March 8, 2016

EU-US Privacy Shield: Substance and Significance

Arnold & Porter Advisory

As we previously reported,[1] the European Union (EU) and the United States recently reached political agreement on a replacement for the invalidated EU-US Safe Harbor framework in accordance with the provisions of the EU Data Protection Directive.[2] The EU Commission has now announced the details of the newly negotiated mechanism for trans-Atlantic data transfers, branded as the “EU-US Privacy Shield.”[3] However, it should be noted that the Privacy Shield is currently in draft form and, as we explain below, there are several hurdles for it to overcome before it can become law.

The announcement from the EU Commission was accompanied by a package of documents, the most significant of which is a draft adequacy decision. If adopted by the EU Commission, this will establish that the United States, “by reason of its domestic law or of the international commitments it has entered into,” ensures an adequate level of protection for personal data to permit the transfer of such data from the EU. The draft adequacy decision has several annexes, including the set of privacy principles (comprising seven core “privacy principles” and sixteen “supplementary principles”) to which US organisations receiving personal data from the EU must adhere (the “Privacy Principles”). Also annexed are a series of letters from US authorities, including the Federal Trade Commission (FTC), the Department of Transportation (DOT), the Office of the Director of National Intelligence, and the Department of Justice (DOJ), setting out enforcement mechanisms to be implemented by the FTC and DOT, and the roles of other US Government law enforcement and national security legal authorities with respect to protection of and access to personal data.

This Advisory highlights key aspects of the draft Privacy Shield framework that may be most significant for organisations on both sides of the Atlantic involved in the transfer of personal data from the EU.

What Will Be Required of US Companies?

In a similar manner as under the now undermined Safe Harbor framework,[4] US organisations wishing to import personal data from the EU under the Privacy Shield will be required to self-certify to the US Department of Commerce (DOC) on an annual basis that their use and handling of such data is compliant with the Privacy Principles. The “supplementary principles” provide guidance on the steps organisations should take to comply with the core principles, and detail additional requirements for special situations such as the handling of sensitive and human resources data, certain journalistic exceptions, and special requirements on the processing of personal data obtained in the pharmaceutical and medical fields.

As part of the self-certification process, organisations must verify their compliance with the Privacy Principles (either in-house or through a third party) and establish that their policies conform to those principles. To ensure compliance, organisations must, for example, implement employee training procedures, conduct periodic compliance reviews, and provide means by which any complaints relating to their processing of personal data are dealt with effectively.

As was the case under Safe Harbor, organisations must make a submission to the DOC to be included on a public list of all self-certifying organisations, the “Privacy Shield List”.

Changes to the Privacy Principles

Companies will note that the structure of the Privacy Principles appears similar to the privacy principles and frequently asked questions under the Safe Harbor framework. However, the standards for data protection have been strengthened in several key areas, including in relation to the accountability of organisations for “onward transfers” of personal data (i.e., transfers of EU personal data by a Privacy Shield organisation to third parties outside the framework, such as parties undertaking sub-processing activities), the availability of recourse mechanisms for EU citizens, and the enforcement of the Privacy Principles against organisations who fail to adhere.

The table below compares, for each Privacy Principle, what is unchanged from Safe Harbor and what is new under the Privacy Shield.

Privacy Principle: Notice

What hasn’t changed?
Data subjects must be informed when their personal data is collected and notified of, amongst other things:
  • Purposes for which it will be used.
  • Types of third parties to which it will be disclosed.
  • Rights of the data subject to access and restrict the use of their data.

What’s new?
Several new notice requirements including:
  • Providing details regarding the independent dispute resolution body designated to address complaints and to provide appropriate recourse free of charge (see “Recourse, enforcement and liability” below).
  • Disclosure of the organisation’s liability for onward transfers to third parties (see “Accountability for onward transfers” below).
  • Increased transparency requirements for Privacy Shield organisations, including:
    • Making their participation in the framework clear.
    • Providing a hyperlink to the Privacy Shield List on their own website.
    • Providing hyperlinks to the Privacy Shield website and the website or complaint submission form of the independent recourse mechanism within their published privacy policy.

Privacy Principle: Choice

What hasn’t changed?
  • Data subjects must be allowed to opt-out of their data (a) being shared with third parties or (b) being used for a purpose that is “materially different” from the purpose for which it was collected.
  • Data subjects’ express consent (opt in) is required if “sensitive” personal data (e.g., information specifying medical or health conditions, race, or political opinions) is to be shared with a third party.

What’s new?
No material changes.

Privacy Principle: Accountability for onward transfer

What hasn’t changed?
  • To disclose information to a third party, organisations must apply the Notice and Choice Privacy Principles.

What’s new?
  • Onward transfers to agents (i.e., a sub-processor) will only be permitted in relation to “limited and specific purposes.”
  • Any transfer must be made on the basis of a contract or comparable arrangement, which offers the same level of protection as the Privacy Principles.
  • Organisations must take “reasonable and appropriate steps” to verify their agent’s compliance (i.e., due diligence and audit).
  • Unless they can prove that they are not responsible for the event giving rise to the damage, organisations will remain liable for the acts of their agents who fail to adhere to the Privacy Principles.

Privacy Principle: Security, data integrity and purpose limitation, and access

What hasn’t changed?
  • Organisations must take “reasonable and appropriate measures” to safeguard the personal data transferred to them.
  • Collection of personal data must be limited to what is relevant for the purpose, and the data must be reliable for its intended use, accurate, and current.
  • Subject to limited exceptions, data subjects must be furnished on request with confirmation of whether or not the organisation holds personal data relating to them, and must be able to correct, amend or delete inaccurate information or information processed in violation of the Privacy Principles.

What’s new?
No material changes.

Privacy Principle: Recourse, enforcement and liability

What hasn’t changed?
Organisations must have mechanisms in place to:
  • Ensure compliance with the Privacy Principles.
  • Ensure that recourse is available to EU citizens whose personal data has been processed in a non-compliant manner, including readily available independent mechanisms for investigating and resolving complaints and disputes.

What’s new?
Under the Privacy Shield, organisations will be required to:
  • Publicize the contact details of members of their complaints-handling team.
  • Within 45 days of the receipt of a complaint, provide an assessment and information on how (if at all) the problem will be rectified.
  • Designate an independent dispute resolution body to investigate and resolve individual complaints. While organisations are encouraged to use an EU data protection authority (DPA) as their independent dispute resolution body, a US provider is also acceptable. The DOC and the FTC will be notified of any organisation that fails to comply with the finding of an independent dispute resolution body.

Enforcement and Redress

Two new areas within the Privacy Shield framework are (1) better and effective supervision, monitoring, and enforcement by US authorities of organisations’ compliance with the Privacy Principles; and (2) the availability of affordable resolution mechanisms for individual complaints.

To that end, organisations included on the Privacy Shield List will be subject to “regular and rigorous monitoring” by the DOC, and the Privacy Principles will be legally binding and enforceable by the FTC under US law. Any organisation that persistently fails to comply with the Privacy Principles will be removed from the Privacy Shield List and will be required to return or destroy any personal data collected under the Privacy Shield.

In addition, the Privacy Shield will provide data subjects with several avenues of redress. First, citizens who believe that their personal data has been misused will be able to lodge complaints directly with the organisation concerned, which will be required to reply within the 45-day timeline stated above.

Second, as noted above, organisations must designate an independent dispute resolution body to investigate and resolve individual complaints, and to provide recourse free of charge to the individual.

Third, data subjects may direct complaints to their national DPA. The national DPAs will then work with the DOC and the FTC to ensure that unresolved complaints are investigated and resolved expeditiously. To this end, the DOC will have 90 days to issue a response to complaints forwarded from national DPAs. The FTC will also accept complaints from individuals, dispute resolution bodies, and the DOC, as well as from national DPAs. If necessary, the FTC can seek to enforce compliance through the issuance of administrative orders. If these are subsequently ignored, civil penalties against the organisation may be sought, along with preliminary and/or permanent injunctions from a federal court.

Finally, and as a recourse mechanism of “last resort,” complaints that have not been satisfactorily resolved via the other avenues of redress may be submitted by the data subject to the “Privacy Shield Panel.” This panel will consist of one or three (to be agreed by the parties) individuals to be selected from among twenty arbitrators identified on a list to be created by the DOC and the EU Commission. Any decision made by the panel will be binding and enforceable on all parties to the arbitration, but will not be intended to function as persuasive or binding precedent in matters involving other parties.

US Government Access

In an effort to address concerns identified in the Schrems judgement that caused the Safe Harbor mechanism to be invalidated,[5] the Privacy Shield framework contains statements from the US Government, through the DOJ and the Office of the Director of National Intelligence, regarding limitations imposed on US Government access to personal data. Such limitations, including on access by US public authorities for law enforcement, national security and other public interest purposes, are described in the annexes to the draft adequacy decision. For example, the draft adequacy decision outlines how US intelligence agencies may only access personal data where their request complies with the Foreign Intelligence Surveillance Act or is made by the Federal Bureau of Investigation based on a “National Security Letter.” The draft adequacy decision also points to the increased transparency reporting provisions established by the USA Freedom Act of 2015, under which organisations may voluntarily disclose approximate numbers of government access requests.

The assurances given by the US Government in relation to their access to EU personal data have been balanced against the provisions of the overarching EU-US data protection “Umbrella Agreement”, initialled by the two parties on September 8, 2015.[6] While it is yet to be ratified on either side of the Atlantic, the Umbrella Agreement recognises the need for EU-US law enforcement cooperation to respond effectively to common security threats arising from serious crime or terrorism, and provides a framework for the exchange of personal data between EU and US security services for such purposes. The ratification of the Umbrella Agreement in the EU was conditional on EU citizens being given the right to enforce their data protection rights in US courts, regardless of whether or not they reside in the United States. On February 24, 2016, President Obama signed the Judicial Redress Act, which will provide EU citizens the same judicial redress rights as US citizens in case of privacy breaches.

To provide for independent monitoring of access by the US Government to EU personal data, a new role for a Privacy Shield Ombudsperson will be created. The Privacy Shield Ombudsperson will be tasked with investigating “surveillance” complaints made by EU citizens whose personal data has been transferred to the United States under the Privacy Shield as well as the other recognised mechanisms for such transfers: the Standard Contractual Clauses and Binding Corporate Rules.[7]

Annual Review

As announced by the EU Commission on February 2, 2016, the Privacy Shield includes a joint review mechanism whereby the framework and the assurances given by the US Government will be reviewed on an annual basis. The latest announcement revealed that these reviews will be conducted jointly by the EU Commission and the DOC, who will also involve the national DPAs, the US national security agencies, and the new Privacy Shield Ombudsperson. These reviews will allow the EU Commission to monitor the functioning of the Privacy Shield and suspend the Privacy Shield altogether if it finds that organisations or public authorities are not abiding by their commitments.

Where Do We Go From Here?

Although the release of the draft Privacy Shield framework represents a significant step, several stages remain before the adequacy decision can be finalised and the Privacy Shield becomes law. Before a final decision can be made by the College of Commissioners (the leadership of the EU Commission), the Article 29 Working Party[8] must give its opinion, following which a committee composed of representatives of each EU Member State (the Article 31 Committee) will be consulted. To date, the Article 29 Working Party has reserved judgment on the Privacy Shield pending its receipt of the full text of the new framework.[9] Following the release of the draft adequacy decision, the Article 29 Working Party confirmed that it will finalise and adopt its opinion on the Privacy Shield at its next plenary meeting on April 12-13, 2016. Once the Article 31 Committee has given its opinion and a final decision has been reached by the College of Commissioners, which does not appear likely to occur before the summer, the adequacy decision will be published in the Official Journal of the European Union. Only then will it enter into force and become operable.

In the meantime, some national DPAs appear to be taking a strict approach to organisations that may be continuing to rely on the now defunct Safe Harbor framework. For example, the French Data Protection Authority, CNIL, issued a formal notice to Facebook directing it to amend its practices of collecting data concerning the browsing activity of Internet users who do not have a Facebook account.[10] In addition, press reports indicate that the Hamburg Data Protection Authority in Germany is evaluating the initiation of penalty proceedings against non-compliant organisations.[11]

We will continue to monitor the development of the Privacy Shield and will provide updates as the data protection landscape evolves.

  1. See Arnold & Porter Advisory, The EU-US Privacy Shield: Agreement Reached on New Framework for Trans-Atlantic Data Transfers (Feb. 2, 2016).

  2. Article 25(6), Directive 95/46/EC.

  3. Available here.

  4. See Arnold & Porter Advisory, Batten Down The Hatches: The US-EU Data Protection Safe Harbor Framework Invalidated (Oct. 7, 2015).

  5. Available here.

  6. Available here.

  7. See Arnold & Porter Advisory, Update: The State of Trans-Atlantic Data Transfers After Safe Harbor (Nov. 12, 2015).

  8. The Article 29 Working Party is an independent advisory body comprised of representatives from all EU Data Protection Authorities, as well as the EU Data Protection Supervisor.

  9. Available here.

  10. Available here.

  11. Available here.
