On February 29, 2016, the Department of Commerce and European Commission released the details of the new US-EU Privacy Shield program, intended to replace the now defunct US-EU Safe Harbor program. According to the materials released, the new program includes an expanded set of privacy principles, increased operational vetting to be conducted by the Commerce Department’s International Trade Administration, a new role for EU data protection authorities, assurances of enforcement from the Federal Trade Commission and the Department of Transportation, and a new arbitration model.
The details were released today as part of a package, transmitted by US Commerce Secretary Penny Pritzker to EU Commissioner Věra Jourová, that includes over 120 pages of documentation detailing the results of the Privacy Shield negotiations, as well as supporting letters from the US Department of Justice and the Office of the Director of National Intelligence to provide assurances that the privacy rights of Europeans will be protected.
Below is a description of the new Privacy Shield program. Please stay tuned for additional analysis and guidance on next steps.
For most companies, Privacy Shield will in practice be very similar to its predecessor, Safe Harbor, and most of the Privacy Shield requirements follow the original Safe Harbor framework. The Privacy Principles and self-certification requirements under Safe Harbor remain largely intact. However, several principles have been given more detail. For example, the Notice principle under the Privacy Shield sets forth 13 items that must be addressed in a company’s notice and includes a “clear and conspicuous” notice requirement. The Onward Transfer principle has also been updated to, among other things, require participating companies to “provide a summary or a representative copy of the relevant privacy provisions of its contract with that [service provider] to the Department upon request.”
Thus, companies transitioning from Safe Harbor to Privacy Shield will need to take several further affirmative steps to bring their practices into compliance with the Privacy Shield.
Increased oversight by the Department of Commerce
Under the new program, the Commerce Department will be more rigorous in confirming the accuracy of the contents of the self-certification and affirmatively searching for non-compliant organizations.
For example, the summary letter from ITA to Commissioner Jourová includes the following highlights to address concerns about non-compliance by lapsed or partially non-compliant Safe Harbor participants:
- Removal of companies that have failed to renew. The Department of Commerce will more actively update the participant list, including removal of those that have not renewed, along with a reason for non-renewal. This will also involve maintenance of a former participant list, because organizations that collect personal data during their participation in the program and retain such data after dropping out of the program are obliged to maintain those protections.
- Increased validation of self-certification and dispute resolution. The Department will validate that the contents of each self-certification are complete, and will communicate with third-party dispute resolution firms to validate that the assertion of registration is in fact correct.
- Public enforcement actions. Enforcement of Privacy Shield violations will be publicly posted on the Commerce Department’s website.
- Requirement to delete data for “persistent” violators. If an organization is removed from the Privacy Shield program for a “persistent failure to comply,” then that organization will be instructed to delete the personal data it obtained under the Privacy Shield program.
- Validation efforts for inactive participants. The Department will actively contact former Privacy Shield organizations, inquiring whether data received during the program will be returned, deleted, or continue to be protected, and will validate that former Privacy Shield participants no longer make public assertions of their Privacy Shield participation.
More significantly, the Department of Commerce has also committed to the following:
- Compliance audits. The Department will conduct periodic audits or compliance reviews of the Program generally and participating organizations specifically. The company reviews will be triggered by “non-frivolous” complaints of non-compliance, an organization’s failure to respond to inquiries, or other “credible evidence” that the organization is not fulfilling its Privacy Shield commitments.
- DPA cooperation. The Department will cooperate and coordinate with European DPAs to facilitate complaints and
- Cost-free arbitration. The Department will develop and maintain arbitration procedures and select arbitrators to resolve disputes at no cost to the complaining individuals (whereas previously an arbitration fee could be charged).
The Department will also appoint an independent administration official (Undersecretary Cathy Novelli of the State Department) to assess and contribute to validation of assertions by law enforcement and national security agencies for the need to access European data. This feature is a response to significant and vocal criticisms from EU regulators relating to Snowden allegations regarding US surveillance activities and their impact on the privacy of EU personal data.
The EC Adequacy Determination
In a draft decision adopted on February 29, 2016 (Draft Adequacy Decision), the EU Commission concluded that for the purposes of Article 25(2) of Directive 95/46/EC, the United States will be considered to ensure an adequate level of protection for personal data transferred from the European Union to organizations in the United States that are self-certified under the US-EU Privacy Shield. Such self-certified organizations will be included in the so-called Privacy Shield List, which will be maintained and made publicly available by the US Department of Commerce.
The new EU Privacy Shield is intended to reflect requirements set out by the European Court of Justice (ECJ) in its ruling in the Schrems case on October 6, 2015, which invalidated the existing Safe Harbor Agreement. The ECJ’s rejection of Safe Harbor was largely based on potential US government surveillance practices. The Draft Adequacy Decision addresses concerns regarding the use of personal data by US public authorities in Section 3, as follows:
- Clear limitations on US public authorities’ access and use of personal data. The Draft Adequacy Decision states explicitly that the US has given the EU written assurances that access by public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. Specifically, the US government has given the European Commission explicit assurance that the US Intelligence Community “does not engage in indiscriminate mass surveillance of anyone, including ordinary European citizens.”
- Annual joint review. To regularly monitor the functioning of the arrangement there will be an annual joint review by the European Commission and the US Department of Commerce, which will address the issue of national security access. This meeting will be open for EU DPAs and representatives of the Article 29 Working Party.
- Individual redress. Any EU data subject concerned that her or his data has been misused under the new arrangement will have several redress possibilities. Companies must reply to complaints within given deadlines. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, alternative dispute resolution will be free of charge. As a last resort, EU data subjects might be able to bring civil claims against companies for misusing data, including under tort liability, unfair trade practices and breach of contract. Further, with respect to individual redress for data gathered pursuant to illegal US government surveillance, the EU Commission cites several remedies as providing appropriate protection under US law. First, an individual can prevent the US government from using illegally-gathered evidence against the individual in administrative or judicial proceedings, as described in Fourth Amendment jurisprudence in combination with the Foreign Intelligence Surveillance Act, the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, and others. Second, in certain specific cases under one or more of such statutes (e.g., egregious willful illegal surveillance), non-US citizens could bring a civil cause of action against the United States, or could sue US government officials in their personal capacity, both for money damages.
- Privacy Shield Ombudsperson. In order to provide an additional avenue accessible to all EU data subjects, the US government has decided to create a new mechanism, the Privacy Shield Ombudsperson. According to the Draft Adequacy Decision, the binding commitments from the US government ensure that the Privacy Shield Ombudsperson will investigate individual complaints and provide individuals independent confirmation that US laws have been complied with or, in case of a violation of such laws, that the non-compliance has been remedied.
Once the Adequacy Determination has been finalized, the full Privacy Shield package will be published in the Federal Register and will become effective in the US shortly thereafter. The question remains for US organizations whether to immediately apply for the Privacy Shield program or to adopt a wait-and-see approach.
Uncertainties of implementation
As noted above, the Privacy Shield details make clear that, under the new program, there will be (i) stricter vetting of applicants and those already within the program, and (ii) a significant increase in enforcement.
For those organizations that had fully implemented the Safe Harbor principles and operating rules into their systems, policies, and training, the stricter vetting should not be too serious a concern. In essence, these firms had treated their Safe Harbor commitments much as any other government-supervised compliance program, with rigor and diligence. Critics of the Safe Harbor program, however, provided evidence of some participants not fully honoring these obligations. Therefore, smaller organizations or those that in the past had treated Safe Harbor as a check-box exercise will find the demand for robust policies, procedures, and internal enforcement mechanisms to be more of a challenge.
The implementation uncertainties are not limited to the US side. Recall that under the Schrems decision invalidating the Safe Harbor program, the ECJ confirmed that each DPA could – and indeed has the responsibility to – assure itself that potential transfers would be treated appropriately. For those DPAs that have expressed skepticism of Safe Harbor, it would not be unrealistic to expect them to solicit information from EU data exporters concerning just how confident the exporter is of the data importer’s protections.
Future challenges to Privacy Shield (as well as model contracts and binding corporate rules)
The United States has been eager to demonstrate its bona fides with respect to honoring the privacy expectations of Europeans whose personal data is in the US. The letter from the Office of the Director of National Intelligence seeks to provide such assurances, as does the approval by Congress of the Judicial Redress Act, signed by the President on February 24, 2016.
It is unlikely, though, that skeptics such as certain European data protection authorities will accept such affirmations at face value. So while the United States will honor and implement the Privacy Shield program, European DPAs and organizations may be more hesitant to commit to a program that may be found invalid for similar reasons as the Safe Harbor (even if several European member states' surveillance programs would fail under a legal standard that found the Privacy Shield unlawful).
Beyond acceptance to the new club, the promise of enhanced enforcement by the FTC and DOT should give all organizations a moment’s hesitation. Even for well-intentioned organizations under Safe Harbor, the paucity of enforcement gave those participants a measure of comfort. While there are different reasons for the lack of enforcement (such as the paltry number of referrals by DPAs to the FTC), the FTC had begun to enforce the Safe Harbor program on its own.
Under Privacy Shield, the Europeans have a new set of expectations concerning enforcement by the United States. Within the US, few in the privacy space disregard the current level of FTC activity (even when formal enforcement is not initiated). It would therefore be unwise to anticipate that FTC enforcement of Privacy Shield – assuming sufficient staff and resources – will be anything to treat casually. But until we have some evidence of this (increased) enforcement activity, it will be difficult to articulate what the compliance risk has now become.
Next steps for US organizations
It is clear that the United States and European Commission have expended significant effort and political resources to move the process to this point. It also seems clear that the US and the EC want this to be a successful program – facilitating the international flow of personal data while respecting legitimate interests such as privacy and national security. There will doubtless be challenges from DPAs, but when taken to their logical extreme such challenges apply equally to all forms of data transfer, the impact of which would be to terminate data flows to the US.
US organizations that were previously certified to the Safe Harbor Program will need to assess how the new, more detailed compliance requirements map to their existing efforts. Some of this will be an operational review, and some will involve a legal analysis of what constitutes compliance under this new regime. Similarly, organizations with developed privacy programs that were not participants in the Safe Harbor program will need to examine their existing programs in light of the new Privacy Shield requirements, and may need to make some adjustments in order to comply with Privacy Shield.
Those US organizations that are smaller or have not built out their privacy compliance programs may want to wait and watch how Privacy Shield works in practice before going through the self-certification process, as it necessarily includes some internal auditing, implementation steps, and public attestations of adherence prior to submitting an application for self-certification.
Since the October invalidation of Safe Harbor, many Safe Harbor-certified and non-Safe Harbor-certified firms have sought to leverage the EC-approved model clauses for their data transfers. This makes sense, and is currently still an option, given the anticipated scrutiny from Europe of data transfers in general.
Next steps in the EU
It is too early to tell whether EU authorities will agree with the Commission’s draft Adequacy Decision. The Commission will now obtain advice from the Article 29 Data Protection Working Party and representative DPAs of member states, several of which have expressed concerns regarding the adequacy of the proposed EU-US Privacy Shield in the past.