Background

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company or employer intended to transfer personal data from the EU into the U.S., they traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules.

The U.S.-EU Safe Harbor framework (“Safe Harbor”) was developed by the U.S. Department of Commerce (“DOC”). Safe Harbor operated by allowing participating companies to pledge adherence to seven privacy principles and agree that the U.S. Federal Trade Commission (“FTC”) could investigate and enforce that adherence. In 2000, the EU Commission reviewed the seven principles and the FTC enforcement mechanism and determined that companies that certified their adherence to the framework met the Directive’s adequacy requirement. In October of 2015, however, the European Court of Justice held that the Safe Harbor was invalid because it violated the Directive’s principles as well as EU fundamental rights. Following that decision, companies covered by the Safe Harbor could no longer rely upon it as a basis of adequacy.

In February, the European Commission (“EU Commission”) released the text of the EU-U.S. Privacy Shield Framework (“Privacy Shield”) that is designed to replace the invalidated Safe Harbor and govern the transfer of personal data between the EU and U.S. The Privacy Shield is designed to impose stronger obligations on U.S. organizations for protecting the personal data of EU individuals than were afforded under the Safe Harbor.

Privacy Shield Principles and Self-Certification

To take advantage of the Privacy Shield to effectuate transatlantic data transfers, employers must annually self-certify to the DOC their compliance with the following Privacy Shield principles (“Privacy Shield Principles”):

  1. Notice – Inform individuals as to the organization’s adherence to the Privacy Shield Principles.
  2. Choice – Provide individuals with the right to opt out of the disclosure of their personal information to third parties, or, in the case of sensitive information, to opt in.
  3. Accountability for Onward Transfer – Assume responsibility for disclosures of personal information to third parties and contractually require such third party’s compliance with the Privacy Shield Principles.
  4. Security – Implement reasonable and appropriate data security measures.
  5. Data Integrity and Purpose Limitation – Limit the collection and retention of personal information to the disclosed purpose for collection and use of such personal information.
  6. Access – Provide individuals with the right to access, correct, or delete their personal information.
  7. Recourse, Enforcement, and Liability – Provide enforcement and recourse mechanisms for individuals affected by non-compliance with the Privacy Shield Principles.

Benefits of the Privacy Shield are guaranteed from the date that the DOC places the employer on the publicly available list of Privacy Shield organizations (“Privacy Shield List”). The DOC is required to maintain the Privacy Shield List based on the annual self-certification process, and update the Privacy Shield List based on re-certifications and its own proactive efforts to monitor organizations’ compliance with the Privacy Shield Principles. If an employer wishes to have the Privacy Shield apply to human resources data, the employer must additionally indicate its willingness to cooperate with the relevant EU data protection authorities and provide the DOC with a copy of its human resources privacy policy.

If an employer is removed from the Privacy Shield List, then it is no longer permitted to take advantage of the Privacy Shield’s “adequate protection” determination to facilitate transatlantic data transfers. Despite not being permitted to take advantage of the benefits of the Privacy Shield, organizations removed from the Privacy Shield List must continue to apply the above principles to the information they received while participating in the Privacy Shield, and must annually affirm their continued compliance for so long as they retain such information. Any organization that has been removed from the Privacy Shield List and continues to claim participation in the Privacy Shield may be subject to a regulatory enforcement action.

Privacy Policy Requirements

In order to rely on the Privacy Shield, employers who handle an EU individual’s personal data must make the following updates to their publicly available privacy policies:

  1. Include a statement of the employer’s participation in the Privacy Shield framework.
  2. Provide a hyperlink to the Privacy Shield List.
  3. Include a statement of the individual’s right to access his or her personal data.
  4. Include a statement that the employer may be responsible for disclosures of information to third parties acting on its behalf.
  5. Identify the independent dispute resolution body that is available to investigate and resolve complaints from individuals. Examples of independent resolution bodies include alternative dispute resolution providers based in the U.S. or EU or a dispute resolution panel established by the EU data protection authorities.
  6. Provide a hyperlink to the complaint submission form for the independent dispute resolution body.
  7. Include a statement that the employer is subject to the authority of relevant regulatory bodies and that it may be required to disclose personal information in response to lawful requests made by regulators or law enforcement.

Redress against U.S. Employers and Government Agencies: Binding Arbitration, Privacy Shield Ombudsperson, and Judicial Redress Act of 2015

In our initial discussion of the Privacy Shield, we asked whether there would be separate alternative dispute resolution mechanisms or if the U.S. Department of State’s (“DOS”) new “Privacy Shield Ombudsperson” would be the final arbiter of complaints, especially those regarding national security matters. We also questioned the interrelationship between the Privacy Shield’s internal redress rights and those provided under the Judicial Redress Act, which has since been enacted in the U.S. The recent release of documentation on the Privacy Shield sheds new light on those questions, highlighting an array of options for EU citizens seeking redress.

First, the DOC has committed to adopt well-established arbitral procedures, such as those developed by the American Arbitration Association (“AAA”) or Judicial Arbitration and Mediation Services (“JAMS”), to handle claims before a “Privacy Shield Panel” composed of one or three arbitrators as agreed upon by the parties. The Privacy Shield Panel may only award “individual-specific, non-monetary equitable relief” (e.g., access, correction, deletion). Damages, costs, fees and other remedies may not be awarded, but an EU citizen can still bring claims for damages that are otherwise available by law. The Privacy Shield Panel may only hear “residual” claims, that is, those that remain at least partially unremedied following attempts to resolve the dispute directly with the employer or through other recourse mechanisms. Participating U.S. employers will be required to make annual contributions to an arbitration fund established by the DOC, and will be bound by the Privacy Shield Panel’s decisions, subject to enforcement under the U.S. Federal Arbitration Act.

Second, the DOS has established the new role of Privacy Shield Ombudsperson to “facilitate the processing of requests relating to national security access to data” transferred from the EU to the U.S. The Ombudsperson will handle requests under the Privacy Shield framework as well as those made pursuant to binding corporate rules, standard contractual clauses, and other lawful means of EU to U.S. data transfer (called “derogations”). Requests to the Ombudsperson will be made through the EU individual’s Member State’s body “competent for the oversight of national security services.” This procedure will not preclude individuals from requesting access to records under the U.S. Freedom of Information Act (“FOIA”) or alleging violations of law or other misconduct through the Inspectors General or Privacy and Civil Liberties offices within respective U.S. agencies. For the current administration, Secretary of State John Kerry has appointed Under Secretary of State Catherine A. Novelli, who is the Senior Coordinator for International Information Technology Diplomacy, as the Privacy Shield Ombudsperson.

Finally, President Barack Obama signed the Judicial Redress Act (“JRA”) into law recently, which will allow non-U.S. individuals from countries designated by the U.S. Department of Justice to seek redress under the U.S. Privacy Act of 1974. The Privacy Act allows an individual to request Government-held data, with remedies ranging from those equitable in nature (e.g., access, correction, amendment) to civil damages and attorney’s fees to criminal fines and penalties.

Taken together, these redress mechanisms represent a significant departure from past methods available to EU individuals. Once the Privacy Shield framework is fully developed and JRA country designations are made, EU individuals may seek redress against U.S. employers or Government agencies through one or more robust procedures with a fair guarantee that their rights are essentially equivalent to those they enjoy in their own countries.

Human Resources Data

The Privacy Shield contains separate rules for employers transferring human resources data. These employers must cooperate with the respective EU Member States to ensure compliance with local labor laws related to such human resources data. While these employers will still have to comply with the Privacy Shield’s notice and choice principles, they may be exempt from the access obligations in certain circumstances, such as employee security investigations, employee monitoring, or where it may prejudice “sound management.” The employer must also provide the DOC with a copy of its privacy policy relevant to human resources data and a location where the privacy policy is available for viewing by employees.

Impact on Employers

The Privacy Shield offers new potential for global employers and companies to conduct transatlantic business involving personal data transfers. While the framework must still be reviewed by the EU’s Article 29 Working Party (composed of data protection authorities from each EU Member State) and then formally adopted by the EU Commission, employers should immediately begin to educate relevant stakeholders on Privacy Shield compliance. Once the EU Commission has adopted the adequacy decision, employers looking to take advantage of the Privacy Shield should determine if they need to adjust their privacy practices and make updates to their privacy policies to meet the new standards. In the meantime, employers can still take advantage of other data transfer mechanisms, such as binding corporate rules and standard contractual clauses. An employer’s choice of data transfer mechanism will depend largely on the employer’s specific business model, corporate structure, data flows, and employee base in the EU.