The European Commission has today adopted the Privacy Shield. The Privacy Shield is intended to provide a framework for EU-US data transfers.
What is the Privacy Shield?
European data protection law restricts the transfer of personal data outside the European Economic Area (EEA) unless the country to which the data is transferred ensures an adequate level of data protection. The Privacy Shield is a mechanism for overcoming this restriction and legitimising the transfer of personal data to some US companies.
Why do we need the Privacy Shield?
Until 6 October 2015, over 4,000 US companies relied on the Safe Harbour regime to legitimise the transfer of personal data to the US. The Safe Harbour regime was declared invalid by the Court of Justice of the EU (CJEU) on 6 October 2015. The Privacy Shield will replace the Safe Harbour regime.
After the CJEU's ruling many US companies turned to the Model Contractual Clauses to legitimise their transatlantic data transfers. The approval of the Privacy Shield will be welcomed by multinational companies, particularly as the Irish Data Protection Commissioner recently sought a referral to the CJEU to determine the legal status of data transfers under Model Contractual Clauses. However, Model Contractual Clauses remain a valid method of transatlantic transfer unless declared invalid by the CJEU, which may not be determined for up to another two years.
Announcing the adoption of the Privacy Shield today, the European Commission stated that:
"The new arrangement will impose stronger obligations on companies in the U.S. to protect the personal data of individuals and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including an increased cooperation with the European Data Protection Authorities. The new arrangement includes written commitments and assurance by the U.S that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access. The newly created Ombudsperson mechanism will handle and solve complaints or enquiries raised by EU individuals in this context".
How does the Privacy Shield seek to address the requirements set out by the CJEU last October 2015?
- Stronger obligations on US companies' handling of data and robust enforcement, including oversight mechanisms to assess compliance with the Privacy Shield Principles, sanctions or exclusion if they do not comply, and tightened conditions for onward transfers.
- Limitations on US Government access to personal data for national security purposes. Written commitments from the Office of the Director of National Intelligence (White House) ruling out indiscriminate mass surveillance on data transferred under the Privacy Shield. In addition the US Secretary of State has committed to establishing an Ombudsperson to deal with complaints from individuals if they fear that their personal information has been used unlawfully by US authorities in the area of national security.
- Several redress possibilities for EU citizens in case of misuse of their data by US companies, which are discussed below.
- Annual joint review conducted by the European Commission and the US Department of Commerce, associating national intelligence experts from the US and European Data Protection Authorities.
How will the Privacy Shield work in practice?
US companies will register to be on the Privacy Shield list and self-certify that they meet the high data protection standards set out by the arrangement. They will be required to renew their registration annually. While a company's decision to self-certify will be voluntary, once a company publicly commits to the Privacy Shield, its commitment is enforceable under US law by either the Federal Trade Commission or Department of Transportation.
The US will maintain a list of Privacy Shield members, removing companies that leave the arrangement.
What redress options does the Privacy Shield provide for EU citizens in the US if their data is misused by Privacy Shield certified companies?
Any individual who considers that his/her data has been misused has several redress possibilities, including:
- Lodge a complaint directly with the company itself, who must respond to an individual within 45 days;
- Take their complaint to their national Data Protection Authority, who will work with the U.S. Department of Commerce and Federal Trade Commission to swiftly investigate and resolve complaints by EU citizens. If handling human resources data, US companies will be required to co-operate and comply with European Data Protection Authorities. Otherwise compliance by US companies with the advice of European Data Protection Authorities is a voluntary commitment;
- Alternative Resolution free of charge. US companies will be required to provide details in their published privacy policies of an independent dispute resolution body where consumers can address their complaints, including providing a link to the website of their chosen dispute resolution provider. The Department of Commerce is responsible for verifying that companies have implemented this obligation; and
- Recourse to the Privacy Shield Panel. If a case is not resolved by any other means, as a last resort there will be an arbitration mechanism. The Privacy Shield Panel will be able to take binding decisions against US self-certified companies. In order to ensure that individuals are not discouraged from using the Privacy Shield Panel, it is intended that access to the Privacy Shield Panel will be at no cost to individuals. There will be a possibility to participate by video-conference and free of charge translation and interpretation.
Can the Privacy Shield be challenged?
It remains to be seen whether privacy activists or European Data Protection Authorities will challenge the Privacy Shield, which can only be invalidated by the CJEU. Although the Privacy Shield was approved by representatives of most EU Member States last Friday, it is notable that some countries reportedly abstained from voting, including Austria, Bulgaria, Croatia and Slovenia. In addition, whilst Tech companies have welcomed the Privacy Shield, privacy activists have criticised it for not going far enough to protect the privacy of European citizens when their data is transferred to the US.
The European Commission's "adequacy decision" on EU–US transfers under the Privacy Shield will be notified to Member States today and enter into force immediately. The Privacy Shield agreement will be published in the Federal Register, and the US Department of Commerce will start operating the Privacy Shield. Companies will be able to certify with the Commerce Department starting 1 August 2016.
The European Commission has indicated that it will publish a short guide for citizens explaining the available remedies in case an individual considers that his/her personal data has been used without taking into account the data protection rules.