A large company with offices in Europe and the United States had self-certified to adhere to the EU-US Safe Harbor framework and relies on the framework for its intra-company transfers of data. Then the Safe Harbor framework is struck down by the Court of Justice of the European Union. The company’s general counsel is pleased to learn that a new framework, the EU-US Privacy Shield, has been proposed, but isn’t sure what the company will need to do to comply with the new Privacy Shield if the new framework is formally adopted.
In October 2015, the Court of Justice of the European Union ("CJEU") held that transfers of personal data from Europe to the United States made under the so-called EU-US Safe Harbor scheme were invalid, as those transfers did not ensure an adequate level of protection under European data protection law. The case was filed by Max Schrems, a Facebook subscriber from Austria, who complained that the Safe Harbor framework failed to adequately protect his data when it was transferred by Facebook from Ireland to the United States.
In the aftermath of the decision, the Article 29 Working Party (the organization that represents the data protection authorities of the European Union) set the end of January as the deadline by which representatives of the European Union and the United States had to find solutions to address the CJEU’s decision in Schrems. Negotiations between the European Union and the United States to improve the Safe Harbor framework had been ongoing since the framework first came under scrutiny after Edward Snowden’s revelations concerning US surveillance.
Announcement of New Privacy Shield
On February 2, 2016, the European Commission announced that it had reached a high-level agreement on a series of measures with the United States to resolve the issues identified in the CJEU’s ruling. The new framework is called the EU-US Privacy Shield, and it includes the following commitments:
- An organization must publicly commit to the manner in which, and the purposes for which, it will process personal data in the United States and agree to comply with enhanced requirements about the manner in which personal data will be processed by it. Existing restrictions concerning onward transmission of personal data from the United States to other countries will be tightened.
- Each organization that certifies that it complies with the EU-US Privacy Shield scheme will have its compliance with the scheme monitored and reviewed by the US Department of Commerce. If an organization is found not to have complied with its commitments, sanctions will be applied against that organization by the US Federal Trade Commission and it may be removed from the EU-US Privacy Shield scheme certified list.
- If an individual has a complaint with respect to the way in which his or her personal data has been processed by an organization, the complaint must be considered by the organization within a limited time frame and at no cost to the individual. If that complaint is not resolved, the individual concerned may refer the complaint to the appropriate European data protection authority, again at no cost, which may decide to refer the complaint to the US Department of Commerce and Federal Trade Commission for their consideration. The US Department of Commerce and Federal Trade Commission will be required to investigate and resolve the complaint within a reasonable, but limited, time frame. If the complaint is not resolved to the individual's satisfaction, the complaint can be referred to arbitration for final resolution.
- The US Director of National Intelligence will provide a binding, written assurance to the European Union that access to personal data about European citizens for national security and law enforcement purposes will only occur to the extent it is necessary and proportionate, that the access will be subject to clear limitations, safeguards and oversight mechanisms and that no indiscriminate or mass surveillance on personal data transferred to the United States under the new scheme will occur.
- President Obama recently signed the Judicial Redress Act into law. This Act was significant to the negotiations over the Privacy Shield because it provides European citizens with the same rights of redress as US citizens with respect to unlawful access of their personal data by US public bodies. Separate from the rights allowed by the Judicial Redress Act, the Privacy Shield would require that any complaints about access to personal data by US national intelligence authorities that have been referred to the United States by European data protection authorities will be heard by an ombudsman to be appointed in due course. The Ombudsman will operate independently of the US national security authorities.
- There will be a joint annual review of and report into the functioning and compliance with these arrangements by the European Commission and US Department of Commerce.
Will it be Final?
The agreement that was announced is an agreement in principle. The drafting of the respective commitments will take some time, and the European Commission anticipates that it will take three months (i.e., until May 2016) for the European and US authorities to finalize and put into place the arrangements, which will include obtaining the advice of the Article 29 Working Party.
What To Do Next?
Companies receiving data from Europe should immediately review the types of personal data being transferred and processed and the purposes for which that personal data are being transferred and processed. If personal data is being transferred under the Safe Harbor framework, then the company should determine if it is possible to suspend the processing of personal data or conduct it in the European Union. Companies can also consider alternative mechanisms for transferring that personal data, such as Standard Contractual Clauses. As there may be future legal challenges to the new Privacy Shield, or to the alternative methods of transferring data, and we cannot predict how the European courts will respond, it is suggested that companies follow any new developments closely.