So it’s here! Yesterday, the European Commission published the suite of documents that comprise Safe Harbor’s replacement – the EU-US Privacy Shield. Documents available here.
Over the intervening day or so, blogs everywhere have described what the Privacy Shield is (and we’ll get to that too), but many have missed perhaps the most important point: is it any good?
We’ll answer that question upfront: yes, it’s good. Very good, in fact. But whether that means it will succeed as a solution is an entirely different issue.
Why the need for a Privacy Shield?
A quick re-cap: European data protection laws forbid the transfer of personal data outside of the European Economic Area, unless the recipient implements one of a limited number of legal solutions. Up until October last year, one of these solutions for US data importers was the “US-EU Safe Harbor framework”.
This was a self-certification scheme operated by the US Department of Commerce to which US companies could voluntarily subscribe and, by so doing, commit to protecting imported EU data in compliance with seven Safe Harbor principles. The idea behind doing so was that, by giving these commitments, US companies would essentially be committing to protect imported EU data to roughly EU standards.
Except Safe Harbor wasn’t sufficiently protective, according to the Court of Justice of the European Union, declaring Safe Harbor invalid in October last year and throwing EU-US data transfers – and transatlantic business – into jeopardy. Since then, the race has been on for the US and EU to agree a new framework to replace Safe Harbor (a process they had already begun before the CJEU became involved) and the result was the EU-US Privacy Shield.
Enter the Privacy Shield
Earlier this month, the European Commission and the Department of Commerce agreed a deal had been reached on the Privacy Shield. We posted about that deal here but, at that point, the actual text and details of the Privacy Shield were not published. Those appeared on the European Commission’s website yesterday.
The first thing you’ll notice if you start reading the Privacy Shield documents is that they are considerably more lengthy and detailed than the previous Safe Harbor framework. It’s obvious just how much careful and painstaking work has gone into creating them – and the result is really very good. Much better, in fact, and much more realistic than their ugly twin sister, the Model Clauses. Privacy Shield is to Safe Harbor what the GDPR is to the current Data Protection Directive.
Much has already been said about how the US has promised to curtail mass surveillance activities under the Privacy Shield to just six distinct purposes (including counterterrorism, cybersecurity, and combating transnational criminal threats) and established an ombudsman to handle complaints relating to surveillance activities, so we won’t focus on that here. Instead, we’ll keep to those aspects of the Privacy Shield most relevant to businesses.
What does the Privacy Shield comprise?
Like Safe Harbor before it, the Privacy Shield will be a voluntary self-certification scheme – though, this time, one that has stronger and more detailed compliance obligations and more (and more effective) redress mechanisms.
It comprises 7 principles (Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; Recourse, Enforcement and Liability) and a bunch of “supplemental” principles. The supplement principles are an assortment of special cases (e.g. exceptions for handling sensitive data, journalistic exceptions, secondary liability for ISPs and telcos, professional due diligence and audits) and supplemental requirements and clarifications to the core principles (on topics such as the role of DPAs, verification of compliance, self-certification etc.).
So what do I really need to know about the Privacy Shield?
- It’s not live yet! The European Commission has to adopt a formal adequacy decision before the Privacy Shield goes live. That will take some time, as the European Commission has to consult with various bodies before it can adopt its decision. Probably summer this year – that’s still quite a few months off.
- It’s still self-certification: There is no formal audit process that applicants must go through in order to get acceptance into the Privacy Shield. However, as part of the self-certication, the applicant must confirm how it has verified its compliance with the Privacy Shield – whether through in-house or third party verification, and evidence of this verification must be provided when requested. If you don’t go through this verification, then you’ll be knowingly making a misrepresentation to the Department of Commerce and risk unfair and deceptive practices enforcement by the FTC – and nobody, ever, wants that.
- Safe Harborites won’t be grandfathered in: The Privacy Shield contains a number of important differences from Safe Harbor that means existing Safe Harbor certified companies won’t simply be grandfathered in to Privacy Shield. Sorry.
- You’ll need to get redrafting: One of the key changes to the Privacy Shield requirements is to the Notice principle. This sets out 18 different notice requirements that must be communicated to individuals (types of data concerned, purposes for which processed, participation in Privacy Shield, rights of redress and so on). That means you’ll need to revisit all those lovely Safe Harbor privacy notices you’ve had sitting on your website for years now and get redrafting!
- You’ll need to get renegotiating, too: Another important change concerns the Accountability for Onward Transfers principle. Privacy Shield companies that onward transfer EU data to “agents” (that is, processors) must ensure that those agents process the data only for ‘limited and specific purposes”, provide the same level of privacy protection as the Privacy Shield, and “take reasonable and appropriate steps” verify their agents’ compliance (that means due diligence and audit, people). If you plan to participate in Privacy Shield, you’ll need to revisit all those legacy vendor contracts to get them Privacy Shield ready – and, for bigger companies, this will mean a big procurement and renegotiation exercise. On the plus side, the Privacy Shield’s subcontracting provisions are significantly more workable than those of the Model Clauses.
- Take care when handling sensitive information: The Privacy Shield defines sensitive personal information to equate to the EU definition. Privacy Shield companies must get opt-in consent before they can disclose sensitive information to third parties or use it for new purposes. Big deal, you might think – but how many US companies know that, in the EU, sensitive information includes “trade union membership” data or information about “political opinions” or “philosophical beliefs”? Best go check what you’re sharing and find out if you’re getting the right consents…
- Individuals have recourse – and then some! The Privacy Shield has redress mechanisms aplenty – individuals can complain to the company itself, to an appointed independent alternative dispute resolution provider, to EU DPAs, to the Department of Commerce, to the FTC and – as a last result – seek binding arbitration. Whew! What a lot of redress mechanisms for something that, historically, almost no one complains about. In any event, companies who receive complaints must respond within 45 days – so need to set-up escalation procedures and training to make sure that customer service staff who receive complaints know what to do with them (“Privacy Shield what, you say?”).
- It won’t solve your EU customer problems, yet: The Privacy Shield faces an uncertain future. Civil liberties groups dislike it, Max Schrems dislikes it, Edward Snowden dislikes it, and certain DPAs dislike it. So it seems more than likely that, even if formally declared adequate in the near future, it’ll be legally challenged almost immediately. Those legal challenges will drive fear in the EU customer markets, meaning EU customers will be reluctant to entrust their data to companies that rely solely on the Privacy Shield as a basis for data exports. So, like it or not, you’ll probably still end up signing a gazillion model clauses to keep your customers happy – but, given the uncertainty and continuing threats from DPAs about Safe Harbor enforcement, you can’t really blame them, can you?
Should you adopt the Privacy Shield?
The Privacy Shield has the potential to be a great solution for US businesses looking to import EU data. It’s also a huge statement of just how seriously the US is taking the need to address EU privacy concerns, and credit has to go the negotiating teams on both sides of the Atlantic that they were able to achieve this. It’s a serious ramping up of standards and does, from a protection standpoint at least, what it needed to do.
With that said, the Privacy Shield remains under fire from all quarters, meaning its future success remains far from certain. On that basis, sole reliance on the Privacy Shield at this time would at best be hasty and, at worst, could prove a strategic error for US businesses. It seems likely that, for now, most businesses will enter a kind of ‘watching brief’ mode – similar to that when cookie consent rules were first introduced – and wait to see what their competitors do.
If the Privacy Shield gets formally declared “adequate” by the European Commission, and if it survives the legal challenges it will inevitably face, and if it gets adopted and promoted by some of the bigger global companies (especially the big cloud players that host data for multitudes of EU companies), then this will gradually drive greater comfort in the market – and, with that, greater adoption and acceptance of Privacy Shield.
Personally, I hope that happens.