Companies should still ensure that they are lawfully transferring data through an alternative mechanism until the details of the Privacy Shield are released.
The U.S. Department of Commerce and the European Commission (the Commission) announced on February 2, 2016 that they have reached an agreement for a new framework to facilitate transatlantic data flows, called the “EU-U.S. Privacy Shield” (Privacy Shield). The precise scope of requirements for participation by U.S. businesses is not yet known, and a fully binding framework is not expected to be adopted by the European authorities until April. However, the Commission provided an overview of important agreement points, and data protection authorities have confirmed that personal data may still be validly transferred using alternative mechanisms for the time being.
The EU Data Protection Directive prohibits the transfer of personal data to any third country not deemed to provide “adequate” protection of data. The U.S.-EU Safe Harbor (Safe Harbor) was developed by the Department of Commerce and the Commission to provide a mechanism for U.S. companies to ensure that they were transferring data subject to adequate protections. However, in the wake of the revelations by Edward Snowden of U.S. government mass surveillance, the Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Safe Harbor on October 6, 2015 in Schrems v. Data Protection Commissioner. More than 4,000 U.S. companies had previously relied on the Safe Harbor to transfer personal data from Europe to the United States.
On October 16, 2015, the Article 29 Working Party — the independent advisory body made up of representatives of the various data protection authorities of the EU member states — issued a press release on the CJEU’s decision. The Working Party stated that, if the United States and the EU were unable by the end of January to resolve the issues with the Safe Harbor and the other data transfer mechanisms affected by the “massive and indiscriminate surveillance” cited as a key element of the CJEU’s analysis, EU data protection authorities would take all “necessary and appropriate” actions, including coordinated enforcement actions. This created great uncertainty for businesses on both sides of the Atlantic as to the circumstances under which business-critical data transfers might be allowed after the deadline. Since then, U.S. and EU authorities have been racing to come up with a replacement for the Safe Harbor that would address the deficiencies cited by the CJEU and withstand further legal challenges.
New EU-U.S. Privacy Shield
The new Privacy Shield was announced two days after the expiration of the deadline set by European data protection authorities. Although the Commission did not release the detailed text, it stated that the Privacy Shield will provide for “stronger obligations on companies handling Europeans’ personal data” and “stronger monitoring and enforcement by the U.S. Department of Commerce and the Federal Trade Commission” (FTC). The precise contours of company obligations were not defined, but the Commission called them “robust.”
Similar to the Safe Harbor, companies will be required to publish their policies for adhering to the Privacy Shield, and the FTC will have authority to enforce those commitments under the FTC Act. The Commission also stated that companies handling human resources data from Europe will have to commit to comply with decisions by European data protection authorities. Under the Safe Harbor, companies could satisfy the “Enforcement Principle” in one of three ways: by agreeing to comply with a private sector enforcement program, such as neutral arbitration; by submitting to supervisory authorities for the handling of individual complaints; or by committing to cooperate with data protection authorities in the EU. It appears that, at least with respect to human resources data, companies may no longer have a choice in how they offer Europeans the right to enforce a company’s compliance with the Privacy Shield.
The Commission also stated that the Privacy Shield would provide for safeguards and transparency on U.S. government access. According to the Commission, the United States has ruled out indiscriminate mass surveillance of data transferred under the Privacy Shield and has provided assurances that access for law enforcement and national security purposes will be subject to “clear limitations, safeguards and oversight.” An ombudsman office will be created in the U.S. Department of State to address European citizen complaints regarding access by U.S. intelligence authorities.
Finally, the Commission stated that the Privacy Shield provides EU citizens with several options for redress of complaints. Alternative dispute resolution will be provided free of charge (presumably paid for by companies participating in the Privacy Shield), and there will be deadlines within which companies must respond to complaints. There will also be the capability for cooperation between U.S. and EU authorities, with European data protection authorities having the ability to refer complaints to the U.S. Department of Commerce and the FTC.
The Commission will continue to work the agreement through the EU approval process. The first step is preparing a draft of its adequacy decision regarding the Privacy Shield, which it will do “in the coming weeks.” The decision will be reviewed by the Article 29 Working Party and the EU member states. EU Justice Commissioner Věra Jourová stated this approval process could take up to three months, meaning the Privacy Shield will not be fully approved and binding until sometime in April.
The Article 29 Working Party issued a statement on February 3, 2016 calling for the Commission to provide the details of the agreement by the end of February. Once it has received the details, the Article 29 Working Party will evaluate the new Privacy Shield as well as complete its assessment of all personal data transfers to the United States. Pending the completion of its assessment “in the coming weeks” and the announcement of its decision, the Article 29 Working Party confirmed that standard contractual clauses and binding corporate rules are still valid transfer mechanisms. The Article 29 Working Party also reiterated that transfers made under the old Safe Harbor are no longer valid and that it is left to individual member state data protection authorities to deal with complaints regarding any ongoing transfers made on that basis.
No specific legislative action is required in the United States to adopt the agreement. The U.S. Department of Commerce indicated it will soon provide information regarding the new obligations on U.S. companies that participate in the Privacy Shield. Additionally, the Department of Commerce stated that a number of things are changing from the prior Safe Harbor under the new Privacy Shield, but provided no details. Presumably, the United States will also begin administrative preparations for the new agreement, such as by creating the ombudsman office in the State Department.
Companies that transfer data from Europe to the United States still operate in a world where the Safe Harbor is invalid. Accordingly, until the details of the Privacy Shield are released, companies should still ensure that they are lawfully transferring data through an alternative mechanism, such as binding corporate rules, standard (model) contractual clauses, data subject consent, or anonymizing data prior to transfer. Once the details have been released, companies can evaluate the Privacy Shield compliance requirements and determine whether the new agreement provides a framework that will best fit their business and compliance needs.