On February 2, 2016, representatives from the European Commission (press release) and the United States (press release) announced a preliminary agreement on the “Privacy Shield,” a framework that legitimizes transfers of personal data from the EU to the U.S.
The Privacy Shield is the result of EU and U.S. negotiations that followed the invalidation of the EU-U.S. Safe Harbor under the Schrems case (Court of Justice of the European Union, Case C-362/14) in October 2015. After the Schrems case, EU Data Protection Authorities (DPAs) threatened to begin coordinated regulatory action against U.S. companies if a new “Safe Harbor” arrangement was not created before a January 31, 2016 deadline.
While the Privacy Shield was not announced until February 2, the DPAs stated that their deadline was met and requested that the text of the Privacy Shield be delivered for review by the end of February 2016. The DPAs will meet to form a recommendation on the Privacy Shield at a meeting of the Article 29 Working Party likely to be scheduled in late March 2016.
If the DPAs make a positive recommendation, the Privacy Shield may be adopted into EU law in the following months. If not, the EU and U.S. will likely continue their negotiations over the Privacy Shield, and the DPAs may renew their enforcement threats or begin actions against U.S. companies.
Once the Privacy Shield is adopted and implemented, U.S. companies may receive, store, use and share personal data of EU citizens according to the terms of the framework.
EU-U.S. Privacy Shield, Successor to the EU-U.S. Safe Harbor
The Privacy Shield is intended to legitimize transfers of personal data while satisfying the data protection issues raised by the Schrems case. The Schrems court cited concerns that the Safe Harbor did not provide protection or redress against surveillance by U.S. public authorities.
The Privacy Shield addresses these issues by: 1) obtaining written guarantees from the White House and the U.S. intelligence community with commitments to limit the scope and circumstances of surveillance; 2) requiring the U.S. to create a new “Ombudsperson” to address complaints of EU citizens regarding access of their information by U.S. public authorities; and 3) requiring the EU and U.S. to participate in an annual joint review of the Privacy Shield program, including review of national security access by U.S. public authorities.
The Privacy Shield announcement has been met with criticism, with questions raised about whether the written guarantees of the U.S. government provide meaningful protection for EU citizens, and whether the Privacy Shield can withstand judicial scrutiny. Given the business and political interests involved in protecting the flow of information between the EU and U.S., however, we expect that some form of the Privacy Shield will eventually be adopted into EU law.
Once adopted, the Privacy Shield will continue to face scrutiny in EU courts over surveillance protection and redress issues similar to those of the Schrems case.
Impact on U.S. Businesses
While the full text of the Privacy Shield framework has not been released, U.S. businesses should expect significant operational impact, including:
- Stronger Data Protection Obligations. U.S. companies will need to comply with “robust obligations” for how they collect, use, store and share information of EU citizens. According to the Department of Commerce, this includes (i) increased transparency regarding personal data use; (ii) increased data protections (meaning EU citizens will have more rights to control and monitor how U.S. companies use their data); and (iii) more comprehensive requirements to notify EU citizens of their rights.
- Stepped-Up Enforcement in the U.S. The U.S. Department of Commerce will create a “special team with significant new resources to supervise compliance with the Privacy Shield.” The Privacy Shield will also “strengthen cooperation” between the U.S. Federal Trade Commission and EU DPAs to provide “independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield.” In addition, U.S. companies must submit to the jurisdiction of EU DPAs with regard to human resources data of EU citizens.
- More Redress Rights for EU Citizens. EU citizens will have multiple avenues for bringing complaints, including (i) a no-cost (for the citizen) ADR process between the citizen and U.S. company; (ii) a channel for EU DPAs to refer citizen complaints to the Department of Commerce and FTC; and (iii) a binding arbitration process.
Note that, like the Safe Harbor, the Privacy Shield will not cover use of personal data by EU-based subsidiaries of U.S. companies. EU-based subsidiaries must comply with applicable law of their jurisdiction.
Mitigating Risks In The Meantime
The announcement of the Privacy Shield is a step toward resolving the uncertainty around EU data transfers following the Schrems invalidation of the Safe Harbor. While uncertainty continues in the interim, there are a couple of steps U.S. companies can take to mitigate risks:
- Evaluate alternative options to legitimize EU data transfers in the interim
EU DPAs have made it clear that alternative options remain valid in the interim. The best option will depend on a company’s situation and should be evaluated on a case-by-case basis.
The EU DPAs have stated that data transfers under Model Contract (or Standard Contractual Clause) agreements and Binding Corporate Rules (BCRs) will continue to remain lawful in the meantime. However, the DPAs plan on revisiting the validity of Model Contracts and BCRs in light of the Schrems case in their upcoming March meeting. Data transfers also continue to be lawful for more limited cases permitted by “derogations” of EU privacy law, including transfer with user consent or in performance of a contract.
- Plan for compliance with increased obligations of the Privacy Shield
In the long run, the Privacy Shield will likely be the preferred option for U.S. companies. Like the old Safe Harbor, the Privacy Shield will legitimize EU data transfers while limiting U.S. companies’ exposure to EU regulatory action (as opposed to Model Contracts and BCRs, in which U.S. companies agree to the jurisdiction of the EU DPAs).
However, the compliance demands for certifying to the Privacy Shield will be greater than with the Safe Harbor. U.S. companies will have increased obligations to document user consent, to track, update or delete user data held by the company, and to respond to EU citizen complaints. U.S. companies should begin planning early to allow time to build out the necessary IT capabilities and internal compliance processes. U.S. companies should also work with us and their insurance carriers to evaluate their cyber liability coverage and potential future needs.
As the proposed text of the Privacy Shield is released, we expect to learn more about the impact to U.S. companies. Stay tuned for further updates.