EU-US Privacy Shield Adopted: Where Do We Go From Here?

On July 12, 2016, the EU Commission formally adopted a new mechanism for the transfer of personal data from the European Union to the United States. The final details of the new framework, branded the “EU-US Privacy Shield” (Privacy Shield), are set out in an EU Commission “adequacy decision”, which establishes that the United States “ensures an adequate level of protection for personal data transferred under the EU- US Privacy Shield”. As of August 1, 2016, US companies will be able to “sign up” to receive personal data under the protection of the Privacy Shield, by certifying with the US Department of Commerce (DOC) their commitment to comply with the framework’s terms.

The Privacy Shield seeks to build upon the now-defunct Safe Harbour framework, which was rendered invalid by the Court of Justice of the European Union (CJEU) in its decision in the Schrems case¹ following the revelations of mass surveillance by US authorities brought to the fore by Edward Snowden. Organisations are no longer able to rely on the Safe Harbour framework following the Schrems decision and the national data protection authorities in the EU (DPAs) are taking action against companies that have not adjusted their processes accordingly. On February 9, 2016, the French data protection authority issued a formal notice to Facebook to, amongst other points, cease its alleged continued reliance on Safe Harbour to transfer data to the United States, and on June 6, 2016, the Hamburg Commissioner fined several companies for their continued reliance on the Safe Harbour mechanism, only six months after its invalidation.

As we previously reported, political agreement on the Privacy Shield was reached by the European Union and the United States on February 2, 2016² and a draft adequacy decision was published by the EU Commission on February 29, 2016.³ In accordance with the European Union’s usual review procedure, opinions were then sought from the Article 29 Working Party⁴ and the Article 31 Committee.⁵ In addition, several other key EU data protection stakeholders, such as the European Parliament and the European Data Protection Supervisor, reviewed the draft adequacy decision and published their views on it.

With the approval process now complete, questions remain about whether the Privacy Shield is a meaningful improvement over Safe Harbour, what companies need to do to make use of it, and whether the concerns raised by the various stakeholders in the process of its development have been addressed.

Despite criticisms from various EU stakeholders (see Have Concerns Been Addressed? below for more details), the final text of the Privacy Shield is not drastically different from the draft published by the EU Commission in March 2016.

As originally proposed and as was the case with Safe Harbour, the Privacy Shield remains a self-certifying mechanism for US entities, whether they are data controllers or processors, who are willing to commit to all of the “privacy principles” (contained in Annex II to the adequacy decision⁶), which are largely the same as under the Safe Harbour framework and earlier versions of the Privacy Shield. Although in the future organisations will be required to adhere to all of the principles from the moment they decide to commit to the Privacy Shield, the final version of the adequacy decision provides some leeway where US organisations receive personal data from the European Union and transfer it on to third parties (this is known as the “Accountability For Onward Transfer Principle”).⁷ Provided self-certification takes place within two months of July 12, 2016, organisations with pre-existing commercial relationships with data recipients in the United States are permitted a nine-month period following self-certification to ensure that the onward data transfers comply with the new requirements.. It is therefore imperative for organisations that wish to rely on the Privacy Shield rather than the other existing data transfer mechanisms (see What Other Data Transfer Mechanisms Are There? below), to make quick decisions on whether to subscribe to the Privacy Shield.

The final Privacy Shield also clarifies that the Accountability For Onward Transfer Principle applies to onward transfers to any third parties, irrespective of whether they are located in the United States or elsewhere. In order for a certified Privacy Shield organization to make an onward transfer to a third party, that third party must, in its contract with the certified organization, agree to notify the certified entity if it is no longer able to meet its contractual data protection obligations. Finally, it has also been clarified that the Accountability For Onward Transfer Principle must be read in light of the Purpose Limitation Principle,⁸ which, in effect, means that US organisations should ensure that any onward transfers of EU-originated personal data to third parties are only carried out within the scope of the purpose for which such personal data was originally collected or subsequently authorised by the data subject.

The final version of the adequacy decision also elaborates on the recourse mechanisms for EU data subjects, which have been the subject of much criticism, particularly from the European Parliament (see Have Concerns Been Addressed? below for more details). With respect to the various avenues individuals could take to obtain redress against US companies under the Privacy Shield,⁹ the final adequacy decision sets out the following “logical order to follow”:

1. Bringing a complaint directly with the US self-certified company (As we previously reported, companies must provide a response within 45 days. However, it is now clear that organisations will also be obliged under the Recourse, Enforcement and Liability Principle to provide EU data subjects with independent mechanisms by which complaints and disputes can be investigated and resolved free of charge);

2. Bringing a complaint to the independent dispute resolution body designated by the US self-certified company (which can be in the European Union or the United States);

3. Referring the matter to the relevant DPA, with the DPA responding within 60 days;

4. Referring the matter to the DOC;

5. Asking for the US Federal Trade Commission (FTC) to grant an administrative order enforcing compliance (also known as a “consent order”); or

6. As a “last resort” in case none of the other mechanisms have satisfactorily resolved the dispute, referring the matter to the “Privacy Shield Panel”, constituted of one or three (to be agreed by the parties) individuals to be selected from among 20 arbitrators designated by the DOC and the EU Commission, for binding arbitration.

The final adequacy decision also highlights that additional avenues for judicial redress may be available under US law. Further, DPAs will be able to exercise their enforcement powers vis-à-vis EU data exporters, where they find that data transfers to the United States are being carried out in breach of EU data protection law. This would include a power to suspend data transfers altogether.

Given the scepticism of the majority of stakeholders regarding the US government’s assurances contained in the initial draft of the Privacy Shield that its intelligence community would not undertake mass collection of personal data, the final version of the Privacy Shield has been bolstered with additional detail on the legislative and executive protections afforded to EU citizens with regards to their personal data. Having thoroughly examined these protections, including the US President’s Executive Order 12333 and US Presidential Policy Directive 28, which both set limitations on the collection of personal data by the intelligence services, as well as of the recent USA FREEDOM Act, which requires the use of specific “selection terms” by intelligence services when attempting to collect personal data, the EU Commission appears to be satisfied that the US government’s assurances are backed by due legal process.

Whilst the adoption of an adequacy decision by the EU Commission brings to a close months of uncertainty following the invalidation of the Safe Harbour framework, the question remains whether the amendments that have been made in the final version have addressed the significant concerns raised by EU data protection stakeholders en route to its adoption.

In its Opinion of April 13, 2016, the Article 29 Working Party, despite noting the major improvements offered by the Privacy Shield compared to the invalidated Safe Harbour, expressed a number of concerns with the new framework, especially in relation to the assurances given by the US government in relation to the collection of massive and indiscriminate data. The Article 29 Working Party also questioned the independence of the new Privacy Shield Ombudsperson, who will be nominated by the US government and will be tasked with investigating “surveillance” complaints by EU citizens, operating as an independent oversight mechanism for national security interference. The lack of clarity in the language used in the draft adequacy decision was also a source of criticism, particularly with regards to onward data transfers. As noted above, the draftsmen have made efforts in the final version of the Privacy Shield to bring greater clarity to the Accountability For Onward Transfer Principle (see Privacy Principles above). In addition, attempts have been made, both in the main body of the adequacy decision and in the letter from the US Secretary of State contained in an annex to it, to demonstrate the independence of the Ombudsperson, including by making clear that the Ombudsperson reports directly to the Secretary of State, who will ensure that the Ombudsperson carries out his or her function objectively and free from improper influence.

The European Parliament made similar criticisms in a non-legislative resolution passed on May 26, 2016. Whilst welcoming the Privacy Shield and its “substantial improvements” compared to Safe Harbour, it nonetheless criticised the new framework, expressing regret at the complexity of the redress mechanism for individuals and calling for periodic “robust reviews”. Although the latter may have been addressed by additions to the annual review mechanism (the US government has committed to keep the EU Commission up-to-date on any material developments in US law relevant to the Privacy Shield, and the limitations and safeguards applicable to access to personal data by public authorities, and the EU Commission will assess the level of protection provided by the Privacy Shield as EU law evolves, including with the application of the General Data Protection Regulation as of May 2018), it remains to be seen whether these will satisfy critics of the Privacy Shield.

Criticism was also levelled at the Privacy Shield by the European Data Protection Supervisor in his Opinion of May 30, 2016, who considered that the draft needed “significant improvements”, particularly in relation to assurances by the US government against indiscriminate surveillance and mass collection of personal data. As noted above, attempts have been made in the final version of the adequacy decision to bolster the assurances given by the US government (see US Government Access above). However, this may be an avenue for a future challenge to the Privacy Shield.

With these criticisms in mind, commentators have suggested that there is a real possibility that the Privacy Shield will be challenged in litigation post-adoption. Max Schrems, the architect of Safe Harbour’s downfall, has already intimated that he expects another challenge to be brought to the CJEU, this time in relation to the Privacy Shield. Such a challenge is likely to be based on the various criticisms expressed by the EU data protection stakeholders.

Privacy Shield aside, there are two other recognised mechanisms for transferring data from the European Union to the United States on which organisations continue to be able to rely:

• Binding Corporate Rules (BCRs), a set of legally enforceable corporate rules covering transfers of personal data carried out by an EU organisation to a subsidiary or member of its group of companies based outside the European Union. BCRs are specific to an EU organization and must be specifically approved by the relevant DPA; and
• Standard Contractual Clauses, a set of contractual clauses approved by the EU Commission which can be used as a stand-alone document or incorporated into a commercial agreement between a data exporter and a data importer.

Indeed, the final adequacy decision specifically states that organisations can rely on the Standard Contractual Clauses to transfer data to the United States if they withdraw from the Privacy Shield.¹⁰

However, whilst the Standard Contractual Clauses and the BCR mechanism for demonstrating adequate data protection remain valid and have been approved by the EU Commission and the Article 29 Working Party respectively, data exporters should watch carefully for possible challenges to their validity in the future. On May 25, 2016, the Irish Data Protection Commissioner announced that it would seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. Furthermore, the Hamburg Commissioner for Data Protection and Freedom of Information declared in a press release on June 6, 2016 that a decision must be made on the admissibility of Standard Contractual Clauses.

The timing of the entry into force of Privacy Shield coincides with the announcement of Theresa May as the UK’s new Prime Minister, who took office on Wednesday July 13, 2016. It remains uncertain as to when the UK will formally start proceedings to exit the European Union and, for the time being, nothing changes as the UK remains a member of the European Union subject to EU law. The triggering of the withdrawal process (which may not occur for some time) sets in motion a two-year period (which can be extended up to five years) of negotiation between the UK and the remainder of the European Union concerning the withdrawal process and the arrangements that will govern the UK’s future relationship with the European Union. During that negotiation period, the Privacy Shield will continue to be applicable in the UK.

Unless it is agreed otherwise as part of the negotiations, once the UK has left the European Union, the Privacy Shield will not cover the UK. As a result, data transfer mechanisms may need to be put in place between the UK and the European Union, and between the UK and other non-EU countries, including the United States. Experience with the Privacy Shield shows that negotiating this afresh is unlikely to be a simple process and the UK may therefore propose following whatever solution works for the rest of the European Union. This might, in any event, be required by the European Union as part of its negotiations with the UK, since the EU regulators will probably want to ensure proper protections for personal data that is transferred from the European Union to the UK, and which the UK then transfers on to non-EU countries. As a result, despite the fact that the UK post-Brexit framework for data transfers is likely to be separate from the EU mechanism, if current data protection practices are anything to go by, it is likely that the UK will adopt a similar, although slightly lighter-touch, approach.

As noted, organisations who wish to rely on the Privacy Shield rather than the existing mechanisms for EU- US data transfers will need to make a relatively quick decision on whether to adhere to the Privacy Shield if they want to benefit from the nine-month transition period for complying with the Accountability For Onward Transfer Principle. However, in light of the potential challenges to the Privacy Shield, organisations that now rely on the Standard Contractual Clauses and BCRs may wish to continue that reliance for the time being.

We will continue to monitor developments surrounding the Privacy Shield and will provide updates as the data protection landscape evolves.