On February 29, 2016, the European Commission published the documents describing the new EU-US Privacy Shield, the framework that organizations can commit to in order to legally transfer personal data from the European Union to the United States. The Privacy Shield was announced as an agreement in principle by the European Commission earlier this year (Renewing Transatlantic Data Transfers: How Close Are We to a Revised Safe Harbor Agreement), and is intended to replace the Safe Harbor framework invalidated in October 2015 by the Court of Justice of the European Union in Maximillian Schrems v. Data Protection Commissioner (Case C-362/14). The new Privacy Shield framework includes strengthened commitments to protect the privacy of EU individuals as well as greater transparency obligations on US government access to personal data.
What does the EU-US Privacy Shield mean for US organizations?
In order to rely on the Privacy Shield to effectuate transfers of personal data from the EU, an organization must self-certify its adherence to the Privacy Shield principles to the US Department of Commerce. While participation in the Privacy Shield is entirely voluntary, compliance with the principles is mandatory for organizations that self-certify to the Department of Commerce. One condition for entering the Privacy Shield is that an organization must be subject to the investigatory and enforcement powers of the Federal Trade Commission (the “FTC”), the US Department of Transportation or another statutory body that will effectively ensure compliance with the principles. This was also the case for participation in the Safe Harbor framework and has historically limited the industries that could participate. For example, banks and insurance companies are generally excluded from the FTC’s jurisdiction under the Federal Trade Commission Act and were therefore unable to participate in the Safe Harbor framework.
The European Commission recently published three sets of documents in support of the Privacy Shield: (1) a communication to the European Parliament and Council giving an overview of the basis for the Privacy Shield; (2) a draft adequacy decision by the Commission on the Privacy Shield; and (3) US government documents that detail the commitments applicable to both agencies and private organizations under the Privacy Shield. Some of the most significant commitments in these documents come from the US Office of the Director of National Intelligence and the US Department of State and address US surveillance of personal data. Documents from the Department of Commerce describe “Supplemental Principles” that impose stronger obligations on US organizations to protect personal data belonging to EU citizens. These obligations track the seven principles of data protection that were part of the original Safe Harbor framework, but the new “Supplemental Principles” increase those obligations or provide greater detail about how they should operate.
These Privacy Shield principles differ from the obligations of US organizations under the Safe Harbor framework in three primary ways:
- US companies are under enhanced commitments to protect data.
  - New Notice Obligations. The Privacy Shield requires additional information to be included in the notices provided by organizations to their data subjects, including a declaration of the US organization’s participation in the Privacy Shield and the identification, on its website, of the independent dispute resolution body available to data subjects.
  - New Restrictions on Onward Transfer. The Privacy Shield strengthens protections for personal data transferred from a US organization to a third-party controller by requiring the parties to enter into a contract providing that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual, and that the recipient will provide the same level of protection as required under the Privacy Shield. The Privacy Shield also strengthens protections for personal data transferred from a US organization to a third-party agent, including by requiring the US organization to take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the Privacy Shield principles.
  - New Purpose Limitation. The Privacy Shield includes a new requirement that US organizations limit the personal information they obtain to the information that is relevant for the purposes of their processing.
  - Detailed Access Principle. The Privacy Shield lays out a thorough process by which individuals can verify the accuracy of the information held about them by US organizations, and the circumstances in which US organizations may restrict that access.
- US organizations are under increased oversight by both US and EU authorities.
  - Greater Transparency. Increased transparency is one of the main methods through which the Privacy Shield seeks to hold US organizations accountable to their Privacy Shield commitments. There are a range of transparency requirements throughout the principles, including the requirement that an organization make publicly available any relevant Privacy Shield compliance or assessment reports submitted to the FTC if it becomes subject to an FTC or court order for non-compliance.
  - Internal Compliance. US organizations must certify annually that they meet the Privacy Shield’s requirements. US organizations must also put in place procedures for verifying their Privacy Shield commitments, which can be satisfied either through self-assessment or through outside compliance reviews.
  - External Oversight. The Department of Commerce commits to strengthening the administration and supervision of the Privacy Shield through various methods, including by maintaining, verifying, and publishing a list of companies that self-certify annually to the Privacy Shield. US organizations can also elect to cooperate with a particular Data Protection Authority (“DPA”), which is required of companies processing Human Resources data of EU individuals. Finally, the FTC has committed to reviewing on a priority basis referrals from self-regulatory organizations, independent dispute resolution bodies, the Department of Commerce, and EU Member States alleging non-compliance with the principles.
- US companies are obligated to provide redress to EU data subjects.
  - Redress Options. The Privacy Shield sets forth a multi-step process by which EU data subjects can obtain redress against US organizations for alleged violations of their Privacy Shield commitments. First, a data subject can raise a complaint directly with the organization, which must respond within 45 days of receiving it. In addition, the organization must provide a fair and free-of-charge alternative dispute resolution procedure. An EU citizen can also go to their national DPA, which will work with the Department of Commerce and the FTC to ensure that unresolved complaints are investigated and resolved. Finally, an arbitration option is available for any remaining claims. Under this option, the Privacy Shield Panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief.
What does the EU-US Privacy Shield mean for EU organizations?
For organizations wishing to rely on the Privacy Shield in the future, there is still some time to wait before the framework is officially adopted. However, for EU organizations the greatest challenge is still to come: compliance with the General Data Protection Regulation should be of paramount importance.
What happens next?
The Privacy Shield is not currently in force and remains under review. Clients should not rely on either the Safe Harbor or the Privacy Shield as the legal basis for transfers of personal data from the EU. Rather, organizations should continue to rely on the mechanisms they adopted in light of the Schrems decision, whether Standard Contractual Clauses, Binding Corporate Rules, or an alternative method.
At its meeting in mid-April, the EU’s Article 29 Working Party will likely offer its non-binding opinion on whether the Privacy Shield satisfies the “four essential guarantees” it considers necessary for transferring personal data outside the EU:
- data processing should be based on clear, precise and accessible rules;
- data collection should be proportionate;
- an independent oversight mechanism should be in place; and
- effective remedies should be available to data subjects.
In parallel, a committee composed of representatives of the Member States will be consulted before a final decision is made by the College of Commissioners. In the meantime, the US government will make the necessary preparations to put the new framework in place.
In general, there will be no grace period for organizations once the Privacy Shield is finalized, and companies are expected to comply immediately upon certification. However, companies that certify to the Privacy Shield framework within the first two months following its effective date will have nine months in which to bring existing commercial relationships with third parties into conformity with the Privacy Shield principles.