This article previously was published on Law360 on March 4, 2016.
On February 29, 2016, and after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its much-awaited draft Decision on the adequacy of the new EU–U.S. Privacy Shield framework, accompanied by information on how the framework will work in practice.
The Privacy Shield documentation is significantly more detailed than that associated with its predecessor, the EU-U.S. Safe Harbor, imposing more specific and exacting measures on U.S. organizations wishing to join the framework. It also includes additional checks and balances designed to make sure that the privacy rights of EU individuals can be exercised when their data is being processed in the United States. That said, the seven Privacy Shield Principles are largely aligned with the privacy practices followed by Safe Harbor participants and found in other global privacy compliance programs, and should not be an insurmountable burden for companies looking to shift from Safe Harbor compliance to Privacy Shield compliance.
As compared to the Safe Harbor, the changes in the Privacy Shield fall generally into one of three categories: (1) changes to the substantive Privacy Principles with which certifying organizations must comply; (2) changes to the administration and supervision of the framework; and (3) explication of limitations on U.S. government access to data transferred under the Privacy Shield. We summarize these changes, as well as the practical implications for companies seeking to certify to the Privacy Shield.
Changes to the Privacy Principles
As was the case under Safe Harbor, organizations that wish to use the Privacy Shield must self-certify compliance with a set of Privacy Principles via a filing to the U.S. Department of Commerce, signed by a corporate officer. Annual re-certification is required, as are follow-up procedures to verify compliance.
Conceptually, the seven high-level Privacy Principles generally remain unchanged from Safe Harbor. However, there are significant new obligations under some of the Principles.
The Notice principle under Safe Harbor merely stated that a participating organization was required to “inform individuals about the purposes for which it collects and uses information about them, how to contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers individuals for limiting its use and disclosure.” For the most part, certifying organizations complied with this requirement by describing these categories of information at a high level in their published Safe Harbor privacy policies.
The Notice principle under Privacy Shield is much more specific and in line with the requirements under the forthcoming EU General Data Protection Regulation (GDPR). In particular, this principle lists thirteen different details that participants must include in their published privacy policies, including (i) any relevant establishment in the EU that can respond to inquiries or complaints, (ii) the independent dispute resolution body designated to address complaints, a hyperlink to the complaint submission form of that dispute resolution body, and the possibility, under certain circumstances, for EU individuals to invoke additional binding arbitration; and (iii) the possibility that the organization may be held liable for unlawful transfer of personal data to third parties.
Organizations wishing to convert their Safe Harbor certifications will as a priority need to update their privacy policies to contain these specific data elements.
The Choice principle under Privacy Shield remains largely unchanged from Safe Harbor. It requires certified organizations to provide a mechanism for individuals to opt out of having personal information disclosed to a third party or used for a materially different purpose than that for which it was provided, although Privacy Shield clarifies that this option need not be provided when the disclosure is made to a third-party service provider that will use the information solely under the instructions of the organization (i.e. data processors, in European terms). As with Safe Harbor, Privacy Shield also requires covered organizations to obtain affirmative express consent from individuals prior to sharing sensitive information with a third party or using it for a purpose other than for which it was initially collected.
Accountability for Onward Transfer
Previously known as the “Onward Transfer” principle under Safe Harbor, the new “Accountability for Onward Transfer” principle adds more requirements for transfers to third parties than explicitly required under Safe Harbor, distinguishing between when the recipient is acting as a “controller”—that is, using the information for its own purposes—or a service provider.
The Onward Transfer principle under Safe Harbor only explicitly stated that organizations transferring Safe Harbor data to a third-party controller were required to comply with the Notice and Choice principles with respect to the data. Under Privacy Shield, the transferring organization is now explicitly required to enter into a contract with the third-party controller providing that the data may only be processed for limited and specified purposes consistent with individual consent, and that the recipient will provide the same level of protection as the Privacy Shield Principles, with two exceptions:
- A contract is not required for transfers of personal data involving a small number of employees “for occasional employment-related operational needs,” such as the booking of a flight, hotel room, or insurance coverage.
- A contract is not required for transfers within a controlled group of corporations or entities, which may base the transfers on other instruments such as EU Binding Corporate Rules or other intra-group instruments that ensure the continuity of protection of personal information under the Privacy Shield Principles (e.g., compliance and control programs).
Even greater obligations are imposed on onward transfers to third parties acting as service providers. Under Safe Harbor, an organization could transfer the data onward to a service provider if it either (i) ascertained that the service provider was subject to an EU adequacy finding (including being a member of Safe Harbor) or (ii) entered into a written agreement requiring the service provider to provide the same level of protection as the applicable principles. In addition to maintaining that obligation, Privacy Shield requires that an organization only transfer EU personal data for limited and specified purposes, “take reasonable and appropriate steps to ensure that the [service provider] effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles”—which requires some measure of privacy and security diligence—and provide a “summary or a representative copy of the relevant privacy provisions of its contract” with the service provider to the Department of Commerce upon request.
Companies that certify to the Privacy Shield within the first two months of its effective date will have a maximum of nine months to conform third-party contracts to these new requirements; otherwise, the expectation is that all third-party contracts will conform to these requirements upon certification. Moreover, Privacy Shield members will need to have diligence reports and copies of their agreement, or at least templates of those agreements, readily available upon the request of the Department of Commerce or an interested data protection authority (DPA).
Data security requirements are unchanged under Privacy Shield. Organizations certifying to Privacy Shield must take reasonable and appropriate measures to protect EU personal data from loss, misuse and unauthorized access, disclosure, alteration, and destruction, taking into “due account” the risks involved in the processing and the nature of the personal data.
Data Integrity and Purpose Limitation
This principle retains all of the obligations under Safe Harbor, requiring the organization to take reasonable steps to limit processing to the purposes for which the data was collected, and to ensure that personal data is reliable for its intended use, accurate, complete, and current. It explicitly adds that an organization must adhere to the Privacy Shield Principles for as long as it retains such information, regardless of whether the company withdraws from the framework.
The Access principle is effectively the same as it was under Safe Harbor: organizations must provide a mechanism by which data subjects may request that personal information related to them be corrected, amended, or deleted, and obtain confirmation of whether an organization is processing information related to them.
Recourse, Enforcement and Liability
When the Court of Justice of the European Union (CJEU) invalidated Safe Harbor in October 2015, it focused in large part on what it viewed as a lack of effective redress for EU individuals who might be aggrieved by the processing of their data by a member of the Safe Harbor. Privacy Shield dedicates significant energy to addressing this issue by expanding the Safe Harbor Enforcement principle to a new “Recourse, Enforcement and Liability” principle, dedicated to three requirements: individual redress, consequences for non-compliance, and compliance verification.
Safe Harbor required that participants subscribe to “readily available and affordable independent recourse mechanisms”—essentially, to register with a third-party arbitrator—to assess any complaints from EU individuals that the parties were unable to resolve on their own. Privacy Shield retains this requirement, though it requires that the process be offered at no cost to the individual, and explicitly calls for the possibility of damages “where the applicable law or private-sector initiatives so provide.” Privacy Shield organizations and their independent dispute resolution body must “respond promptly” to inquiries and requests by the Department of Commerce, which for its part is obligated to pass along complaints referred by EU DPAs.
Privacy Shield contemplates that EU residents may file complaints directly with their local DPA, which will work with the Department of Commerce and the Federal Trade Commission (FTC) to investigate and resolve complaints.
As a last resort, individuals may invoke binding arbitration for complaints that are left unresolved by the independent dispute resolution body with a newly constituted Privacy Shield Panel. The panel will consist of a pool of 20 arbitrators designated by the Department of Commerce and the European Commission, from which the parties will be able to select either one or three arbitrators. The Privacy Shield Panel will have the authority to impose individual-specific, non-monetary equitable relief to remedy non-compliance with the Privacy Shield (such as access, correction, deletion, or return of the individual’s data in question).
Consequences for Non-Compliance
In addition to the standard consequence for non-compliance with Safe Harbor—enforcement by the FTC or Department of Transportation—Privacy Shield explicitly states that an organization remains liable for its service providers’ failure to comply with the Principles unless the organization can show it was not responsible for the event giving rise to the damage.
When an organization becomes subject to an FTC or court order based on non-compliance, it will be required to make public “any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC,” to the extent consistent with confidentiality requirements.
These types of internal compliance or assessment reports are typically demanded by the FTC as part of any privacy compliance investigation, so companies preparing their compliance reports should consider the possibility that they could become public at some point.
The obligation to verify compliance with the Privacy Shield is essentially the same as under Safe Harbor, but the Recourse, Enforcement and Liability principle specifically notes that organizations should pay attention where there have been previous cases of non-compliance. Privacy Shield also requires organizations to retain their records of the implementation of their Privacy Shield privacy practices and make them available in the course of an investigation—which, as discussed above, may later become public. This is very much in line with the documentation and accountability obligations introduced by the GDPR.
So long as an organization retains Privacy Shield data, it must affirm its compliance to the Department of Commerce on an annual basis, even if it withdraws from the framework. Alternatively, the organization must return or delete the information, or affirm that it will provide adequate protection for the Privacy Shield data by another authorized means such as the EU standard contractual clauses.
Changes to Administration and Supervision
Under Privacy Shield, the U.S. agencies responsible for administering the framework—the Department of Commerce, the FTC, and the Department of Transportation—agreed to administer and supervise the framework differently in a number of key ways.
- Privacy Shield website: In addition to maintaining a list of currently certified organizations, the Department of Commerce will make a number of updates to the current Safe Harbor website to update it for Privacy Shield, including: (i) maintaining and making available an authoritative record of U.S. organizations that had previously self-certified to Privacy Shield but had been removed, identifying the reason why each was removed; (ii) prominently placing an explanation clarifying that organizations removed from the list must continue to apply the Privacy Shield Principles to the Privacy Shield data they continue to maintain; (iii) providing a link to the list of Privacy Shield-related cases on the FTC website; and (iv) tailoring different sections of the website to EU individuals, EU businesses, and U.S. businesses.
- Expanding efforts to follow up with organizations that have been removed: The Department of Commerce will (i) more proactively notify organizations that are removed from the Privacy Shield List for “persistent failure to comply” that they are not entitled to retain Privacy Shield data, and (ii) send questionnaires to organizations whose self-certifications lapse or who have voluntarily withdrawn from the Privacy Shield to verify how the organization will protect Privacy Shield data they retain.
- Searching for and addressing false claims of participation: The Department of Commerce will more proactively search for and address false claims that organizations maintain an active Privacy Shield certification, including (i) conducting spot-checks of the privacy policies of previously certified companies to determine whether they falsely continue to publish that they are an active member of the Privacy Shield; (ii) conducting Internet searches to identify where images of the Privacy Shield certification mark are being displayed to determine whether the displaying entities are active registrants; and (iii) promptly reviewing and addressing complaints about false claims of participation.
- Conducting periodic ex officio compliance reviews and assessments: The Department of Commerce will, in consultation with EU DPAs where appropriate, conduct reviews of an organization’s Privacy Shield compliance when either (i) it receives “specific non-frivolous complaints” about the organization’s compliance; (ii) the organization does not respond satisfactorily to inquiries by the Department; or (iii) there exists “credible evidence” that the organization does not comply. In addition, the FTC, which retains its primary enforcement role, will give priority consideration to referrals of non-compliance with the Privacy Principles to determine whether the organization has violated Section 5 of the FTC Act or other relevant laws. The FTC will also undertake Privacy Shield investigations on its own initiative.
- Increasing cooperation with EU DPAs: The Department of Commerce will more directly work with EU DPAs to administer Privacy Shield, including conducting compliance reviews and facilitating the resolution of complaints based on referrals from EU DPAs.
- Annually reviewing the functioning of the Privacy Shield: The Privacy Shield includes an annual joint review mechanism, at which representatives of the various stakeholders—including the Department of Commerce, FTC, European Commission, interested DPAs, and appropriate representatives from the Article 29 Working Party—will convene to discuss the continuing efficacy of the framework.
As expected, the parties went to lengths to address the aspects of Safe Harbor that the CJEU found to be deficient when it invalidated Safe Harbor in its October 2015 Schrems decision. In order to demonstrate that the United States meets the CJEU’s criteria for lawful government access to data, the Privacy Shield documentation includes letters from the Office of the Director of National Intelligence and the U.S. Department of Justice describing limitations on and oversight of government access to data held by U.S. organizations. The Privacy Shield documents also include a letter from Secretary of State John Kerry describing a possibility for redress through an Ombudsman mechanism within the Department of State, which will be independent from the national security agencies, and oversight of U.S. national security access to data by the Privacy and Civil Liberties Oversight Board.
Importantly, there is no limitation on compliance with lawful government orders to produce data. There had been some concern that Privacy Shield would attempt to make U.S. companies choose between complying with competing international legal obligations, and the Privacy Shield makes clear that organizations can comply with lawful requests for data from the U.S. government. There also had been some reports during negotiations that the new agreement might mandate that participants publish “transparency reports” of the number of government access requests they received for personal information. The final Privacy Shield materials strongly “encourage” organizations to publish transparency reports, but doing so is not mandatory.
This aspect of the Privacy Shield is likely to be closely scrutinized by EU privacy regulators and advocates and, therefore, the long-term viability of the program will depend on the effectiveness of these controls and on how the CJEU views them. But taken together, the Privacy Shield framework documents set out a strong case that the due process, oversight, and redress protections afforded to EU residents meet the CJEU’s standard in its Schrems decision to permit the transfer of EU personal data to the U.S.
It is not surprising that in light of the arduous negotiations on this framework and the outcome of the Safe Harbor decision by the CJEU, the parties have made a substantial effort to address every possible weakness of the previous program. Ultimately, the Privacy Shield represents the commitment of the EU and the U.S. governments to securing the vital transatlantic data flows which are such an integral part of the information economy. The ability of companies on both sides of the Atlantic to benefit from these efforts now depends on the response of EU regulators and courts to the Privacy Shield.
From the point of view of organizations engaged in international data transfers, the good news is that the Privacy Principles are largely aligned with the types of privacy practices found in most global privacy compliance programs, and are not a substantial departure from the compliance mechanisms under Safe Harbor.
That said, there are a number of changes that create additional risks for companies that join the Privacy Shield, such as the presumption of liability for service provider privacy violations, the obligation to produce contract provisions to the Department of Commerce, and the possibility that compliance assessments will be publicized (in the relatively rare event that an organization becomes subject to an FTC or court order based on non-compliance). Regulatory scrutiny from U.S. government agencies is also sure to increase, particularly with the obligation of the Department of Commerce to investigate specific non-frivolous complaints that it receives.
The Privacy Shield is also not yet in effect. The details are under review now by the EU’s Article 29 Working Party, which will render a non-binding opinion within the next few months. Taking that opinion into account, the full European Commission will then formally vote on the adequacy of the Privacy Shield program, at which point it will take effect. Therefore, U.S. companies still have a few months before they can formally sign up for the new Privacy Shield and, regardless of the Working Party’s response, it would be wise to carefully consider all alternatives available.