EU-US Privacy Shield: Substance and Significance

As we previously reported,¹ the European Union (EU) and the United States recently reached political agreement on a replacement for the invalidated EU-US Safe Harbor framework in accordance with the provisions of the EU Data Protection Directive.² The EU Commission has now announced the details of the newly negotiated mechanism for trans-Atlantic data transfers, branded as the “EU-US Privacy Shield.”³ However, it should be noted that the Privacy Shield is currently in draft form and, as we explain below, there are several hurdles for it to overcome before it can become law.

The announcement from the EU Commission was accompanied by a package of documents, the most significant of which is a draft adequacy decision. If adopted by the EU Commission, this will establish that the United States, “by reason of its domestic law or of the international commitments it has entered in to,” ensures an adequate level of protection for personal data to permit the transfer of such data from the EU. The draft adequacy decision has several annexes, including the set of privacy principles (comprising seven core “privacy principles” and sixteen “supplementary principles”) to which US organisations receiving personal data from the EU must adhere (the “Privacy Principles”). Also annexed are a series of letters from US authorities, including the Federal Trade Commission (FTC), the Department of Transportation (DOT), the Office of the Director of National Intelligence, and the Department of Justice (DOJ), setting out enforcement mechanisms to be implemented by the FTC and DOT, and the roles of other US Government law enforcement and national security legal authorities with respect to protection of and access to personal data.

This Advisory highlights key aspects of the draft Privacy Shield framework that may be most significant for organisations on both sides of the Atlantic involved in the transfer of personal data from the EU.

What Will Be Required of US Companies?

In a similar manner as under the now undermined Safe Harbor framework,⁴ US organisations wishing to import personal data from the EU under the Privacy Shield will be required to self-certify to the US Department of Commerce (DOC) on an annual basis that their use and handling of such data is compliant with the Privacy Principles. The “supplementary principles” provide guidance on the steps organisations should take to comply with the core principles, and detail additional requirements for special situations such as the handling of sensitive and human resources data, certain journalistic exceptions, and special requirements on the processing of personal data obtained in the pharmaceutical and medical fields.

As part of the self-certification process, organisations must verify their compliance with the Privacy Principles (either in-house or through a third party) and establish that their policies conform to those principles. To ensure compliance, organisations must, for example, implement employee training procedures, conduct periodic compliance reviews, and provide means by which any complaints relating to their processing of personal data are dealt with effectively.

As was the case under Safe Harbor, organisations must make a submission to the DOC to be included on a public list of all self-certifying organisations, the “Privacy Shield List”.

Changes to the Privacy Principles

Companies will note that the structure of the Privacy Principles appears similar to the privacy principles and frequently asked questions under the Safe Harbor framework. However, the standards for data protection have been strengthened in several key areas, including in relation to the accountability of organisations for “onward transfers” of personal data (i.e., transfers of EU personal data by a Privacy Shield organisation to third parties outside the framework, such as parties undertaking sub-processing activities), the availability of recourse mechanisms for EU citizens, and the enforcement of the Privacy Principles against organisations who fail to adhere.

Enforcement and Redress

Two new areas within the Privacy Shield framework are (1) better and effective supervision, monitoring, and enforcement by US authorities of organisations’ compliance with the Privacy Principles; and (2) the availability of affordable resolution mechanisms for individual complaints.

To that end, organisations included on the Privacy Shield List will be subject to “regular and rigorous monitoring” by the DOC, and the Privacy Principles will be legally binding and enforceable by the FTC under US law. Any organisation that persistently fails to comply with the Privacy Principles will be removed from the Privacy Shield List and will be required to return or destroy any personal data collected under the Privacy Shield.

In addition, the Privacy Shield will provide data subjects with several avenues of redress. First, citizens who believe that their personal data has been misused will be able to lodge complaints directly with the organisation concerned, which will be required to reply within the 45-day timeline stated above.

Second, as noted above, organisations must designate an independent dispute resolution body to investigate and resolve individual complaints, and to provide recourse free of charge to the individual.

Third, data subjects may direct complaints to their national DPA. The national DPAs will then work with the DOC and the FTC to ensure that unresolved complaints are investigated and resolved expeditiously. To this end, the DOC will have 90 days to issue a response to complaints forwarded from national DPAs. The FTC will also accept complaints from individuals, dispute resolution bodies, and the DOC, as well as from national DPAs. If necessary, the FTC can seek to enforce compliance through the issuance of administrative orders. If these are subsequently ignored, civil penalties against the organisation may be sought, along with preliminary and/or permanent injunctions from a federal court.

Finally, and as a recourse mechanism of “last resort,” complaints that have not been satisfactorily resolved via the other avenues of redress may be submitted by the data subject to the “Privacy Shield Panel.” This panel will consist of one or three (to be agreed by the parties) individuals to be selected from among twenty arbitrators identified on a list to be created by the DOC and the EU Commission. Any decision made by the panel will be binding and enforceable on all parties to the arbitration, but will not be intended to function as persuasive or binding precedent in matters involving other parties.

US Government Access

In an effort to address concerns identified in the Schrems judgement that caused the Safe Harbor mechanism to be invalidated,⁵ the Privacy Shield framework contains statements from the US Government -- through the DOJ and the Office of the Director of National Intelligence -- regarding limitations imposed on US Government access to personal data. Such limitations, including on access by US public authorities for law enforcement, national security and other public interest purposes, are described in the annexes to the draft adequacy decision. For example, the draft adequacy decision outlines how US intelligence agencies may only access personal data where their request complies with the Foreign Intelligence Surveillance Act or is made by the Federal Bureau of Investigation based on a “National Security Letter.” The draft adequacy decision also points to the increased transparency reporting provisions established by the USA Freedom Act of 2015, under which organisations may voluntarily disclose approximate numbers of government access requests.

The assurances given by the US Government in relation to their access to EU personal data have been balanced against the provisions of the overarching EU-US data protection “Umbrella Agreement”, initialled by the two parties on September 8, 2015.⁶ While it is yet to be ratified on either side of the Atlantic, the Umbrella Agreement recognises the need for EU-US law enforcement cooperation to respond effectively to common security threats arising from serious crime or terrorism, and provides a framework for the exchange of personal data between EU and US security services for such purposes. The ratification of the Umbrella Agreement in the EU was conditional on EU citizens being given the right to enforce their data protection rights in US courts, regardless of whether or not they reside in the United States. On February 24, 2016, President Obama signed the Judicial Redress Act, which will provide EU citizens the same judicial redress rights as US citizens in case of privacy breaches.

To provide for independent monitoring of access by the US Government to EU personal data, a new role for a Privacy Shield Ombudsperson will be created. The Privacy Shield Ombudsperson will be tasked with investigating “surveillance” complaints made by EU citizens whose personal data has been transferred to the United States under the Privacy Shield as well as the other recognised mechanisms for such transfers: the Standard Contractual Clauses and Binding Corporate Rules.⁷

Annual Review

As announced by the EU Commission on February 2, 2016, the Privacy Shield includes a joint review mechanism whereby the framework and the assurances given by the US Government will be reviewed on an annual basis. The latest announcement revealed that these reviews will be conducted jointly by the EU Commission and the DOC, who will also involve the national DPAs, the US national security agencies, and the new Privacy Shield Ombudsperson. These reviews will allow the EU Commission to monitor the functioning of the Privacy Shield and suspend the Privacy Shield altogether if it finds that organisations or public authorities are not abiding by their commitments.

Where Do We Go From Here?

Although the release of the draft Privacy Shield framework represents a significant step, several stages remain before the adequacy decision can be finalised and the Privacy Shield becomes law. Before a final decision can be made by the College of Commissioners (the leadership of the EU Commission), the Article 29 Working Party⁸ must give its opinion, following which a committee composed of representatives of each EU Member State (the Article 31 Committee) will be consulted. To date, the Article 29 Working Party has reserved judgment on the Privacy Shield pending its receipt of the full text of the new framework.⁹ Following the release of the draft adequacy decision, the Article 29 Working Party confirmed that it will finalise and adopt its opinion on the Privacy Shield at its next plenary meeting on April 12-13, 2016. Once the Article 31 Committee has given its opinion and a final decision has been reached by the College of Commissioners, which does not appear likely to occur before the summer, the adequacy decision will be published in the Official Journal of the European Union. Only then will it enter into force and become operable.

In the meantime, some national DPAs appear to be taking a strict approach to organisations who may be continuing to rely on the now defunct Safe Harbor framework. For example, the French Data Protection Authority, CNIL, issued a formal notice on Facebook directing it to amend its practices of collecting data concerning the browsing activity of Internet users who do not have a Facebook account.¹⁰ In addition, press reports indicate that the Hamburg Data Protection Authority in Germany is evaluating the initiation of penalty proceedings against non-compliant organisations.¹¹

We will continue to monitor the development of the Privacy Shield and will provide updates as the data protection landscape evolves.