In October 2015, in the Schrems case, the Court of Justice of the European Union (“CJEU”) declared that the EU-US Safe Harbor data transfer pact, which allowed US companies to import European data into the US, was invalid, because the EU Commission had not properly determined that US data privacy protections were “adequate” to protect Europeans’ data as required by the EU Privacy Directive 95 (the “Directive”).
As previously reported here, on February 2, 2016, EU and US negotiators announced that they had reached an agreement for the Privacy Shield framework to replace the Safe Harbor, and address the concerns raised by the CJEU in Schrems. But officials did not issue any written documents embodying the framework at that time, promising them in “late February.”
Taking full advantage of leap day to meet that timeframe, on February 29, officialsannounced the release of the policy details. The Department of Commerce issued the long-awaited written Privacy Shield Principles (pdf), and the EU released a draft adequacy decision (pdf). the Commission is maintaining a Privacy Shield website and providing a quick reference guide about compliance in an Privacy Shield Fact Sheet and a Privacy Shield Q&A. Commerce also ha sposted a fact sheet.
This development could not have come sooner for US companies, considering that some EU member DPAs have begun enforcement actions against entities who had relied on Safe Harbor and continued conducting transatlantic data transfers after Schrems without implementing alternative adequate measures, such as Binding Corporate Rules or using model contracts.
Privacy Shield Principles
Similar to Safe Harbor, Privacy Shield is based on written privacy principles with which US organizations wishing to use the framework for data transfers must comply. Like Safe Harbor, the Privacy Shield principles are based on the seven OECD privacy principles. However, the Privacy Shield principles are more detailed and restrictive than Safe Harbor.
The Privacy Shield Principles are:
Privacy Shield will require more information be provided to consumers and data subjects in companies’ Privacy Notices, including a declaration that the organization adheres to the Privacy Shield Principles, notice of individuals’ rights to access their personal information, and identification of the independent dispute resolution body selected by the organization to address individuals’ complaints (free of charge to individuals).
Individuals will have the right to opt out of having their data shared with unaffiliated third parties, or used for purposes other than those for which the organization originally collected it. For sensitive data like health information and racial or political identifiers, individuals must affirmatively opt in to allow sharing and new use purposes.
- Accountability for Onward Transfer
To transfer personal data to a third party for the transferee’s own purposes, organizations must have a contractual relationship with the transferee that requires adherence to the Privacy Shield principles, and comply with the Notice and Choice Principles before making such transfer.
For transfers of data to a third party for processing as the agent of the organization, the organization is ultimately responsible for ensuring the agent complies with the Principles.
Organizations will need to implement data security processes in keeping with security industry best practices.
- Data Integrity and Purpose Limitation
Organizations should collect only that personal information necessary to accomplish the purposes of collection. Organizations should ensure that the data is reliable, accurate, current and complete for such purposes.
With few exceptions, individuals will have the right to access the personal information about them, and to delete, correct or amend that information.
- Recourse, Enforcement and Liability
This is the most significant change from Safe Harbor. Privacy Shield provides a multi-layered system for transparent and fair resolution of complaints from individuals that organizations are not operating in compliance with the Principles. Further, the FTC will retain Section 5 jurisdiction to investigate and enforce Privacy Shield, independent of these dispute resolution systems. The Recourse, Enforcement and Liability Principle puts great emphasis on the concept that dispute resolution, at each layer of the process, should be designed to fairly and transparently provide individuals with all remedies that they would be entitled to under applicable law, and to provide for corrective measures to ensure an organization’s future compliance with Privacy Shield. The consequences for repeat failures to abide by the commitment to Privacy Shield can include removal from the Privacy Shield list and even disgorgement of data collected from EU subjects and transferred to the US in reliance on Privacy Shield.
- Internal complaint handling
Organizations must commit to robust, fair and transparent internal procedures for resolving complaints. Internal complaints must be answered by organizations within 45 days.
- Redress: Independent dispute resolution bodies
Organizations must also designate an independent dispute resolution body for consumer complaints, at no cost to the individual, for redress of claims not resolved internally to the individual’s satisfaction. This requirement may be satisfied by voluntarily participation in review by a panel of EU DPAs and a commitment to abide by the “advice” of the DPA Panel with respect to dispute resolution. Alternatively, organizations may select a different, independent dispute resolution service or possibly even industry self-regulatory bodies may satisfy the “independent” dispute resolution requirement.
Companies that wish to transfer Human Resources data for processing into the US are required to submit to the DPA Panel system for resolution of disputes arising out of such transfers.
- Referral from EU Data Protection Authorities to Department of Commerce
Individual subjects will also have the right to complain to their local EU Data Protection Authority (“DPA”), which then may refer the complaints to the US Department of Commerce and FTC for investigation. The US agencies have committed to facilitate resolution of the complaints received in this manner.
- Binding Arbitration
If individuals are not satisfied by any of the above resolution procedures, subject to a few exceptions, they will have the right to invoke binding arbitration before 1 or 3 arbitrators from the Privacy Shield Panel, which will consist of at least 20 arbitrators appointed by the US Department of Commerce and EU Commission. The Privacy Shield Panel will have authority to implement all legal and equitable remedies available under applicable law.
Judicial Redress Act
Separate from Privacy Shield itself – but seen as necessary to get final EU approval of Privacy Shield – EU citizens have been for the first time granted rights to sue the United States under the Privacy Act if they assert the U.S. wrongly obtains their personal information in connection with law enforcement or national security. On February 24, President Obama signed into law the Judicial Redress Act, which updated the federal Privacy Act to allow foreign subjects to sue in courts of the United States for alleged privacy violations. This legislation was a prerequisite for the finalization of the EU-US Umbrella Agreement, which will apply to transatlantic transfers between US and EU governments of individuals’ personal data for law enforcement purposes. It was also widely viewed as necessary to help push through final implementation of Privacy Shield as the primary mechanism for legal importation by U.S. companies of personal data collected from EU subjects for commercial purposes. EU Commissioner Vera Jourova, lead EU negotiator for Privacy Shield, praised the enactment of the Judicial Redress Act in a statement.
Also in the Privacy Shield package released by the US, is a letter from Secretary of State John Kerry, in which Undersecretary of State Catherine Novelli (and a former VP at Apple) was named as the Ombudsperson, through whom EU member DPAs can submit complaints about US surveillance of EU subject data processed in the US. This “independent” ombudsman was a key provision required by EU negotiators.
Also similar to Safe Harbor, participating organizations will self-certify to the Department of Commerce that they will comply with Privacy Shield. Commerce has committed to more robust and exhaustive verification of the credibility of organizations’ self-certifications. The Department will maintain a public list of self-certifying companies, and also a list of companies that have lost certification status.
The US has also committed to expand efforts to ensure the legitimacy and credibility of the Privacy Shield in the market, including by:
- Following-up with removed companies to determine whether data collected pursuant to Privacy Shield is being adequately protected, or needs to be disgorged from the organization
- Taking action against companies falsely claiming to operate within the Privacy Shield.
- Conducting periodic ex officio compliance reviews and assessments of the program
- Maintaining a transparent and useful Privacy Shield website resource
- Participate in annual privacy summits with EU stakeholders to review Privacy Shield’s effectiveness
Next steps in the EU process
- EU’s Article 29 Working Party (“WP 29”) will review Privacy Shield, and must provide an opinion supporting the proposed adequacy determination for it to move forward. WP 29 will meet next on April 12-13, 2016, and has issued a statement saying that they will take up a draft opinion of their privacy committee at that meeting.
- The Article 31 Committee – under the EU’s more strict “examination procedure” of the “comitology” process – must provide an adequacy opinion;
- Then, the EU College of Commissioners must approve and officially adopt the decision. It is reported that the Commission wants Privacy Shield adopted by June 2016.
- Under EU legislative process, at any time, the full EU legislative body can act to scuttle Privacy Shield
On top of all this bureaucracy, even when officially adopted, Schrems demonstrates that the CJEU is the final authority on whether an “adequacy” determination is sufficient under the Directive. Indeed, Schrems, perhaps more than anything shows the independent power of the European DPAs. Even if Privacy Shield is finally approved by the EU Commission, individual DPAs who feel that the “adequacy” determination is wrong can act on their own against companies transferring data in reliance on Privacy Shield, setting up a legal case for the CJEU to rule on whether Privacy Shield is “adequate” under the Directive.
Digital privacy advocates have already spoken out against Privacy Shield, with Max Schrems calling it “lipstick on a pig.” EU Green Party leader and privacy advocate Jan Albrect more diplomatically complained that Privacy Shield represents mere “cosmetic changes” from Safe Harbor. Likewise, EU privacy activists at eDRI called it “the same unsafe harbour.”
What US companies should be doing now
Plan to implement robust internal dispute resolution processes. Organizations must commit to a robust dispute resolution process that will resolve complaints expeditiously and fairly, and must commit to the DPA cooperation process or designate an independent resolution body for complaints not resolved internally.
Plan to update your contracts. “Onward Transfers” – sharing EU subject data with third parties – are permissible only if pursuant to a contractual relationship providing the transferee will abide by the Principles. Privacy Shield organizations will remain primarily liable for enforcement concerning any privacy violations by a third-party transferee.