WHAT IS THE PURPOSE OF THE PRIVACY SHIELD?

The Privacy Shield was designed by the U.S. Department of Commerce (DoC) and the European Commission (EC) to enable companies on both sides of the Atlantic to comply with EU data protection law when transferring personal data from the EU to the USA. Beyond that purpose, the Privacy Shield may be useful more generally, for example by positioning certified US organisations as the consumers' choice for cloud services, social media or other "data-heavy" services, or as trusted importers of personal data from within the US or from non-EU jurisdictions such as Canada or Australia.

HOW WILL IT WORK?

In order to become a Privacy Shield organisation (PSO), a US organisation will need to self-certify with the DoC and commit to amending its privacy policy and to implementing the Privacy Shield principles. These principles are as follows:

  • The Notice principle requires PSOs to inform individuals about the Privacy Shield, their rights, a contact point for complaints, the sharing and disclosure of their data (including disclosure to public authorities such as the NSA in response to lawful requests) and the organisation's liability for its data processing.
  • The Choice principle means that individuals must be given the choice to opt out (or, where sensitive data is concerned, to opt in) before their data is disclosed to a third party for marketing purposes or used for any new purpose that was not initially contemplated.
  • The Accountability for Onward Transfer principle requires PSOs to put in place a written contract for transfers of data to other controllers or to agents (data processors), subject to exceptions such as occasional travel bookings for employees.
  • The Security principle imposes a requirement for reasonable security measures appropriate to the nature of the proposed processing and of the personal data.
  • The Data Integrity and Purpose Limitation principle means that data collection must be limited to what is relevant and that data must be kept accurate, complete, current and reliable.
  • The Access principle allows individuals to access their data and to arrange its correction or deletion, unless doing so would create a disproportionate burden or cost.
  • The Recourse, Enforcement and Liability principle requires PSOs to put in place an independent recourse mechanism, free of charge to the individual, which is capable of imposing sufficiently rigorous sanctions. This principle may be satisfied by PSOs submitting to the jurisdiction of a panel of representatives from European data protection authorities (DPAs).

If you are wondering what is missing when compared to the principles in the Data Protection Act 1998, it is the requirement not to keep personal data for longer than necessary. This lack of data retention rules was also raised by MEPs at the meeting of the European Parliament Committee on Civil Liberties, Justice and Home Affairs on 17 March 2016.

Organisations are encouraged to certify early: those that self-certify in the first two months will be granted a nine-month implementation period from certification to put in place the required onward transfer agreements.

WHAT RECOURSE WILL BE AVAILABLE TO EU CITIZENS?

EU citizens will have recourse if they suspect that their personal data is not being processed in a compliant way. At first instance, they may file a complaint with the relevant PSO or invoke the independent, free recourse mechanism. They could also choose to complain to their local DPA, which will presumably become the preferred option for many. At the next level, EU citizens could initiate arbitration before an arbitration panel, with claims heard by arbitrators drawn from a pool agreed between the EC and the DoC. Awards will be subject to judicial review.

The Privacy Shield Ombudsperson at the U.S. State Department will handle complaints from EU individuals concerning access to their data by US national security authorities and will ensure that such complaints are investigated and remedied appropriately. At the regulatory level, the DoC, the FTC and other agencies (for example, the Department of Transportation will oversee how the Privacy Shield is implemented by airlines) will oversee how organisations comply with their Privacy Shield obligations.

In a similar context, the Judicial Redress Act, which was passed earlier this year, gives EU citizens the right to bring lawsuits against U.S. government agencies in U.S. courts in order to access, amend or correct certain records that those agencies may keep about them, or to seek redress for the unlawful disclosure of those records. However, recent cases brought by US citizens against agencies have failed for lack of evidence and because the courts lack the power to force disclosure by the agencies. It will be interesting to see how the Act operates in practice, and we wonder whether another "Max Schrems" is already waiting for his or her chance to test it.

WHEN WILL THE PRIVACY SHIELD LIKELY BE APPROVED?

Safe Harbour was struck down by the Court of Justice of the EU in October 2015 amidst revelations about NSA surveillance. The successor Privacy Shield text was published on 29 February 2016 together with a draft adequacy decision for the EC to consider. Currently, the Privacy Shield is under review by various European bodies, including the Parliament, a committee of Member State representatives and the Article 29 Working Party, which is preparing an opinion on the draft adequacy decision.

According to the European Digital Commissioner, Günther Oettinger, the Privacy Shield is expected to come into force in June, but this seems rather optimistic given the unresolved criticism voiced most recently, and strongly, at the meeting of the Parliament committee on 17 March 2016.

UNRESOLVED CRITICISM

The draft adequacy decision relies on the reassurances given by the US President and the NSA that signals intelligence collection will always be "as tailored as feasible", that targeted collection will be preferred over bulk collection, and that bulk collection will only be used when needed. This commitment has been described as a "clear and unprecedented written assurance" from the US.

However, the surveillance laws that allow US agencies to undertake bulk collection of data on foreign citizens, including "any information relating to US foreign affairs", remain in force, and only Congress could change them. The reassurance from the US government that these broad surveillance laws will be applied narrowly has, perhaps rightly, raised the question: "What will they [the reassurances] be worth if they are signed by President Trump?" The ongoing debate suggests that changes may be proposed to the Privacy Shield and that the negotiation is far from over.

WHERE DOES PRIVACY SHIELD STAND IN THE CONTEXT OF OTHER EEA TRANSFER MECHANISMS?

The Privacy Shield risks losing out against alternative transfer mechanisms, not least because national DPAs are starting to take action against companies which purport to rely on the now invalid Safe Harbour regime. European businesses have been forced to act now, and they most commonly turn to the following transfer mechanisms, both of which require implementation through appropriate internal processes:

  • intra-group data transfer agreements covering controller-to-controller and controller-to-processor transfers within a group of companies, between the EU and the US but also involving other jurisdictions; and
  • standard contractual clauses (model clauses), which can simply be attached to any service or commercial agreement to cover transfers of personal data to third parties located in the US as well as in other jurisdictions.

Given the availability of these mechanisms, and the need to take urgent action, one wonders what benefit, if any, the Privacy Shield will bring for European businesses.

The Privacy Shield will provide a paperwork-free transfer mechanism. However, given the lack of any notification obligation on the part of the US importer, the European exporter will likely want to put an agreement in place to cover those missing obligations. Does this not defeat the purpose of a paperwork-free mechanism? Further, the Privacy Shield will only cover EU-US transfers, whereas the mechanisms mentioned above also cover exports to other jurisdictions.

Furthermore, the Privacy Shield will not be available to organisations in the telecoms, insurance and banking sectors, which fall outside the jurisdiction of the FTC (or the Department of Transportation), a prerequisite to self-certification.

Finally, why would an organisation want to sign up to another set of rules enforced by the FTC, which is known for its strict approach?

To finish on a positive note, the Privacy Shield is a great step forward for the US privacy landscape, and it remains to be seen how its benefits will translate into EU-US business and consumer relations on a practical level.