On 12 July 2016, the European Commission adopted the EU-US Privacy Shield adequacy decision (Privacy Shield) allowing transfers of personal data from the European Union¹ to US organisations which voluntarily certify under the Privacy Shield framework. The US Department of Commerce will begin accepting applications for certification from 1 August 2016. Organisations that are headquartered in the US, or group companies with a US-based company which access, receive or process personal data (including HR data) from the EU, may consider signing up to the Privacy Shield as a data export solution.
This note will help organisations evaluate whether or not to take advantage of the Privacy Shield and, if they decide to do so, to prepare them for the certification process and compliance.
Assessing the benefits of the Privacy Shield
Since the Court of Justice of the European Union (CJEU) invalidated the EU Commission’s Decision on EU-US Safe Harbor in October 2015, US organisations have not been able to rely on the Safe Harbor scheme to receive personal data from the European Economic Area (EEA) countries. Instead, they have had to use other legal mechanisms such as the EU standard contractual clauses (SCC) or rely on the limited exceptions set out in Article 25(2) of the European Data Protection Directive (e.g. consent of the data subject). Given the more involved process of a Binding Corporate Rules (BCR) application, BCRs are less likely to be a short-term alternative option.
Perhaps the main advantage of signing up to the Privacy Shield is that it avoids the need to sign individual contracts with each organisation from which data is received. An organisation with a Privacy Shield certification can be presumed to afford adequate protection to EU personal data. The adoption of the Privacy Shield, therefore, provides US organisations with an additional legal mechanism to enable lawful transatlantic data flows from the European Union.
The Article 29 Working Party (WP) (representing the EU data protection regulators) has broadly welcomed the Privacy Shield, which should provide comfort to US businesses considering certifying. However, the WP has also expressed doubts about the scheme and has stated its intention to reassess its views further down the line. The WP sees the independence of the Ombudsperson who will oversee the scheme, and evidence that the Privacy Shield has teeth with real sanctions for non-compliance, as key factors in determining its success. It is worth remembering that it is open to the EU regulators to investigate data exports, regardless of any EU Commission decision of adequacy.
In addition, although the Privacy Shield provides a set of more robust and enforceable protections for the personal data of EU individuals, it may still be subject to legal challenge before the European courts, despite the view of the Commission and the US Department of Commerce that the flaws in the Safe Harbor scheme have been addressed. Any challenge would most likely relate to the use of EU personal data by US law enforcement agencies but could nonetheless have implications for all organisations signing up to the Privacy Shield.
US organisations need to consider the benefits of the Privacy Shield carefully, taking into account their business needs and practices and weighing the Privacy Shield up against the other available data transfer mechanisms from the EEA to the US. Legal advice should be sought at the outset of the decision-making process.
Key requirements for US organisations signing up to the Privacy Shield
US organisations signing up to the Privacy Shield will be required to:
- Self-certify annually that they meet their obligations under the Privacy Shield;
- Comply with Privacy Shield Principles (Principles): these include providing data subjects with key information about their data; allowing them to opt out where data is to be disclosed to a third party; limiting the processing to what is relevant for the purpose; complying with data subject access requests; complying with rules relating to onward transfers of data; keeping personal data secure; deleting personal data which is no longer being used for the purposes for which it was originally collected; providing robust mechanisms to ensure compliance and providing recourse for EU data subjects;
- Reply promptly to any complaints (within 45 days); and
Scope of the Privacy Shield
The Privacy Shield applies to the personal data of any EU data subject that has been transferred from the EU to organisations in the US that have self-certified their adherence to the seven Principles with the US Department of Commerce. It applies to both data controllers and data processors; service providers and agents will also be able to certify under it.
To be eligible to sign up to the Privacy Shield, an organisation needs to be subject to the jurisdiction of the Federal Trade Commission (FTC) or the US Department of Transportation (DOT). The FTC has no jurisdiction over most financial organisations such as banks, savings and loan institutions or federal credit unions. It also has no jurisdiction over common carrier activities, air carriers and foreign air carriers and persons, labor associations, most non-profit organisations, and most packer and stockyard activities. The DOT has exclusive jurisdiction over US and foreign air carriers. The DOT and the FTC share jurisdiction over ticket agents that market air transportation.
Are you ready to comply with the Privacy Shield requirements?
If you are a US organisation considering self-certifying under the Privacy Shield, you will need to assess your current privacy compliance programme and make any necessary changes before applying for certification. You should:
- Assess your current privacy compliance programme against the Privacy Shield Principles
Determine whether changes need to be made to your current privacy compliance programmes. In particular, revisit current data transfer practices including the extent to which they rely on the SCCs or the exceptions under Article 25(2) of the Data Protection Directive. The fact that an organisation was certified under the EU-US Safe Harbor scheme does not mean that it will automatically comply with the Privacy Shield, as the requirements have been strengthened in line with recommendations made by the CJEU and DPAs.
- Consider whether specific rules will apply: onward transfers
Specific rules apply to onward transfers (i.e. transfers of personal data from an organisation to a third party controller or processor), human resources data collected in the employment context (HR data), direct marketing and to pharmaceutical and medical products. It is important to check whether these specific issues affect you. By way of example, if you pass EU data to third parties, you need to check your agreements with them to ensure they provide the same level of protection as is required by the Principles. If you receive EU HR data in the context of an employment relationship, you must agree to cooperate with relevant DPAs to resolve any complaints about your use of such data.
- Consider whether you want to take advantage of a grace period in relation to arrangements with third parties
The Principles apply immediately upon certification. However, the Privacy Shield provides an exception to this. Where there is a pre-existing commercial relationship with a third party, a grace period of up to nine months is allowed in relation to compliance with the rules of the Accountability for Onward Transfer Principle under the Privacy Shield, to allow for the amendment of relevant agreements. To benefit from this, organisations must self-certify in the first two months following the day when the Privacy Shield becomes effective.
- Identify a dispute resolution mechanism and provider
The Privacy Shield requires organisations to provide “robust mechanisms to ensure compliance with the Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies”.
Prior to self-certifying, your organisation will need to identify the recourse mechanism for individuals and the dispute resolution process it will use to handle complaints and disputes. Organisations may designate the panel of EU DPAs or an alternative dispute resolution provider which can be based in the EU or the US. Existing providers include the Better Business Bureau, TRUSTe, JAMS or the Direct Marketing Association. The US Department of Commerce will be responsible for ensuring compliance with this requirement.
The Privacy Shield also requires organisations to provide a “contact point” in relation to any questions or issues with the dispute resolution provider. In practice, this is likely to be the Chief Privacy Officer or the person responsible for certifying compliance with the Privacy Shield.
- Comply with the notice and information requirements
Under the Privacy Shield, organisations must comply with the Notice requirement which includes making privacy policies public and displaying them on any organisation’s website. The information must include:
- an express statement setting out that you adhere to the Principles;
- if the policy is available online, a hyperlink to the dispute resolution provider’s website or a complaint submission form as well as the contact details for the provider; and
The US Department of Commerce has made clear that it will systematically verify that the self-certification requirements are met. It will also ensure that organisations’ privacy policies conform to the Principles. This means it is vital to put in place internal measures to verify that your published privacy policies conform to the Principles and are actually complied with, either through a system of self-assessment or by asking a third party to assist. It is also likely that organisations will have to amend their existing internal policies dealing with the handling of personal data (e.g. information security, complaint procedures or subject access requests) to ensure they reflect their adherence to the Principles internally.
The overall Principles will be enforced by the FTC and the DOT. Complaints arising out of the Privacy Shield will be dealt with in accordance with the independent recourse mechanism chosen by the certified organisations. Where complaints have not been resolved by any of these recourse or enforcement mechanisms, the Privacy Shield provides for a binding arbitration mechanism. An independent Ombudsperson will also be responsible for overseeing compliance and dealing with national security interference. In addition, there will be an annual review process, involving the US Department of Commerce, the FTC and other agencies as appropriate, the EU Commission and EU DPAs, to assess the effectiveness of the scheme on an ongoing basis.
How to apply
The US Department of Commerce provides a description of the information required to self-certify under the Privacy Shield here. Applications will be considered from 1 August 2016.
Time will tell whether the Privacy Shield will be able to elicit more confidence from the WP and also how this will play out given the impending (and so-called) “Schrems II” challenge to the validity of the SCCs. For now, the European Commission appears to have played it hard. However, one should bear in mind that the annual review mechanism makes the Privacy Shield a living instrument that is likely to evolve with the industry and technology practices as well as towards a GDPR-compliant framework.
¹ At the time of writing, the Privacy Shield decision does not apply to Iceland, Liechtenstein and Norway. Once incorporated into the EEA Agreement, US certified companies will be able to receive personal data from those countries.