On February 29, 2016, the European Commission issued the legal texts that will implement the EU-U.S. Privacy Shield, including a draft adequacy decision of the European Commission, Frequently Asked Questions and a Communication summarizing the steps that have been taken over the last few years to restore trust in transatlantic data flows. The new EU-U.S. transatlantic data transfer arrangement (the “Arrangement”), known as the EU-U.S. Privacy Shield, was reached on February 2, 2016, between the Department of Commerce and the European Commission. Once adopted, the adequacy decision will establish that the safeguards provided when transferring personal data under the new EU-U.S. Privacy Shield are equivalent to the EU data protection standards. In addition, the European Commission states that the new arrangement reflects the requirements that were set by the Court of Justice of the European Union (the “CJEU”) in the Schrems case.
The EU-U.S. Privacy Shield
The Arrangement provides a response to the concerns that have been raised by the European Commission and the CJEU with respect to transatlantic data transfers. It contains stronger commitments that must be undertaken by companies in the commercial sector, but also significant commitments with respect to the accessibility of personal data to U.S. government authorities. The four most important achievements of this new Arrangement are as follows:
Stronger obligations on companies and robust enforcement. Companies that are willing to transfer personal data from the EU to the U.S. must accept more stringent obligations regarding the processing of personal data and how individuals’ rights are guaranteed. Among other limitations introduced by the Arrangement, onward data transfers will be subject to stricter conditions and liability provisions.
In addition, the Arrangement will contain stricter oversight mechanisms to ensure companies abide by the rules they have legally committed to, including regular monitoring by the U.S. Department of Commerce. Companies that fail to comply face severe sanctions or exclusion from the Arrangement.
Limits and safeguards covering access to personal data by the U.S. government. The European Commission has obtained written assurances from the U.S. government (i.e., the Department of Justice and the Office of the Director of National Intelligence) that access to personal data by government authorities for law enforcement, national security and other public interest purposes will be subject to clear limitations, safeguards and oversight mechanisms.
Effective protection of EU citizens’ privacy rights and redress possibilities. Several affordable mechanisms to obtain individual redress will be available to individuals who think their personal data has been misused under the new Arrangement, including a direct complaint to the company or to their national data protection authority (“DPA”), which will refer the complaint to the Department of Commerce and the Federal Trade Commission for investigation. When receiving a complaint directly from individuals, companies must reply within 45 days. Companies handling human resources personal data from European individuals will have to comply with the decisions of the competent DPA.
In addition, companies must designate an independent dispute resolution body to investigate and resolve individuals’ complaints and provide recourse to individuals free of charge.
Further, in the context of a company’s certification, the Department of Commerce will verify that the company complies with the Privacy Principles of the Privacy Shield, and that it has designated an independent recourse mechanism.
As a last resort, individuals will be able to bring their complaints to the Privacy Shield Panel, a dispute resolution mechanism that can take binding and enforceable decisions against U.S. Privacy Shield companies.
EU citizens also will have a redress mechanism in the national security context. In particular, an independent Ombudsperson will be responsible for handling complaints and inquiries received from EU individuals regarding access to their data by national intelligence authorities. This redress mechanism will be extended beyond the EU-U.S. Privacy Shield and will be available to individuals for all data transfers to the U.S. for commercial purposes.
Annual joint review mechanism. The European Commission will annually monitor the functionality of all aspects of the EU-U.S. Privacy Shield, together with the U.S. Department of Commerce, EU DPAs, U.S. national security authorities and the Ombudsperson. Other sources of information, such as voluntary transparency reports, also will be used for monitoring the functionality of the EU-U.S. Privacy Shield. In the event that companies or public authorities do not comply with their commitments, the European Commission can activate the process to suspend the Privacy Shield.
The Commission encourages companies to prepare for the Privacy Shield to be in a position to self-certify for the new Arrangement as soon as an adequacy decision is adopted by the Commission. In general, the following actions will be required from the different actors of the EU-U.S. Privacy Shield:
U.S. Companies. Companies must commit to comply with seven privacy principles, including (1) the Notice Principle, (2) the Choice Principle, (3) the Security Principle, (4) the Data Integrity and Purpose Limitation Principle, (5) the Access Principle, (6) the Accountability for Onward Transfer Principle and (7) the Recourse, Enforcement and Liability Principle. In addition, the European Commission encourages companies to opt for EU DPAs as their mechanism to resolve individuals’ complaints under the Privacy Shield, as well as to publish transparency reports on national security and law enforcement access requests concerning EU personal data.
U.S. Authorities. U.S. authorities will be responsible for enforcing the Arrangement and respecting the limitations and safeguards established regarding access to personal data for law enforcement and national security purposes. U.S. authorities also must handle complaints received from EU individuals in a timely and effective manner.
EU Data Protection Authorities. EU DPAs must ensure that individuals can exercise their rights effectively, including by transferring their complaints to the competent U.S. authority, as well as cooperating with the relevant U.S. authority. In particular, EU DPAs must assist complainants with cases brought in front of the Privacy Shield Panel, exercise oversight over transfers of EU HR personal data and trigger the Ombudsperson mechanism.
European Commission. The European Commission will adopt an adequacy decision that will be reviewed regularly, allowing the Arrangement to be consistently monitored, in contrast with the previous Safe Harbor.
An extraordinary plenary meeting of the Article 29 Working Party (the “Working Party”) will be organized at the end of March. After obtaining the non-binding opinion of the Working Party and consulting a committee composed of representatives of the EU Member States, a final decision of the College of Commissioners will be made. In the meantime, the U.S. authorities will prepare for the implementation of this new arrangement.
FTC Chairwoman Edith Ramirez also issued a statement in response to the release of the new Arrangement. She said that “[t]he EU-U.S. Privacy Shield Framework supports the growing digital economy on both sides of the Atlantic, while ensuring the protection of consumers’ personal information. In providing an important legal mechanism for transatlantic data transfers, it benefits both consumers and business in the global economy.” Chairwoman Ramirez also emphasized the FTC’s role, saying that “the FTC will make enforcement of the new framework a high priority, and we will work closely with our European counterparts to provide robust privacy and data security protections for consumers in the United States and Europe.”
Read the Press Release of the European Commission.
Read the Fact Sheet on the EU-U.S. Privacy Shield.