European Union and United States officials announced early February 2016 a political agreement to create the “Privacy Shield”, an anticipated solution to the now defunct Safe Harbor framework. Finalizing a solution to avoid a potential cross-border data transfer standstill became urgent after Safe Harbor was invalidated in October 2015 and the EU Data Protection Authorities’ (DPAs’) grace period enforcing unlawful transfers expired on January 31, 2016. Though met with a sigh of relief by many, it may be wise to hold off on the Privacy Shield tickertape parade just yet. Officials expect its details to be released by the end of February (no documents or details accompanied the announcement) but it then must wind its way through the EU’s bureaucratic approval process and will likely be challenged in court after implementation. Nevertheless, there is a strong probability that the Privacy Shield will be the next alternative transfer mechanism available and businesses should pay close attention to it and its context when determining whether to undertake transatlantic data transfers.
Under the EU’s Data Privacy Directive 95/46/EC personal data may only be transferred to a country outside the EU if that country has an “adequate” level of data protection. Lacking this, such transfers are unlawful. The U.S., in this context, does not have “adequate” privacy laws. Under the Data Privacy Directive certain transfer mechanisms are permitted, including Standard Contractual Clauses (SCC) and Binding Corporate Rules (BCR). Still, due to the sometimes cumbersome nature of these, the U.S. and EU created the self-certifying Safe Harbor agreement. This was invalidated by the CJEU in Schrems v. Data Protection Commissioner (Case C-362/14) in October 2015 and the legality of the alternative transfer mechanisms have also been called into question.
In reaction, the EU’s Working Party 29 (WP29) urged the EU and U.S. to find political, legal and technical solutions that would enable data transfers respecting fundamental rights by January 31, 2016. On February 2, 2016, the “political agreement” to create the “Privacy Shield” was announced.
According to the officials, the Privacy Shield is to “protect the fundamental rights of Europeans” in cross-border data transfers to the U.S. By reflecting the requirements outlined in Schrems, it will provide stronger obligations and “vigorous” or “stronger monitoring and enforcement” upon U.S. companies by the Federal Trade Commission, U.S. Department of Commerce, and EU DPAs. The agreement’s specifics remain unknown but three particular elements underpin it:
- Strong obligations on companies handling Europeans’ personal data and robust enforcement;
- Clear safeguards and transparency obligations on U.S. government access; and
- Effective protection of EU citizens’ rights with several redress possibilities.
What exactly the “strong obligations” are and how the enforcement will be “robust” has not been elucidated. Yet the framework will expressly address contractual privacy protections and oversight for the onward transfer of data (transfer by participating U.S. companies to a third party or processed by the company’s agents). It is also clear that EU citizens may now access their personal data and have inaccuracies corrected.
To prevent generalized government access and mass-surveillance there will be new commitments that access by the U.S. government to data for law enforcement and security purposes is subject to clear conditions, limitations and oversight mechanisms. To further appease European privacy concerns the agreement will be a “living framework” subject to an annual joint review by the FTC, Commerce Department, U.S. State Department and EU DPAs. The negotiating-parties stress that the high standards set by Schrems are addressed by “written assurances” of the U.S. that government surveillance will not be indiscriminately conducted on the data transferred. The U.S. is also documenting the multiple constitutional, statutory and policy intelligence-oversight safeguards employed. Finally, if the U.S does not fulfill its commitments a suspension clause may be triggered.
U.S. entities will register under the Privacy Shield with the U.S. Department of Commerce. EU citizens can issue a complaint directly with a U.S. entity transferring data under the Privacy Agreement for its violations and there will be a deadline by which the entity must respond. In the alternative, the EU citizen may elect to undertake arbitration at no cost to the individual. Presumably under the Federal Arbitration Act, the arbitration decision could give rise to judicial review. As under the Safe Harbor agreement, DPAs can still refer any complaints they receive to the FTC for enforcement. Last, an ombudsman is to be created by the U.S. government dedicated to European citizens’ complaints on surveillance. This ombudsman will not be a figurehead but someone actually capable of addressing and acting upon individuals’ complaints regarding surveillance. Yet the U.S. Senate passed the Judicial Redress Act on February 10, 2016. Once enacted, U.S. allies’ citizens, including the EU, will have the right of civil action against the U.S. Government for privacy violations. It is unclear how this Act will affect the ombudsman and whether the two will converge or offer two separate avenues for redress.
Any organization’s current reliance upon the Privacy Shield is premature. For the Privacy Shield to be fully implemented and utilized by companies, the EU Commission must first draft an “Adequacy Decision.” The consulting committee of EU member states and the WP29 must then vet, advise upon and approve the Decision, which can take several months. The WP29 does not expect to provide its results until April 2016 at the earliest. There is an anticipated plenary meeting of the WP29 at the end of March to address this agreement and the other alternative methods of transfer under the Directive because of the Schrems holding. Depending upon the assessment, the College of Commissioners will decide whether to adopt the Privacy Shield Decision. There is also some concern about the legality and lasting viability of the agreement and its enforcement, particularly as administrations and Congress changes. This is because the Privacy Shield is not a treaty but binding commitments outlined in an exchange of letters between the U.S. and the EU.
As we continue to monitor the developments on both sides of the Atlantic, it is important for businesses to consider the following key points:
- Any reliance on Safe Harbor must cease and be reflected on the business’ website. Transfers under Safe Harbor have been unlawful since October 2015 and the FTC will enforce this. The basis for any cross-border transfer must be some other recognized transfer mechanism, such as BCRs, SCCs or, where permissible, informed consent.
- Review and keep current with not only US and EU privacy laws, guidelines and procedures, but also those of the member states and DPAs in which you may have a controller or processor of data. Compliance goes beyond signing an SCC or implementing a BCR. Compliance must be maintained in the practices and procedures for collecting, using, storing, disclosing and destroying data.
- Conduct a privacy assessment of personal data collected to identify their country of origin and avoid unnecessary transfers of personal data by your organization and third-parties.
- Identify an individual to assess and memorialize the legal basis of your entity’s personal data transfers, and to provide recommendations for best alternative transfer mechanisms going forward. Though the DPAs will likely initially seek enforcement against high profile companies, it is critical for all organizations to demonstrate a good faith effort of compliance under the current legal framework, shifting as it may be, as opposed to taking a do-nothing approach.
- Begin ensuring privacy practices comply with the General Data Protection Regulation (GDPR). The Privacy Shield, when finalized, requires tougher standards than the old Safe Harbor framework, thus self-certification must not be blithely undertaken nor inattentively maintained. Though not effective until 2018, the GDPR will remove the patchwork approach to privacy enforcement across the member states under the current directive, replacing them with across-the-board stringent regulations.