On 12 July 2016, the European Commission presented the finalized “EU-US Privacy Shield” to the public. The Privacy Shield is the successor of the “Safe Harbor Framework” which has been declared void in a decision by the European Court of Justice of 6 October 2015. The Privacy Shield shall serve as an instrument to overcome the high requirements that have to be met when transferring personal data from the European Union to the United States of America.
Even though the Privacy Shield has been criticized by a number of European data protection regulators, and may (as has happened with other available cross-border transfer mechanisms) be attacked before European courts in the future, for the time being it serves as valid and easily available mechanism to justify data transfers from the EU to the US. US entities willing to take advantage of the Privacy Shield will have the possibility to self-certify under the Privacy Shield Principles from August 2016 on.
Privacy Shield Principles
Most of the Privacy Shield Principles have already been integrated into the Safe Harbor Framework. However, some of the Principles have been significantly enhanced, making the Privacy Shield more robust than Safe Harbor.
The Privacy Shield Notice requirements are much stricter than under Safe Harbor. While Safe Harbor only required self-certified companies to provide rather generic information on data processing, such as regarding purposes, third party recipients and potential choice options of data subjects, the Notice Principle under the EU-US Privacy Shield is more specific and requests detailed information on 13 different points. A Privacy Shield certified company must inform about
- its participation in the Privacy Shield
- the types of personal data collected and potential entities or subsidiaries of the organization also adhering to the Principles
- its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield
- the purposes for which it collects and uses personal information about them
- how to contact the organization with any inquiries or complaints
- third parties to which it discloses personal information, and the purposes for which it does so
- the right of individuals to access their personal data
- the choices and means the organization offers individuals for limiting the use and disclosure of their personal data
- the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual
- being subject to the investigatory and enforcement powers of a U.S. authorized statutory body
- the possibility, under certain conditions, for the individual to invoke binding arbitration
- the requirement to disclose personal information in response to lawful requests by public authorities
- its liability in cases of onward transfers to third parties
The Privacy Shield Choice Principle remains generally unchanged in comparison with the former Safe Harbor Choice Principle: According to the Choice Principle, affected data subjects have the right to opt out of various data processing activities, such as when personal data shall be transferred to a third party or for a purpose materially different from the purpose for which it was originally collected; in case of sensitive data, for above-mentioned cases express opt in consent will have to be collected.
3. Accountability for Onward Transfer
Substantial new requirements are introduced with respect to Onward Transfers. In particular, the Privacy Shield certified company must conclude contracts with third party controllers to which it transfers data, obligating the third party controller to provide the same level of protection as the Privacy Shield Principles, and to process data only for limited and specified purposes. If the Privacy Shield certified company processes data via a third party agent, a data processing agreement in line with basic EU data protection principles will also have to be concluded with such agent.
The Security requirements under the Privacy Shield are basically the same as under the Safe Harbor regime: self-certified companies must take reasonable and appropriate measures to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
5. Data Integrity and Purpose Limitation
The Data Integrity and Purpose Limitation is mostly the same as under Safe Harbor but includes an additional obligation: On top of the Safe Harbor obligations to limit data processing activities to what is relevant for the purposes of processing, and to abstain from activities incompatible with the purposes for which the data has initially been collected or subsequently authorized by the data subject, Privacy Shield now explicitly states the self-certified entity must adhere to the Privacy Shield Principles for as long as it retains the data, even if the self-certification would terminate.
The Access Principle is basically the same as under Safe Harbor: Data subjects must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Privacy Shield Principles.
7. Recourse, Enforcement and Liability
The Recourse, Enforcement and Liability obligations have been significantly strengthened in comparison with Safe Harbor and new recourse mechanisms have been introduced. Inter alia, (i) data subjects will have the right to bring complaints directly to independent dispute resolution bodies, (ii) to European Data Protection Authorities (if HR data is processed or when the self-certified organization has voluntarily submitted to the oversight of European Data Protection Authorities), (iii) the US Department of Commerce has committed to resolve complaints about an organization’s non-compliance with the Privacy Shield Principles, and (iv) as a last resort, EU data subjects may invoke binding arbitration by a “Privacy Shield Panel” composed of at least 20 arbitrators designated by the US Department of Commerce and the European Commission.