Following the decision of the Court of Justice of the European Union (“CJEU”) in Schrems v Data Protection Commissioner[1] and the subsequent statement of the Article 29 Working Party,[2] transfers of personal data from the European Union (“E.U.”) to the United States (“U.S.”) under the Safe Harbor scheme are regarded as potentially unlawful. The European Commission has recently published a draft adequacy decision and detailed provisions for a proposed new data protection framework for the transfer of personal data known as the E.U.-U.S. Privacy Shield (“Privacy Shield”).[3] If formally adopted, the adequacy decision is expected to take effect in June 2016. This memorandum provides an overview of the Privacy Shield, a summary of the obligations and protections it aims to provide, and practical guidance for organizations on the steps that can be taken in preparation for its implementation.
Overview of the Privacy Shield
The European Commission draft adequacy decision sets out its view that data transfers pursuant to the Privacy Shield will satisfy the standard for international data transfers under the European Data Protection Directive 95/46/EC.[4] While the draft is subject to review by the Article 29 Working Party and still has to be formally adopted by the E.U.’s College of Commissioners, it nonetheless provides a firm indication of the likely structure and content of the replacement framework. To the extent that any changes are required to the proposed Privacy Shield before it can be implemented, they are likely to impose additional requirements rather than water down the current proposals.
The Privacy Shield comprises a statement of framework principles issued by the U.S. Department of Commerce (“DoC”) in consultation with the European Commission, together with supporting letters from six separate U.S. authorities. The letters contain unilateral commitments to enforcement of the scheme and representations with regard to the safeguarding of personal data from U.S. Government surveillance. Like the existing Safe Harbor scheme, the Privacy Shield is not enshrined in a treaty and is not subject to enforcement through international public law, but is dependent upon ongoing E.U. and U.S. co-operation.
In order to rely on the Privacy Shield, an organization will be required to self-certify its adherence to seven core principles (“Privacy Principles”), which are supplemented by additional requirements in the case of transfers of sensitive personal data and in certain other circumstances (“Supplemental Principles”). While participation in the Privacy Shield is voluntary, compliance with the requirements of the scheme is compulsory and will be subject to enforcement by the U.S. Federal Trade Commission (“FTC”) and the U.S. Department of Transportation (“DoT”). Failure to comply will be enforceable under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts in or affecting commerce (15 U.S.C. § 45(a)), or under other equivalent laws or regulations. The DoC will actively monitor compliance by the organizations that have self-certified and make available to the public an authoritative list of the participating U.S. organizations. Annual re-certification is compulsory. The DoC will remove from the list any organization that voluntarily withdraws from the scheme, has not re-certified or persistently fails to comply with the Privacy Principles. Organizations that leave the Privacy Shield must return or delete any E.U. personal data held, or continue to apply the Privacy Principles for as long as the data is held.
The Privacy Shield will be subject to an annual joint review by the DoC and the European Commission for the purposes of monitoring ongoing compliance and to ensure the proper functioning of the Privacy Shield. The European Commission will also check periodically whether any adequacy decision is still factually and legally justified in light of changes to the U.S. legal order and the protections afforded.
The Privacy Principles
The seven Privacy Principles under the Privacy Shield are summarized as follows:
- Notice: Organizations must notify data subjects of thirteen separate matters, including the types of personal data collected, the purposes for which personal data will be collected and used, the identity of any third parties to which personal data will be disclosed and the right of individuals to access personal data held about them.
- Choice: Organizations must offer individuals the opportunity to opt out of disclosure of their personal data to third parties or usage of such data for a purpose that is materially different from the purposes for which it was originally collected or subsequently authorized. Additional requirements apply in relation to the processing of sensitive personal data.
- Accountability for Onward Transfer: Transfers of personal data to third parties (whether acting as controller or processing agent) may only take place for limited and specified purposes and are subject to the implementation of a written agreement that the third party will afford equivalent protections to the Privacy Principles.
- Security: Organizations must take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Data Integrity and Purpose Limitation: Personal data must be limited to information that is relevant for the purposes of processing and organizations must take reasonable steps to ensure that information is reliable for its intended use, accurate, complete and current (for as long as the personal data is retained).
- Access: Individuals must have access to personal data about themselves that an organization holds and be able to correct, amend or delete that information where it is inaccurate or has been processed in violation of the Privacy Principles.
- Recourse, Enforcement and Liability: Organizations must implement robust mechanisms for assuring compliance with the Privacy Principles and ensure that individuals’ complaints and disputes are investigated and resolved at no cost to them. They must also monitor and verify that representations and attestations contained within their privacy policies are true.
Mechanisms for Redress
The U.S. Office of the Director of National Intelligence and the U.S. Department of Justice have provided written assurances that U.S. public authorities and the U.S. Government will only access E.U. personal data for law enforcement, national security and other public interest purposes, and that such access will be subject to clear limitations, safeguards and oversight. The U.S. Department of State will also establish a new Privacy Shield Ombudsperson who will be responsible for investigating and responding to complaints from data subjects about the conduct and practices of the U.S. intelligence agencies. In addition, the Judicial Redress Act confers upon certain foreign citizens a right of action against certain U.S. authorities in relation to amendment or correction of their personal data or redress for misuse of such data.
Individuals within the European Economic Area who consider that their personal data has been misused will have several avenues of redress under the Privacy Shield. Data subjects will be encouraged to raise any complaint with the participating organization in the first instance, which is then required to respond within 45 days of receiving the complaint. Organizations must also designate an independent body to investigate and resolve complaints, ensuring that recourse is without cost to the individual concerned. In addition, E.U. resident data subjects will be able to file complaints with their local Data Protection Authority, which will work with the DoC or FTC in order to achieve a resolution. Participating organizations will also commit to co-operating with E.U. Data Protection Authorities, including in relation to remedial or compensatory measures. For residual claims, data subjects will also have a right to submit their complaints regarding misuse of personal data to binding arbitration by one or three arbitrators.
Preparations for Implementation
While awaiting the conclusion of the E.U. adoption process, organizations will need to consider both their short-term position and future strategy with regard to any overseas transfers of personal data.
In response to the Schrems decision and subsequent Article 29 Working Party Statement, the United Kingdom (“U.K.”) Information Commissioner’s Office (“ICO”) indicated that it will not proactively be taking steps with regard to enforcement as “there is no new and immediate threat to individuals’ personal data that has suddenly arisen that we need to act to quickly prevent.” The ICO will consider any complaints that arise, but its general advice for U.K. organizations is to review their policies and procedures with regard to data processing and transfers to ensure that personal data is adequately protected. This will likely include consideration of other approved methods of overseas transfer, namely Model Contracts and Binding Corporate Rules (although these may also be susceptible to legal challenge). The U.K. position is to be contrasted with that in France and Germany, where enforcement actions are understood to have already been commenced against organizations based upon their continued reliance on Safe Harbor.
Beyond the short term, organizations will need to evaluate the Privacy Shield and decide whether to adopt it, either instead of another approved method of transfer or as a supplement. The Privacy Principles will apply immediately upon certification. There are no transitional provisions for organizations that are already Safe Harbor registered, although there may be some advantage to early adoption of the Privacy Shield after the effective date. Organizations that certify to the Privacy Shield in the first two months following the framework’s effective date are required to bring existing commercial relationships with third parties into conformity with the ‘Accountability for Onward Transfer’ Principle as soon as practicable, but no later than nine months from the date of certification. Presumably, certifications to the Privacy Shield outside of this two-month early adopter period will require immediate compliance with all of the Privacy Principles, without any period of grace in respect of existing arrangements.
U.S. organizations intending to join the Privacy Shield scheme should begin reviewing their existing policies and procedures with a view to carrying out a gap analysis against the requirements of the proposed scheme. Organizations will, for example, need to review their data collection processes to ensure that they do not collect more personal data than is necessary and that it is securely protected. Where necessary, the policies and procedures should be updated. Steps should also be taken to ensure that websites are updated to include details of an organization’s privacy policies, which are required to be publicly disclosed under the new framework. U.S. organizations should also undertake a review of any arrangements under which they may transfer personal data to third parties. This may be a particular issue in the technology sector, where a number of functions are routinely outsourced to smaller specialists. In each case, written agreements will need to be implemented to ensure a flow-down of obligations.