On October 18, 2017, the EU Commission published a report (“Report”) on the first annual joint review of the EU-US Privacy Shield framework (“Privacy Shield”), which took place on September 18-19, 2017, in Washington DC. The Report, which reflects input from the US federal government and feedback gathered from relevant stakeholders, found the Privacy Shield to provide an adequate level of protection for the transatlantic transfer of personal data, but it also makes a number of recommendations for improvements.
In 2016, when the EU Commission approved the Privacy Shield (an agreement between the EU and the US that allows the transfer of personal data from the EU to US companies that certify under the framework and agree to uphold certain protections), the EU Commission committed to closely monitor the functioning of the framework and to review it annually. This Report is the result of that first annual review.
While presenting the Report, Vĕra Jourová, Commissioner for Justice, Consumers and Gender Equality, stated, “The first review shows that the Privacy Shield works well, but there is some room for improving its implementation. It’s a living arrangement that both the EU and the US must actively monitor to ensure we keep guard over our high data protection standard.”
In this Legal Update, we discuss the Report and how it supports the Privacy Shield as a valid mechanism to transfer data.
The Privacy Shield Framework
The Privacy Shield was adopted in July 2016 and became operational on August 1, 2016. It is the successor to the EU-US Safe Harbor framework (“Safe Harbor”), which had been one of the primary mechanisms for the transfer of personal data from the EU to the US. After the invalidation of the Safe Harbor by the EU Court of Justice (“EU Court”) in Maximilian Schrems v. Data Protection Commissioner, the EU Commission and the US Department of Commerce (“Department of Commerce”) stepped up their efforts to negotiate a new agreement that could address the EU Court’s concerns. Indeed, the EU Court considered that the Safe Harbor lacked sufficient safeguards to protect an EU citizen’s data from “massive and indiscriminate” bulk surveillance by the US government.
Since the Privacy Shield’s inception, over 2,400 companies have self-certified to it. In order to become Privacy Shield-certified, US companies must self-certify to the Department of Commerce and commit to comply with the framework’s requirements, including a set of principles that ensure an adequate level of protection of personal data. Among other requirements, the principles require companies to: (a) comply with data retention principles (i.e., limitations on how long a company can keep the data), (b) publish a notice with information on the extent and purposes of their data collection, (c) comply with the limitations set out for transferring personal data to a third party (the so-called “onward transfer” principle), and (d) put in place appropriate security measures.
The Privacy Shield also guarantees that EU individuals can access and correct their data, lodge a complaint, and obtain a remedy. An EU individual has at his or her disposal a number of redress mechanisms, including, inter alia, the ability to use alternative dispute resolution or to complain to a data protection authority (“DPA”). Moreover, the Privacy Shield created the role of ombudsperson within the US Department of State, a senior official whose job is to independently address complaints of EU data subjects regarding the protection of their data by the US government.
Certain privacy advocates have criticized the Privacy Shield, saying that the framework is not sufficient to protect the privacy of individuals in the EU. The EU Parliament put forward a motion expressing concerns about the limitation on the rights of data subjects and the scope for US bulk surveillance. Digital Rights Ireland, a privacy advocacy group, has brought an action against the Privacy Shield before the EU Court, arguing that the framework does not provide a level of data protection equivalent to the one established by EU data protection laws. The EU Court has not yet issued a decision. Despite those concerns, the Privacy Shield has survived its first annual review.
Lessons Learned from the Report: A Set of Recommendations
The Report concludes that the Privacy Shield ensures an overall adequate level of protection for the transatlantic transfer of personal data. However, the Report makes a number of recommendations for US companies, regulators on both sides of the Atlantic and the US government.
The EU Commission points out that companies applying for certification under the Privacy Shield should not be allowed to publicly announce that they are certified under the Privacy Shield before the process is finalized. Further, the Report prompts the Department of Commerce to proactively and regularly monitor for false claims of certification, to reduce the risk of inaccurate information and to help identify possible compliance issues that may require further attention.
US and EU Regulators
The EU Commission calls for increased cooperation between the Department of Commerce and the DPAs to strengthen EU individuals’ awareness of the Privacy Shield and to develop guidance to clarify the Privacy Shield’s concepts to prevent misinterpretation.
The Report calls for certain reforms of the US laws relevant to the Privacy Shield. In particular, the Report requests that the US administration and Congress enshrine the protection of personal data offered to non-Americans under the Presidential Policy Directive 28 (“PPD-28”) in the Foreign Intelligence Surveillance Act (“FISA”). FISA authorizes the acquisition of foreign intelligence information by targeting non-US persons located outside of the US. The EU Commission hopes that Congress will consider introducing further limitations and safeguards in relation to non-US persons.
The EU Commission further recommends that US authorities provide timely and comprehensive information about developments that could be relevant to the Privacy Shield. Finally, the EU Commission calls on the US administration to fill the position of the ombudsperson as soon as possible and to appoint the missing members of the Privacy and Civil Liberties Oversight Board (PCLOB), which has responsibility for protecting privacy. (Recently, President Donald Trump nominated a PCLOB chair.)
In the coming months, the EU Commission will coordinate with US authorities to ensure follow-up on the issues identified in the Report and the related recommendations. At the same time, the EU Commission will continue monitoring the functioning of the Privacy Shield to ensure that US authorities comply with their commitments.
For US companies that have self-certified, or are considering certifying, to the Privacy Shield framework, the outcome of this Report is a positive indication that the framework is functioning and has the support of key constituencies in the EU. While the recommendations suggest that further work needs to be done, most of it is work for the US government rather than for the companies that have certified.