to protect data and have in place contracts with sub-processors; limitation and integrity obligations which require that only data which is necessary for the purpose it is collected for is processed and that such data is kept accurate and current for its intended use; access rights of data subjects to their data for a non-excessive fee and rights for individuals to have data amended or deleted where it is inaccurate or processed in violation of the principles; accountability for onwards transfers (see further information in relation to this below); and principles which subject organisations to recourse, enforcement and liability and result in obligations to annually certify compliance with the principles and ensure ongoing compliance.
- Greater transparency – including a public register of companies that have self-certified compliance with the principles of the Privacy Shield, a Department of Commerce (“DoC“) maintained list of companies removed from the register and reasons for removal and links to FTC decided cases relating to the Privacy Shield. In addition, company privacy policies will need to contain links to the official Privacy Shield website and to an independent complaints mechanism that the company is subject to.
- Oversight mechanisms to ensure companies abide by Privacy Shield rules – for example, the DoC will monitor false claims of Privacy Shield participation (e.g. through actively checking whether organisations that leave the scheme have removed statements about their participation in the Privacy Shield from their privacy policies and that such companies continue to adhere to the principles as long as they process personal data received under the Privacy Shield), EU data protection authorities (“DPAs“) will have a single point of contact at the DoC to refer organisations to for review and the DoC and Federal Trade Commission (“FTC“) will provide certain investigatory assistance to DPAs.
- Sanctions or exclusion of companies if they do not comply – including companies being subject to independent dispute resolution procedures, administrative orders brought by the FTC and the imposition of “individual-specific, non-monetary equitable relief” by the Privacy Shield Panel (a new recourse mechanism of last resource – see further information below).
- Tightened conditions for onwards transfers – transfers of personal data from Privacy Shield registered entities to other organisations must only take place for limited and specified purposes, on the basis of a contract (or comparable arrangement within a corporate group) and only if the contract provides for the same level of protection as provided by the Privacy Shield.
- Clear safeguards and transparency obligations
- Written assurances from the U.S. that any access to data by public authorities will be subject to clear limitations, safeguards and oversight mechanism – the U.S government, through the Department of Justice and the Office of the Director of National Intelligence, has provided the EU with written representations and assurances that access by public authorities for law enforcement, national security and other public interest purposes will be subject to clear limitations, safeguards and oversight mechanisms.
- No indiscriminate surveillance – the U.S. government has given the European Commission explicit assurances that the U.S. Intelligence Community “does not engage in indiscriminate surveillance of anyone, including EU citizens”.
- New redress possibility through EU – U.S. Privacy Shield Ombudsperson – the U.S. will establish a new redress mechanism through an Ombudsperson who will be tasked with following-up complaints and enquiries from EU individuals with regard to national security access.
- Several Redress Possibilities
- Direct with the company – companies must reply to complaints from individuals within 45 days.
- Alternative dispute resolution – companies must make available and submit to a free of charge, independent alternative dispute resolution procedure.
- With Data Protection Authorities – DPAs will work with the DoC and FTC to ensure unresolved complaints from EU citizens are addressed. Companies will be obliged to comply with the decisions of DPAs where they handle human resource data from the EU.
- Privacy Shield Panel – if the other redress mechanisms fail, individuals may invoke binding arbitration by the “Privacy Shield Panel” (a panel made up of privacy specialist arbitrators selected by the DoC and the EU Commission).
- Annual Joint Review Mechanism – the European Commission and the DoC will conduct an annual review of the functioning of the Privacy Shield, including review of the access to data for law enforcement and national security purposes. Based on the annual review the Commission will publish an annual report. The Commission will also hold an annual privacy summit with interested NGOs and stakeholders to discuss the development of US privacy law and its impact on Europeans.
While the Commission is encouraging companies to begin preparation for joining the new framework, this may be an early call. Further work and analysis will be required for companies to decide if the new Privacy Shield is a suitable data transfer method for them when compared to alternative mechanisms (such as the EU Standard Contractual Clauses).
While similar to the previous Safe Harbor Framework, the Privacy Shield requires a more comprehensive compliance program to implement and maintain. It also creates significant consequences for failure to adhere to its principles. Joining the Privacy Shield should therefore not be undertaken lightly.
In addition, the published text has no legal effect until further approval is gained from relevant EU institutions. Reliance on the Privacy Shield is also further complicated by the possibility that privacy activists may launch court action against the scheme which may in turn undermine businesses confidence in the proposals.
In terms of timing, the EU the Privacy Shield text will now be put before representatives of the Member States and the Article 29 Working Party (the representative body of data protection authorities in the EU) before being finalised. The U.S. is now expected to begin preparation for the framework, monitoring mechanisms and the new Ombudsperson. No definitive timeframe has been provided for the Privacy Shield to come into force, however, expectation is that it will be available for use in the next few months.
You can read the official communication from the EU Commission regarding the Privacy Shield here.