Executive Summary
In the latest step toward finalising a replacement for the defunct Safe Harbor program, the European Commission has published its draft adequacy decision, formally supporting its view that the proposed EU-U.S. Privacy Shield will ensure an adequate level of protection for the transfer of personal data from the EU to U.S. companies which enlist in the program. It also introduces a range of enhanced rights and redress mechanisms for EU citizens. Once finalised, an adequacy decision by the European Commission establishes that the non-EU country (or program) which is the object of the decision ensures an adequate level of protection of personal data and means that personal data can flow to it from any of the 28 EU member states without any further restrictions.
The draft decision opened up the full details of the Privacy Shield to public and regulatory scrutiny for the first time and is an important milestone towards the approval and adoption of the Privacy Shield, something which the Commission has proclaimed will “restore trust in transatlantic data flows”.
But does the Privacy Shield look set to be a popular replacement for companies which were former Safe Harborites, or is it too onerous? At the same time, will consumers be reassured by the Privacy Shield or will privacy advocates be gearing up to mount legal challenges: Safe Harbor 2.0 meets Max Schrems 2.0?
Adequacy findings
The European Commission announced the release of its draft adequacy findings on February 29, 2016, following a review of the features of the Privacy Shield, in the context of U.S. law and practice. It confirmed its view that the safeguards under the proposed Privacy Shield offer data protection standards equivalent to those in the EU, and also satisfy the requirements set out in the Court of Justice of the European Union’s decision in Maximillian Schrems v Data Protection Commissioner (the case which invalidated Safe Harbor).
EU-U.S. Privacy Shield
Alongside its adequacy findings, the Commission also released details of the Privacy Shield. So, what do we know so far?
What will be different under the Privacy Shield compared with Safe Harbor?
- Complaints by and redress for individuals: several possible options will exist for aggrieved parties to pursue claims, including (a) directly with the company, (b) through alternative dispute resolution provided by an independent third party, (c) with the EU Data Protection Authority (which will then work with the Department of Commerce and Federal Trade Commission to ensure unresolved complaints by EU citizens are investigated and quickly resolved), (d) the Privacy Shield Panel, which operates as a last resort and provides a binding decision via an arbitration mechanism.
- Privacy Shield certified businesses will have to put in place an effective redress mechanism, including responding substantively within 45 days to complaints received from EU individuals about the treatment of their personal data. Failure to respond to complaints will result in the individuals having recourse to alternative redress mechanisms.
- Businesses joining the Privacy Shield program are required to sign up for alternative dispute resolution, and must designate an independent dispute resolution body to which individuals can address their complaints. Alternatively, individuals can refer complaints directly to their national Data Protection Authorities, which in turn may channel the complaint to the U.S. Department of Commerce, the U.S. authority administering the EU-U.S. Privacy Shield.
- More transparency for individuals is required. Privacy Shield members must provide individuals with notice of the organisation’s participation in Privacy Shield, the type of data affected and the purposes. Individuals must also be informed of any third parties to whom their data will be transferred and “clear, conspicuous, and readily available mechanisms” for opting out of these disclosures to third parties or for preventing use of their personal data for a new purpose. The enhanced levels of individuals’ rights are being described by some as “GDPR equivalent” (referring to the forthcoming EU General Data Protection Regulation).
- The Privacy Shield program requires member companies to be ready to respond promptly to inquiries and requests for information from the Department of Commerce relating to adherence to the privacy principles. The company must also be prepared to keep records (and make them available on request) on the implementation of their privacy policies.
- There will be more stringent oversight mechanisms to bring about compliance by Privacy Shield members. The U.S. Department of Commerce will also publish a list of companies which have been removed or excluded from the Privacy Shield program, along with the reasons for such removal or exclusion. The ‘Choice Principle’ requires businesses to obtain “affirmative express consent” for the transfer of sensitive data, and imposes special rules for direct marketing.
- Lack of compliance by a business could result in sanctions or exclusion from the Privacy Shield program. There is also the threat that personal data received by a U.S. business in reliance on the Privacy Shield will have to be returned or deleted if the business withdraws, or is ejected, from the program. This could have a far-reaching impact on future business disposals or divestitures by a Privacy Shield member.
- Tightened rules will apply around onward transfers of data by a Privacy Shield member to third parties, whether a data controller or a data processor. If compliance problems arise in this sub-processing chain, the Privacy Shield organisation acting as data controller of the data will face liability unless it can prove that it was not responsible for the event causing the damage.
- The Privacy Shield extends beyond the commercial sector to include access to personal data by U.S. public authorities acting for national security purposes.
- An Ombudsman mechanism independent from the U.S. intelligence services will operate to follow up complaints and inquiries made by individuals in relation to access by the U.S. government for the purposes of national security, e.g. if an individual is concerned that his or her personal information has been used in an unlawful way by U.S. authorities. The complainant will be informed whether the matter has been properly investigated and either that U.S. law has been complied with or, if not, that any non-compliance has been remedied.
- For the first time, the U.S. government has given a series of written assurances about how it intends to enforce the agreement. These include commitments on the safeguards and limitations that will be imposed on public authorities’ access to data. These may not make much difference in the day-to-day running of the program, but they signal a greater openness by the U.S. government to accommodate EU privacy law differences.
- The Department of Commerce will conduct ex officio compliance reviews of self-certified organisations, including sending detailed questionnaires.
- Unlike Safe Harbor, the Privacy Shield program itself will be subject to joint annual reviews by the European Commission and the U.S. Department of Commerce to ensure (a) the adequacy of protection of personal data being transferred, and (b) compliance by U.S. authorities with the representations and commitments made. The Privacy Shield program may be suspended or amended if it no longer guarantees effective protection.
What will stay broadly the same under the Privacy Shield?
- The program should, just as Safe Harbor was intended to, provide a recognisable badge which guarantees adherence to minimum privacy standards compatible with EU law. Therefore, Privacy Shield membership is potentially brand-enhancing and reassuring for consumers and business customers alike.
- As for Safe Harbor, the Privacy Shield will not be available to companies in specific sectors which are outside the jurisdiction of the U.S. Federal Trade Commission or Department of Transportation. This means that companies in the financial services and insurance sectors will not be eligible to join.
- To complete the certification process, companies must show compliance with seven Privacy Principles. These set out compulsory rules in relation to notice, choice, security, data integrity, access, accountability for onward transfers of data and recourse, enforcement and liability. These Principles are substantially similar to those of Safe Harbor, with some adjustments (mentioned above). As for Safe Harbor, organisations can self-assess their compliance or can appoint an outside party to assess compliance. Despite the similarities in the Principles of the respective programs, there are no “grandfathering” provisions in the Privacy Shield allowing the carrying over of Safe Harbor certifications into the Privacy Shield.
- The U.S. Department of Commerce and the U.S. Federal Trade Commission will be the main U.S. enforcers of the Privacy Shield framework.
How soon could the Privacy Shield be ready for use?
The next step will be taken by the Article 29 EU Working Party comprising representatives from each EU member state’s Data Protection Authorities, who will review the draft adequacy decision and make recommendations. These are expected in mid-April.
Further, the European Commission will seek an opinion from the Article 31 Committee, including representatives from each of the EU’s member states. Taking this into account, the earliest date upon which the Privacy Shield is likely to be available is June.
Some EU Data Protection Authorities, such as the French CNIL, have stated that they will be very cautious when reviewing the Privacy Shield “arrangement” agreed between the European Commission and the U.S. Department of Commerce.
What kind of companies will the Privacy Shield appeal to most?
The Privacy Shield looks set to place significant administrative burdens on its members in terms of EU individuals’ redress rights. This suggests that organisations which already have well-established consumer-facing complaints handling and engagement teams may manage the transition to Privacy Shield more easily than others. For companies contemplating joining the Privacy Shield it is, though, worth bearing in mind the potential for mass (possibly coordinated) complaints by individuals to impose a heavy administrative burden on a Privacy Shield member, similar to that experienced by UK banks dealing with high volumes of data subject access requests in connection with PPI mis-selling. Companies which embrace the Privacy Shield will need to ensure they have the systems and suitable administrative bandwidth to take it on.
U.S. companies which provide data processing or data handling services for clients, including services involving EU-originating data, may be attracted by the recognisable “compliance badge” aspects of the Privacy Shield program, which – if it survives possible early legal challenges (and the annual program reviews) – would establish a Privacy Shield member as a “safe” importer of EU data without the need for bilateral arrangements, such as EU model data transfer agreements.
Even once the Privacy Shield program is open to members, which is expected to be in the second half of 2016, some initial caution by businesses is likely. Companies will want to ensure that before they invest in internal compliance to qualify for the Privacy Shield, the program does not fall at the first challenge to its robustness.