The final text of the much anticipated EU-US Privacy Shield has been sent by the European Commission for review and approval to the Article 31 Committee, which includes representatives from all 28 Member States. Approval by the Article 31 Committee will pave the way for a final decision by the Commission adopting the Privacy Shield, expected on 11 July, 2016. If approved, the Privacy Shield will take effect as soon as the US Department of Commerce establishes a new process for US companies that wish to use the Privacy Shield as a legal basis for data transfers of personal data from the EU to certify in accordance with the new framework. Businesses should examine the final Privacy Shield documents and requirements and determine whether to proceed with certification once the Privacy Shield is approved.
On 6 October, 2015, the Court of Justice of the European Union (“CJEU”) deemed the EU-US Safe Harbor invalid in the Schrems case. As part of the rationale for the decision, the CJEU noted a 2013 report by the European Commission that criticized the Safe Harbor framework and set out a list of 13 points that needed to be addressed to strengthen the framework. Since the court judgement, representatives from the EU and the US have intensified negotiation of a new framework to permit the safe transfer of personal data from the EU to the US in accordance with EU data protection law. On 29 February, 2016 European Commission announced a new “Privacy Shield” framework and released text, including a draft decision. President Obama heralded this as a “landmark new agreement” and Commissioner Jourovà hailed it as a step forward towards a “strong new framework” for ensuring that the appropriate safeguards are in place when transferring data from the EU to the US.
The text has since undergone intense scrutiny from the Article 29 Working Party, the European Parliament, and the European Data Protection Supervisor, who all agreed that Privacy Shield is a step in the right direction but recommended a number of improvements.
The EU and the US have continued negotiations to iron out these further issues. In particular they have discussed issues concerning safeguards against alleged mass and indiscriminate government surveillance of European data subjects’ personal data, the powers of the new Ombudsperson, data retention, and the complexity of legal redress mechanisms and bulk data collection by national intelligence agencies, among others. The final text recently distributed to the Article 31 Committee is a revised version of the Privacy Shield text published in February.
This revised Privacy Shield sets a new standard for international data transfers. Although it undoubtedly will face a legal challenge, the conclusion of negotiations and final approval nevertheless bring some degree of certainty to a EU data protection landscape that is layered with uncertainty.
Updates to the Privacy Shield Text
Some of the revisions and clarifications to the draft Privacy Shield text include:
- Privacy Shield applies to processors as well as controllers. The updated text confirms that the Principles and Supplementary Principles that make up the Privacy Shield framework will apply to both data controllers and data processors. It further states that processors will have to be contractually bound to act on the instructions given to them by an EU controller and assist an EU controller in responding to data subjects exercising their rights under the Privacy Shield.
- Privacy Shield does not affect processing in the EU, only data transferred to the US. The Privacy Shield applies to transfers from a controller or processor in the EU to US organisations that have self-certified their adherence to the Principles of the Privacy Shield. Such organisations will have to comply with the Privacy Shield Principles when processing personal data of European data subjects. The Privacy Shield does not effect the application of European Union legislation (such as the GDPR) that governs the processing of personal data in Member States. Accordingly, companies certifying to the Privacy Shield cannot use it as a proxy for compliance with the GDPR, and must still assess their potentially broader GDPR obligations.
- Privacy Shield is effective on certification except for a narrowly drawn transition period. The Principles of the Privacy Shield apply immediately upon self-certification with the Department of Commerce. There is one exception to this general rule: organisations will have a nine month transition period from self-certification (assuming self-certification takes place within the first two months of the Privacy Shield becoming effective) to conform existing commercial relationships with third parties with the rules applicable under the Accoubntability and Onward Transfer Principle. During this interim period, organisations must apply the Notice and Choice Principles and shall ensure that where personal data is transferred to a third party agent, such agent provides the same level of protection that is required under the Principles. This transition period allowing organisations to get their onward transfer provisions in place allows for “a reasonable and appropriate balance between the respect for fundamental rights and the legitimate needs of businesses to have sufficient time to adapt …”.
- Privacy Shield may apply to all countries in the EEA. The revised text proposed to increase the scope of the Privacy Shield to apply not only to just EU Member States but also to those States which are not in the EU but are in the EEA (i.e. Norway, Liechtenstein and Iceland). In a footnote, the text states that “The EEA Joint Committees has to decide on the incorporation of the present decision into the EEA Agreement.”
- Privacy Shield Principles have been expanded. Some of the Privacy Shield Principles have been substantially rewritten. The Data Integrity and Purpose Limitation Principle has been expanded to include additional language on data retention and compatible use, with compatible use language being largely consistent with the GDPR. As such, among other issues, companies considering the Privacy Shield will have to take a hard look at the potential impacts of the new regime on big data analytics and secondary uses of personal data. The Access Principle takes note of US laws that provide access, correction, and redress for credit or mortgage denials but notes that other automated processing decisions are not expressly covered by US law. Continued dialogue is planned on the topic of automated decision-making, focusing on similarities and differences between the US and EU approaches. The text also adds language to the Accountability for Onward Transfer Principle to include a requirement to notify where a third-party recipient is unable to provide the same level of protection as is required under the Privacy Shield Principles. This is intended to ensure that requirements cannot be circumvented by transferring processing to a third party.
- The US Department of Commerce’s oversight role has been further clarified. The Department of Commerce will have an increased role in the oversight of the Privacy Shield. Its responsibilities will include maintaining the self-certification list, making this list publically available, and on an on-going basis conducting ex officio compliance reviews of self-certified organisations. These compliance reviews shall occur through detailed questionnaires, as well as reviews where the Department receives specific complaints or there is otherwise evidence of non-compliance.
- Expanded explanations of the redress mechanisms. The explanation of redress mechanisms have been rewritten to provide a fuller description of the redress mechanisms available to data subjects. The new text also provides a roadmap, indicating how the redress mechanisms work together and in which order such mechanisms should be used. The draft Commission decision describes the roadmap providing “data subjects with a number of possibilities to enforce their rights” and lays them out in a “logical order that it is advisable to follow.”
- Expansion of access by intelligence services. The revised draft decision contains additional language that puts greater emphasis on the US laws, orders, and procedures that govern surveillance measures that may be taken by intelligence agencies. The language is more specific about the scope of foreign intelligence surveillance and confirms that any intelligence surveillance shall be targeted to that scope. In addition, paragraphs have been added that state that collecting foreign intelligence information “is a legitimate policy objective” under EU law, citing CJEU and ECtHR decisions. Further, the decision clarifies, based on additional information from the US Office of the Director of National Intelligence, that bulk collection will only be authorised in exceptional circumstances where targeted collection is not feasible, will be accompanied by additional safeguards to minimise the amount of data collected and subsequent access which will have to be targeted and only allowed for specific purposes.
- Further clarity on the role of the Ombudsperson. To ensure independent oversight of the Privacy Shield, the Annex from the US State Department provides additional clarification that the Ombudsperson will be independent from the Intelligence Community. In addition, the role of the Secretary of State in monitoring the Ombudsperson is enhanced and clarified, ensuring that the Ombudsperson will carry out its role objectively and without improper influence. The revised Privacy Shield also includes further description of how the Ombudsperson will deal with complaints, as well as how it will cooperate with independent oversight bodies.
The Path Forward:
The revised text is currently being reviewed by the Article 31 Committee, which must approve the text by a “qualified majority,” i.e. at least 55% of Member States representing at least 65% of the EU population. The European Commission is keen to receive approval from the Article 31 Committee as soon as possible and is expected to issue a final decision by 8 July, 2016. The Privacy Shield is then anticipated to be formally adopted by Commissioner Jourová and US Commerce Secretary Pritzker on 11 July, 2016.
Following the tumultuous months since the Schrems decision, and particularly with recent enforcement actions by German data protection authorities and discussions around the adequacy of Standard Contractual Clauses, approval of the Privacy Shield is expected to help alleviate much of the uncertainty surrounding transatlantic transfers. The new Privacy Shield will be welcomed by many of the companies that transfer personal data from the EU to the US and that will, very soon, finally have a Safe Harbor replacement to build upon. Nevertheless, it is almost certain that the Privacy Shield will face a legal challenge that will end up in the CJEU in the next year or two. With a similar challenge to standard contractual clauses moving forward in Ireland, uncertainty about international data transfers and changes in data protection law make uncertainty a fact of life in EU data protection for the foreseeable future.