On February 29, 2016, the European Commission (“Commission”) published a draft adequacy decision and related documents that are intended to implement the EU-U.S. Privacy Shield (“Privacy Shield”). Upon adoption, the Privacy Shield will serve as a new legal mechanism for transatlantic data flows replacing the U.S.-EU Safe Harbor Framework, which the European Court of Justice (“CJEU”) struck down in its Schrems decision on October 6, 2015. According to the Commission, the Privacy Shield reflects the requirements set out in the Schrems decision, and the draft adequacy decision expressly concludes that the U.S. ensures an adequate level of protection for personal data transferred from the EU[1] to organizations in the U.S. under the Privacy Shield. The internal adoption period of the adequacy decision in the EU is currently expected to conclude in June 2016. In this post, we provide an overview of the Privacy Shield, outline its framework and summarize the major obligations and protections it will provide.
The new legal framework
The Privacy Shield is composed of a series of separate documents rather than one all-encompassing document. There is a key document setting out the actual privacy principles to be adhered to by Privacy Shield participants. This document is complemented by six letters containing official representations and commitments by various U.S. authorities on how the Privacy Shield will be enforced and how EU personal data will be safeguarded from government access (see below for details). The letter format is a result of the pragmatic and unique approach that the U.S. and EU representatives are taking to reach a working compromise and interoperability between each jurisdiction’s different legal system. As with the prior Safe Harbor arrangement, the parties stopped short of trying to reach a formal legal treaty (as opposed to the EU-U.S. Data Protection Umbrella Agreement, which will be a formal treaty once signed and concluded), which could have taken years longer to negotiate, and instead informally agreed on unilateral commitments by the U.S. (in the form of the Privacy Shield materials) and the EU (in the form of the adequacy decision). As a result, there is no mutual right to enforcement via international public law. If either side feels the other reneges or fails on its commitments, it can discontinue its own cooperation, as the EU did with respect to the Safe Harbor arrangement when the CJEU invalidated the respective adequacy decision. However, as long as each side meets its commitments, agencies and courts in each jurisdiction will be bound by the rules and commitments undertaken. For example, if the U.S. Federal Trade Commission (“FTC”) pursues a potential violation of the Privacy Shield pursuant to the FTC’s Section 5 authority, U.S. courts will enforce the promises made by the relevant company pursuant to the Privacy Shield.
Where to find what information
The draft adequacy decision, which will implement the Privacy Shield, consists of a 34-page main body and seven Annexes that incorporate the Privacy Shield documents mentioned above. The following list provides an overview of the different sections of the draft adequacy decision. The main body and Annex II of the adequacy decision contain the key information from a commercial sector perspective:
- The main body of the draft adequacy decision, in 129 recitals, (i) summarizes the obligations to be imposed on U.S. companies and the protections afforded to personal data transferred from the EU to the U.S. under the Privacy Shield, (ii) describes how the requirements set by the CJEU in Schrems are met, (iii) concludes that the U.S. ensures an adequate level of protection for European personal data transferred under the Privacy Shield and (iv) outlines the review process for the adequacy decision.It then sets outthe actual adequacy decision.
- Annex I contains a letter from the U.S. Department of Commerce (“DOC”) to the Commission transmitting the Privacy Shield materials (listed in the following Annexes).
- Annex II contains the EU-U.S. Privacy Shield Framework Principles issued by the DOC.
- Annex III contains a letter from the U.S. Secretary of State setting out a new Ombudsperson mechanism to be implemented in order to respond to complaints and enquiries from individuals regarding U.S. intelligence/surveillance practices.
- Annex IV contains a letter from the FTC setting out how it will enforce the Privacy Shield.
- Annex V contains a letter from the Department of Transportation describing its role in enforcing the Privacy Shield.
- Annex VI contains a letter from the Office of the Director of National Intelligence explaining the safeguards and limitations imposed on U.S. national security authorities regarding their intelligence/surveillance collection activities.
- Annex VII contains a letter from the U.S. Department of Justice setting out the safeguards and limitations on U.S. government access to commercial data and other records for criminal law enforcement and public interest purposes.
How will the Privacy Shield work?
As was the case with Safe Harbor, the Privacy Shield will function through a self-certification process by which U.S. companies agree to adhere to a set of Privacy Principles and Supplemental Principles (collectively, the “Privacy Shield Principles”). The DOC will maintain and make publicly available an up-to-date list of Privacy Shield participants. This list will reflect voluntary withdrawals and failures to re-certify. Overall, enforcement of the Privacy Shield is projected to be more stringent than under the Safe Harbor Framework. The FTC and DOC will each play a role in enforcing the Privacy Shield. The Privacy Shield affords greater oversight and enforcement powers to those agencies and they have pledged to make use of them.
What are the commercial obligations under the Privacy Shield?
U.S. companies that self-certify under the Privacy Shield will be required to comply with the Privacy Shield Principles, which build on and are similar in many ways to the commercial protections for personal data originally codified in the Safe Harbor Framework. The Privacy Shield Principles contain the following seven core principles (“Core Principles”) which are supplemented by additional requirements for certain types of data or specific circumstances (contained in the Supplemental Principles): 1. Notice Principle. Organizations must notify data subjects about thirteen specific data points including details such as the type of data collected and purposes of processing, details about the possibility of invoking binding arbitration (a new procedural recourse for data subjects) and details about the organization’s liability for onward transfers. 2. Choice Principle. Organizations must offer individuals the opportunity to opt out of the disclosure of their personal data to third parties or the use of such data for a materially different purpose than the purpose of collection. Sensitive data is subject to additional requirements. 3. Accountability for Onward Transfer Principle. Onward transfers to third party controllers must only take place for limited and specified purposes and on the basis of a contract between the transferor and the transferee in which the transferee commits to provide the same level of protection as afforded by the Privacy Shield Principles. 4. Security Principle. Organizations must implement reasonable and appropriate security measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. 5. Data Integrity and Purpose Limitation Principle. Organizations must adhere to the concept of data minimization and not process personal data in ways incompatible with the purposes of collection or as subsequently authorized by data subjects. Organizations must further ensure that personal data is reliable for its intended use, accurate, complete and up-to-date. 6. Access Principle. Subject to limited exceptions, organizations must give individuals access to personal data they hold about them and enable them to have that data corrected, amended or deleted if it is inaccurate or has been processed in violation of the Privacy Shield Principles. 7. Recourse, Enforcement and Liability Principle. Organizations must implement readily available independent recourse mechanisms to resolve complaints at no cost to individuals. They must also verify periodically (by way of internal or external reviews and audits) that their published privacy policies conform to the Privacy Shield Principles and are in fact complied with.
What protections does the Privacy Shield offer against U.S. government access to European personal data transferred to the U.S.?
The Privacy Shield delivers the protections requested by the CJEU on the issue of U.S. government access to European personal data. In particular:
- the Office of the Director of National Intelligence has given written assurances that any access to data by public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms;
- the U.S. Department of State has committed to establish a new Privacy Shield Ombudsperson who is independent from the intelligence community and responsible for responding to complaints and enquiries from individuals regarding U.S. intelligence/surveillance practices; and
- the U.S. Department of Justice has provided assurances regarding safeguards and limitations on U.S. Government access and use of data for law enforcement and public interest purposes.
In addition, the Judicial Redress Act has been signed into law by President Obama after having been adopted by both the U.S. House of Representatives and the U.S. Senate. In essence, the Judicial Redress Act confers upon citizens of designated countries (like EU countries) certain rights to bring suit against U.S. government agencies in U.S. courts in order to access, amend or correct certain records that U.S. agencies may be keeping about them or to seek redress for the unlawful disclosure of those records.
What are the redress mechanisms for EU residents?
In case of an alleged misuse of their data, EU residents will be able to resort to a range of redress mechanisms under the Privacy Shield. These include lodging a complaint with the U.S. company (which must put in place effective redress mechanisms and commit to responding to complaints within 45 days), making a complaint to the local data protection authority that will work with the DOC or FTC to resolve the matter, submitting the issue to an alternative dispute resolution body to which Privacy Shield participants must sign up, or as a last resort invoke binding arbitration.
What review mechanisms will be put in place?
As discussed extensively to date, the Privacy Shield will be subject to an annual joint review to be undertaken by the DOC and the Commission in order to monitor and guarantee the functioning of the Privacy Shield over time. Further, the Commission will periodically review its adequacy decision (if and when adopted) to confirm it continues to be factually and legally justified.
Is there any transition period available for U.S. organizations?
The Privacy Shield is generally silent regarding a transition period or mechanism for Safe Harbor certified companies to transition to the Privacy Shield. There is, however, a limited transition period with respect to third party contractual relationships. Specifically, the Privacy Shield provides that if an organization certifies to the Privacy Shield within two months of the framework’s effective date (i.e., the date that the Commission formally adopts its adequacy decision), the organization will have up to nine months from the date upon which it certifies to bring such relationships with third parties in line with the Accountability for Onward Transfer Principle. This provides organizations with an incentive to evaluate the Privacy Shield on an expedited basis and make decisions about certification promptly.
What should companies do next?
As the Privacy Shield continues its way through the EU adoption process, companies need to think about their short-term as well as medium to long-term EU/U.S. data transfer strategy. In the short term, both European and U.S. companies will need to rely on alternative transfer mechanisms, while considering what might be the best medium to long-term option. This will likely require a thorough assessment of the Privacy Shield obligations and an evaluation as to whether the Privacy Shield (as perhaps a less formal transfer mechanism compared to standard clauses and other mechanisms) or alternative transfer mechanisms would be the most suitable transfer mechanism for a company. Given the uncertainty in this space with potentially all data transfers from the EU to the U.S. at risk of being challenged, organizations may find it beneficial to establish more than one mechanism to address cross-border transfer restrictions.
[1] For the purposes of this post, the term “EU” shall also cover the EEA (which will, however, need to formally adopt the adequacy decision once it has been adopted by the EU).
