The European Commission adopted its much anticipated decision on the EUUS Privacy Shield (“Privacy Shield”) on 12 July 2016. The Privacy Shield was developed jointly by the European Commission and the US Department of Commerce to replace the Safe Harbor framework, which was declared invalid by the Court of Justice of the European Union in the Schrems case.
The adoption of this adequacy decision by the Commission means that any transfers of personal data from the EU to companies in the United States that are certified under the Privacy Shield will be deemed to be made in accordance with EU data protection law.
As noted in our previous article here, US companies have been able since 1 August 2016 to sign up to the Privacy Shield and receive personal data originating in the EU on the basis of their Privacy Shield certification. It has been reported that over 500 organisations have been certified under the Privacy Shield to date, including such prominent stakeholders as Microsoft, Google and Salesforce, and that some 1,000 more are in the process of applying.
The Privacy Shield has been the subject of much comment (both positive and critical) since its publication. Most of the criticism levied at the Privacy Shield focuses on concerns over the potential access by US public authorities to personal data transferred from the EU to the US This potential access was one of the main criticisms of Safe Harbor arising from the Schrems case, and appears to be a continued source of concern for privacy campaigners.
Other criticisms of the Privacy Shield include that certain principles of European data protection law, for example in relation to data retention and purpose limitation, are not adequately reflected in the framework, and that the Privacy Shield does not give users as much control over the use of their personal data as under EU data protection law.
What is new and improved in the Privacy Shield?
Such criticism notwithstanding, it seems clear that the Privacy Shield improves on Safe Harbor in a number of key areas, considered below:
- More detailed transparency/notice requirements: The privacy principles that US companies receiving personal data originating from the EU will have to comply with (the “Principles”) include more detailed and robust notice requirements than those required under Safe Harbor. For example, organisations signing up to the Privacy Shield must provide a notice, in “clear and conspicuous” language to individuals informing them of: the types of personal data the organisation is collecting; whether (if relevant) its subsidiaries adhere to the Principles; the purposes for which the organisation will disclose personal data to third parties; the right of individuals to access their personal data; the independent resolution body designated to address complaints and provide recourse; the possibility in certain circumstances to invoke binding arbitration; and the requirement to disclose personal information in response to lawful requests by public authorities.
In addition, the Principles are set out in a clear and easily understandable way for organisations in a single annex (Annex II) of the Commission’s Decision. In the Safe Harbor decision these were constituted, in a rather piece-meal fashion, of “Privacy Principles” in one annex, and “Frequently Asked Questions” in another annex.
- More choice over uses of personal data: Privacy Shield requires certified organisations to offer individuals “clear, conspicuous and readily available mechanisms” to allow them to “opt out” of the disclosure of their personal data to third parties (save where such disclosure is to an “agent” pursuant to a contract) or of the use of their data for a purpose that is “materially different” from the purpose(s) for which it was originally collected (or subsequently authorised) by the individuals.
The requirement for an opt out for a “materially different” use of data under the Privacy Shield is arguably more protective than the obligation under Safe Harbor, which required an opt-out for a purpose that was “incompatible” with the purpose(s) for which it was originally collected/subsequently authorised etc.
Strengthened requirements and accountability for onward transfers: The Privacy Shield contains more detailed requirements in relation to the onward transfer of personal data from Privacy Shield organisations in the US to other third party organisations. Any onward transfers to data controllers must be made on foot of a contract with the third party controller providing that any data so transferred “may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the [Privacy Shield] organisation if it can no longer meet this obligation.” By contrast, Safe Harbor only contained a broad requirement to “apply the Notice and Choice Principles” in respect of the disclosure of information to third parties.
In addition, the Privacy Shield expands on the requirements set out in Safe Harbor in respect of the transfer of data to agents. These additional requirements include that the Privacy Shield organisation: transfers data only for limited and specified purposes; takes reasonable and appropriate steps to ensure that any processing is carried out in accordance with the Principles; takes steps to stop and remediate unauthorised processing; and provides a summary or copy of the relevant privacy provisions of the contract with the agent to the Department of Commerce if requested.
A further improvement on Safe Harbor from a privacy perspective is that the Principles expressly state that Privacy Shield organisations will remain liable for any processing of personal data by their agents in a manner inconsistent with the Principles (unless the organisation proves that it is not responsible for the event giving rise to the damage). Safe Harbor, by contrast, contained a general presumption that the organisation, once it had complied with the principles in respect of onward transfer to an agent, would not be held responsible for processing outside of the permitted purposes, unless the organisation was aware or should have been aware of such processing and did not take steps to remedy it.
- Data retention: The Principles state that personal data may only be retained for as long as it serves the processing purpose(s) for which it was originally collected /authorised by the individual (with an exception for archiving purposes in the public interest, journalism, literature, art etc). This is a marked improvement on Safe Harbor, which did not include specific obligations in relation to data retention.
- Wider range of enforcement mechanisms: The Privacy Shield also improves on Safe Harbor to the extent that it offers a wider range of avenues for individuals to seek redress where they are affected by an organisation’s non-compliance with the Principles. These options include bringing a complaint: to the relevant organisation (the organisation must respond within 45 days); to the independent dispute resolution body designated in accordance with the Principles by the organisation; or, directly to the Federal Trade Commission.
Individuals may also complain to a national Data Protection Authority who will deliver advice through an informal panel of DPAs established at Union level. Where the Privacy Shield organisation fails to comply with the DPAs’ advice within 25 days, the matter may be referred to the FTC or other competent US authority for enforcement action eg under Section 5 of the FTC Act (or similar statute) or to the Department of Commerce (who may remove the organisation from the Privacy Shield List).
Finally, as a mechanism of “last resort”, individuals have the right to invoke binding arbitration. The Department of Commerce is to establish a fund supplied with annual contributions from Privacy Shield organisations to help cover the costs of the arbitration.
- Ombudsperson: The Commission decision acknowledges that whilst EU individuals do have certain avenues of redress where they have been the subject of unlawful surveillance for US national intelligence purposes, the available causes of actions are relatively limited, and EU citizens may have difficulty showing that they have the requisite “standing” (ie a legally protectable interest) to bring a case to court. In an effort to fill this gap, the US Secretary of State has committed to create a new “Privacy Shield” Ombudsperson, who is to be independent from the US Intelligence Community, and whose remit will include ensuring that individual complaints are properly investigated, that US laws have been complied with, or, where such laws have been violated, that the non-compliance has been remedied. Helpfully, individuals can address complaints to a competent national authority in their own country (and in their own language) and such authority will then assist the individual in formulating the request to the Ombudsperson. Also positive from a privacy perspective is that to bring a complaint before the Ombudsperson, an individual will not have to demonstrate that his/her personal data have in fact been accessed by the US government via surveillance activities.
- Assurances regarding access by US National Security agencies: The Privacy Shield includes written commitments by the US Government on enforcing the arrangement, including assurances from the Office of the Director of National Intelligence and the US Department of State, on the safeguards concerning access to personal data by public authorities in the US
- Annual re-certification: Organisations must self re-certify their compliance with the requirements of the Privacy Shield to the Department of Commerce on (at least) an annual basis, and the Department is to monitor compliance with this requirement, and remove organisations that do not re-certify as required from the Privacy Shield List. The assessment and verification requirements were not as clear under Safe Harbor – under that regime, an organisation was required to sign a statement verifying that a self-assessment had been carried out once a year.
- Annual Joint Review Mechanism: A major advantage of the Privacy Shield over the Safe Harbor framework is that there is an in-built “Annual Joint Review” mechanism, to review the functioning of the Privacy Shield on an annual basis. This annual review is to be performed by the Commission, the US Department of Commerce and the Federal Trade Commission, together with other relevant stakeholders such as Intelligence Community Representatives and the Privacy Shield Ombudsperson, as appropriate. It will also be open to EU DPAs and representatives of the Article 29 Working Party to participate in this review meeting.
This means that the Privacy Shield is intended to be a “living” instrument, which can adapt as required to reflect future developments in privacy law. Indeed, the decision specifically states that the Commission will assess the level of protection provided by the Privacy Shield following the entry into application of the General Data Protection Regulation (in May 2018). By contrast, Safe Harbor only provided for a review to be carried out by the Commission after three years.
Privacy Shield, whilst not perfect, is a viable option for transfers
Whilst it is arguable that some of the criticism levied at the Privacy Shield may be justified – for example, it may be difficult in reality to fully monitor the access US intelligence agencies may have to EU data transferred under the Privacy Shield - it should also be remembered that the Privacy Shield is relevant to personal data that was originally collected in accordance with EU data protection law. As such, data subjects should have been informed of any further processing of their personal data (including any processing in the US) at the time of collection, and any such processing should be compatible with the purposes for which the data were originally collected.
Furthermore, any analysis of the Shield needs to take into account, from a realistic and practical standpoint, the reality that managing data transfers in today’s global business environment can present significant challenges for organisations.
It is also worth bearing in mind that the other currently approved exemptions to the prohibition on the transfer of personal data outside of the EEA, such as obtaining data subjects’ consent, entering into data transfer agreements based on the EU Commission approved “Model Clauses”, or putting in place “binding corporate rules”, can also present challenges to implementation in practice.
In light of the matters considered above, it seems fair to conclude that the Privacy Shield represents a marked improvement on the Safe Harbor framework. As such, as organisations weigh up the various options around the transfer of personal data to the United States, the Privacy Shield would appear to represent a viable solution.