The European Commission has released the legal texts that will constitute the EU-US Privacy Shield which will replace the Safe Harbour framework, which was declared invalid by the Court of Justice (CJEU) last October. Unlike its predecessor, the Privacy Shield covers not only commitments in the commercial sector, but also access to personal data by public authorities for national security purposes.
The documents released include the draft “adequacy decision”, the Privacy Shield Principles which will apply to all US companies providing services on the EU market, as well as written commitments by the US Government on the enforcement of the Privacy Shield, including safeguards and limitations concerning access to data by US national intelligence agencies.
The Privacy Shield aims to provide European citizens with more transparency about transfers of their personal data to the US and stronger obligations on US companies to protect their data. It requires stronger monitoring and enforcement by the US Department of Commerce (DoC) and the Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities (DPAs). It also provides several redress possibilities for individuals in case of complaints either directly with companies, or with the help of their local DPA.
How will the Privacy Shield work?
US companies will register to be on the Privacy Shield List and self-certify annually that they meet the requirements set out. The DoC will administer the programme and verify that companies' privacy policies are presented in line with the relevant Privacy Shield Principles and are readily available on their websites.
The DoC will monitor compliance of self-certified companies with the Privacy Shield Principles on an ongoing basis, including through detailed questionnaires. These reviews will take place when the DoC receives specific complaints, when a company does not provide satisfactory responses, or when there is credible evidence suggesting that a company may not be complying with the Privacy Shield Principles. If companies do not comply in practice they will face sanctions and removal from the list.
How will the Privacy Shield be enforced?
The FTC will be responsible for enforcing the programme. The European Commission and the DoC will also conduct an annual joint review, along with US national intelligence experts and European DPAs, to monitor the functioning of the Privacy Shield. This will enable the US to be held accountable to its commitments. In cases where US companies or public authorities are not abiding by their commitments, the Commission may activate the process to suspend the Privacy Shield. The Commission will also issue a public report to the European Parliament and Council on the basis of the review and other relevant sources of information (such as transparency reports by companies). In addition, the Commission will hold an annual privacy summit with interested NGOs and stakeholders to discuss broader developments in the area of US privacy law and their impact on European citizens.
Will mass surveillance be allowed by US national intelligence agencies?
The Director of US National Intelligence has given the EU a written assurance that no indiscriminate or mass surveillance will occur, stating that any access by public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanism.
In addition, the US Secretary of State has committed to establishing an Ombudsperson, within the Department of State, who will be independent from the national security services, and to whom European citizens can complain or make enquiries about possible access by national intelligence authorities. This right will apply not only to Privacy Shield transfers but to all personal data transferred to the US for commercial purposes, irrespective of the basis used to transfer those data (i.e. standard model clauses or binding corporate rules). These written commitments will be published in the US federal register.
A letter released by the European Commission, from Robert Litt, General Counsel of the Office of the Director of National Intelligence, highlights that following the Snowden revelations, in January 2014, President Obama issued Presidential Policy Directive 28 (PPD-28) which imposes limitations for intelligence operations. The PPD-28 requires data collection by the intelligence services to be targeted. It limits the bulk collection of data to six specific national security purposes: detecting and countering certain activities of foreign powers; counterterrorism; counter-proliferation; cybersecurity; detecting and countering threats to US or allied armed forces; and combating transnational criminal threats, including sanctions evasion.
Robert Litt's letter also highlights that the USA Freedom Act, signed into law in June 2015, significantly modified U.S. surveillance and other national security authorities, and allows companies to issue transparency reports on the approximate number of government access requests.
What redress possibilities do European citizens have in the US if their data is misused by commercial companies?
Any European citizen who considers that their data has been misused will have several redress possibilities:
- Lodge a complaint with the company - Companies commit to respond to complaints within 45 days. In addition, any company handling human resources data from Europe has to commit to cooperate and comply with decisions by the competent European DPA, while other companies may voluntarily make such a commitment.
- Complain to their ‘home’ DPA: The DPA will then refer the complaint to the DoC, who will respond within 90 days, or the FTC, if the DoC is unable to resolve the matter.
- Alternative Dispute Resolution: On self-certifying to the Privacy Shield, companies must designate an independent dispute resolution body (either in the US or the EU) to investigate and resolve individual complaints free of charge. Companies will be required to include information in their published privacy policies about the independent dispute resolution body where consumers can address their complaints. They must provide a link to the website of their chosen dispute resolution provider and the DoC will verify that companies have implemented this obligation.
- Arbitration - If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Individuals will be able to have recourse to the Privacy Shield Panel, a dispute resolution mechanism that can take binding decisions against US self-certified companies.
- Ombudsperson – As mentioned above, for complaints on possible access by national intelligence authorities a new Ombudsperson will be created, providing a further avenue for redress.
In addition, as we previously reported President Obama has signed the Judicial Redress Act into law, which grants European citizens the right to enforce their data protection in US courts against US law enforcement agencies which misuse their data.
What happens next?
The Article 29 Working Party (WP29) (consisting of representatives from the European DPAs) will now consider the legal texts pertaining to the Privacy Shield and deliver an Opinion as to whether it addresses the concerns set out in the CJEU’s ruling.
The proposed Privacy Shield contains a number of important improvements, compared to the previous Safe Harbour framework, but we will have to wait and see whether the European DPAs view the proposal as providing "essential equivalence" of European data protection in the US.
After the WP29 have delivered their Opinion, a final decision on the Privacy Shield will be given by the College of EU Commissioners. In the meantime, the US is expected to make the necessary preparations to put in place the new framework, monitoring mechanisms, and the new Ombudsperson mechanism.