The European Commission today adopted a decision which endorses the EU-US privacy shield. This is the latest step in restoring a stable legal basis for transatlantic flows of personal data, since the Court of Justice of the EU annulled the EU-US Safe Harbor program in its judgment in the Schrems case in October 2015 (Case C- 362/14).
It is possible that as soon as September, US companies will be able to sign up to the revised program. Although the Privacy Shield has somewhat greater compliance burdens than the Safe Harbor, the majority of the 4,500 companies that were previously certified under the Safe Harbor are likely to recertify under the Privacy Shield, and others may be tempted to join in.
What are the main differences since the first draft was released in February? (For commentary on the February draft, click here) The Privacy Shield principles are largely unchanged, with some improvements to address concerns expressed by the national authorities in the EU Member States (the Article 29 working party). The latest amendments to obligations of registering companies are three-fold, covering: (1) onward transfers of data; (2) data retention; and (3) redress, through greater independence for the ombudsperson in the US. With these amendments, the Privacy Shield provides protection of personal data that are significantly closer to EU data protection rules than was the Safe Harbor. In addition, the US intelligence community has made significant new representations regarding the limitations on mass surveillance under US law.
Onward Transfers of Data
These occur when Privacy Shield companies transfer data to a third party or to an agent. The third party controller or agent must undertake, by contract, to: process the data solely for the limited and specified purposes consistent with the data subject’s consent, and provide protection to the data consistent with the Privacy Shield principles. If during the course of processing the third party determines it can no longer meet these obligations, it must inform the transferring company and cease processing or take reasonable and appropriate steps to remediate.
Privacy Shield companies should only keep personal data in a form which identifies or makes identifiable data subjects for as long as it serves a purpose of processing (e.g. customer relations or compliance). Within the EU, retention for longer periods is allowed, where it is necessary, for instance, for journalism or statistical analysis. However, in any case, reasonable and appropriate measures should be taken to comply with the provision, and other Privacy Shield principles may also limit retention.
The new oversight mechanism for national security interference, the Privacy Shield Ombudsperson, is now independent from the intelligence community. The US government also permits individual complaints, which will be “properly investigated and addressed.” Data subjects will “receive independent confirmation that US laws have been complied with or, in case of a violation of such laws, the noncompliance has been remedied”. Complaints will be addressed to national authorities in the EU Member States which will submit them to a centralised EU body responsible for forwarding to the US. This method has a dual function and is typical of EU procedures: it addresses foreign language needs, by enabling individuals to contact an authority in their own Member State; it also puts the onus on national authorities to ensure cases are complete.
US Secretary of Commerce, Penny Pritzker, is expected in Brussels on July 12 for a joint signing.
Further details on how companies can sign up to Privacy Shield will be available shortly from the US Department of Commerce and FTC.
As a separate exercise, the European Commission is considering review of all adequacy decisions with third countries. There is no indication as to which decisions will be reviewed first. This is a change in policy, as previously the Commission had been expected to maintain all adequacy decisions until the new EU General Data Protection Regulation applies (i.e. May 25, 2018).
On July 8, Vice-President Ansip and Commissioner Jourova issued a joint statement following the vote by the Article 31 working party (Member State representatives).
More information on the Privacy Shield is available here.