As of August 1, 2016, U.S. companies can now self-certify compliance to the EU-U.S. Privacy Shield (“Privacy Shield”) to the U.S. Department of Commerce (see https://www.privacyshield.gov/welcome). Privacy Shield is a new legal mechanism that provides “adequate protection” within the meaning of EU data protection laws for transatlantic data flows to the United States. Privacy Shield replaces the U.S.-EU Safe Harbor Arrangement (“Safe Harbor”) as a key mechanism for EU to U.S. data transfers, as the European Court of Justice (“CJEU”) had invalidated the European Commission’s finding of adequacy for Safe Harbor in its Schrems decision on October 6, 2015.
Privacy Shield provides U.S. organizations and their European business partners with a key additional option to address the EU restrictions on personal data flows. More fundamentally, Privacy Shield helps reduce the broader risks for all EU to U.S. data transfers in the wake of the Schrems ruling. Specifically, Schrems had invalidated the Safe Harbor adequacy decision primarily on the basis of the CJEU’s privacy concerns about national security surveillance in the U.S. Although the CJEU’s decision focused on the specifics of the adequacy decision itself, and its view that the EC decision itself did not adequately protect as a procedural matter against U.S. government surveillance, the CJEU’s underlying concerns about U.S. government surveillance arguably would apply equally to other mechanisms for transfers that are subject to the same U.S. law and policy, such as model contracts and binding corporate rules, and also to many other countries’ surveillance practices, including EU member states (for more see our Global Surveillance Law Survey). The Privacy Shield documents provide an updated description of the law and policy in the U.S. on government surveillance, which is more privacy-friendly than the prior circumstances contemplated by the CJEU at the time of Schrems. Privacy Shield also includes new procedural features, including the establishment of a U.S. State Department Ombudsperson to hear complaints about national security practices, to help address these concerns. Taken together, these elements assure a more robust framework of privacy protections in the context of U.S. government surveillance.
Since Schrems, many EU and U.S. organizations have made or are making important strategic decisions about how to approach EU to U.S. data transfers. In particular, many U.S. organizations participating in Safe Harbor have adopted model contracts, initiated the process of applying for binding corporate rules, and taken other approaches to addressing cross-border data transfers. Depending on the specific circumstances, these organizations may now consider the potential advantages and disadvantages of Privacy Shield. The analysis should take into account factors outside Privacy Shield, such as the challenges to the decisions on model contracts at the CJEU, as well as the increased compliance burden under the General Data Protection Directive (effective May 2018) and other factors.
Below, we summarize the key aspects of Privacy Shield, including the core elements of the framework, how it will work, and its key commercial requirements, including the limited grace period available for companies that self-certify within the first 60 days. We also include some considerations about how companies may wish to evaluate Privacy Shield against other options and approaches.
Where to find information
The adequacy decision implementing Privacy Shield consists of a 44-page main body and seven Annexes, as further outlined below. The main body and Annex II of the adequacy decision contain the key information from a commercial sector perspective:
- The main body of the adequacy decision, in 155 recitals, (i) summarizes the obligations to be imposed on U.S. companies and the protections afforded to personal data transferred from the EU to the U.S. under Privacy Shield, (ii) describes how the requirements set by the CJEU in Schrems are met, (iii) concludes that the U.S. ensures an adequate level of protection for European personal data transferred under Privacy Shield and (iv) outlines the review process for the adequacy decision. The actual adequacy decision appears on pages 43 and 44 of the main body document.
- Annex I contains a letter from the U.S. Department of Commerce (“DOC”) to the Commission transmitting the Privacy Shield materials (listed in the following Annexes).
- Annex II contains the EU-U.S. Privacy Shield Framework Principles issued by the DOC.
- Annex III contains a letter from the U.S. Secretary of State setting out a new Ombudsperson mechanism to be implemented in order to respond to complaints and enquiries from individuals regarding U.S. intelligence/surveillance practices.
- Annex IV contains a letter from the FTC setting out how it will enforce Privacy Shield.
- Annex V contains a letter from the Department of Transportation describing its role in enforcing Privacy Shield.
- Annex VI contains a letter from the Office of the Director of National Intelligence explaining the safeguards and limitations imposed on U.S. national security authorities regarding their intelligence/surveillance collection activities.
- Annex VII contains a letter from the U.S. Department of Justice setting out the safeguards and limitations on U.S. government access to commercial data and other records for criminal law enforcement and public interest purposes.
How will Privacy Shield work?
As with Safe Harbor, Privacy Shield functions through a self-certification process by which U.S. companies agree to adhere to a set of Privacy Principles and Supplemental Principles (collectively, the “Privacy Shield Principles”). Although a company must apply sufficient resources to build and develop its program, the self-certification mechanism itself is an online process which requires the organization to provide information about its program and pay a fee.
What will happen to the Safe Harbor Program?
The U.S. Commerce Department has stated that it will keep the list of participating organizations for now, but will no longer accept new registrations as of August 1, 2016 and will stop accepting re-certifications as of October 31, 2016. Companies that register for Privacy Shield could simultaneously de-certify from the Safe Harbor Program (given that it no longer offers their EU business partners and subsidiaries much benefit). Companies that currently participate in Safe Harbor, and decide not to join Privacy Shield, should carefully consider whether to de-certify from Safe Harbor in light of their contractual commitments and other considerations.
What are the commercial obligations under Privacy Shield?
U.S. companies that self-certify under Privacy Shield will be required to comply with the following seven core principles (“Core Principles”) as well as additional requirements for certain types of data or specific circumstances (contained in the Supplemental Principles):
1. Notice Principle. Organizations must notify data subjects about thirteen specific data points including details such as the type of data collected and purposes of processing, details about the possibility of invoking binding arbitration (a new procedural recourse for data subjects) and details about the organization’s liability for onward transfers.
2. Choice Principle. Organizations must offer individuals the opportunity to opt out of the disclosure of their personal data to third parties or the use of such data for a materially different purpose than the purpose of collection. Sensitive data is subject to additional requirements.
3. Accountability for Onward Transfer Principle. Onward transfers to third party controllers must only take place for limited and specified purposes and on the basis of a contract between the transferor and the transferee in which the transferee commits to provide the same level of protection as afforded by the Privacy Shield Principles. Onward transfers to third party data processors/agents require appropriate contractual provisions as well.
4. Security Principle. Organizations must implement reasonable and appropriate security measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
5. Data Integrity and Purpose Limitation Principle. Organizations must adhere to the concept of data minimization and not process personal data in ways incompatible with the purposes of collection or as subsequently authorized by data subjects. Organizations must further ensure that personal data is reliable for its intended use, accurate, complete and up-to-date.
6. Access Principle. Subject to limited exceptions, organizations must give individuals access to personal data they hold about them and enable them to have that data corrected, amended or deleted if it is inaccurate or has been processed in violation of the Privacy Shield Principles.
7. Recourse, Enforcement and Liability Principle. Organizations must implement readily available independent recourse mechanisms to resolve complaints at no cost to individuals. They must also verify periodically (by way of internal or external reviews and audits) that their published privacy policies conform to the Privacy Shield Principles and comply with the same. In addition to “back stop” enforcement by the U.S. Federal Trade Commission (“FTC”), individual data subjects will also have rights to invoke binding arbitration procedures in certain circumstances if they are not satisfied following FTC action. And, with respect to national security surveillance issues, data subjects will have the opportunity to appeal for redress to the U.S. Department of State Ombudsperson’s Office (“DOS”).
What steps should U.S. companies take to certify to Privacy Shield?
U.S. companies should start by carefully evaluating the Privacy Shield Principles and determining whether the company is able to meet the obligations of Privacy Shield. Companies should ensure that they maintain appropriate documentation of this due diligence process in order to demonstrate, if ever necessary, that the company has undertaken a reasonable due diligence process to address the Privacy Shield Principles. Companies should also:
- prepare appropriate privacy statements to address the Privacy Shield Notice Principle and other transparency requirements;
- establish choice or consent mechanisms to the extent needed to address Privacy Shield rules;
- prepare internal policies or guidelines to instruct appropriate U.S. managers and others about procedures to address the Privacy Shield Principles in practice;
- evaluate current agreements with vendors and other third parties who receive personal data about EU residents and determine whether any revisions to the agreements are required in accordance with the Privacy Shield Onward Transfer Principle;
- determine whether the company will participate in a third party seal program, the EU data protection authority panel, or other program to serve as its independent dispute resolution body;
- prepare an internal verification form signed by a corporate officer or other authorized representative to confirm that the company adheres to the Privacy Shield Principles;
- complete the Privacy Shield online filing with the U.S. Department of Commerce; and
- ensure that the company has in place procedures to reaffirm its ongoing compliance with Privacy Shield at the time of its annual reaffirmation.
What is the European perspective on Privacy Shield?
While there is no single view on Privacy Shield from a European perspective, the Art. 29 Working Party issued a press release shortly after the adoption of the EU-U.S. Privacy Shield in which it welcomed the improvements brought by Privacy Shield compared to Safe Harbor. A number of concerns raised by the Art. 29 Working Party in its Opinion WP238 appear to remain, such as a lack of clarity as to how the Privacy Shield Principles shall apply to data processors, or a lack of concrete assurances relating to the collection of personal data by U.S. authorities. The Art. 29 Working Party will take the opportunity at the first annual review to further assess the robustness and efficiency of Privacy Shield, thereby indicating that it will not challenge Privacy Shield in the meantime. This first annual review of Privacy Shield may also have an impact on other transfer tools, such as BCRs or model clauses. At the country level, in Germany, the Commissioner of the Data Protection Authority of Hamburg gave an interview in which he stated that he has serious doubts whether the adequacy decision of the EU Commission relating to Privacy Shield meets the legal requirements of the principle of proportionality and judicial redress highlighted in Schrems. He hopes that the German lawmakers will soon enact a law allowing the German DPAs to directly challenge the adequacy decision in court and seek a judgment by the CJEU, as opposed to waiting for a claim from an individual challenging the Privacy Shield decision. Even without such a direct right for the German DPAs to challenge the Privacy Shield decision, it is likely just a matter of time until the next challenge to the Privacy Shield decision, which means that, when combined with the ongoing challenge at the CJEU level to model clauses and other factors, there will remain uncertainty for companies with respect to cross-border data transfers.
The UK Information Commissioner’s Office (ICO) has been less critical and confirmed in a recent blog that “the baton of Safe Harbor has now been passed to the EU-US Privacy Shield, which places stronger privacy requirements on US companies signed up to the scheme (e.g., greater transparency of privacy notices) and gives stronger redress mechanisms for individuals.” Whilst acknowledging that the area of international transfers is still not free from uncertainty, the ICO makes clear that the Shield decision is legally binding and encourages companies to ‘not delay’ in implementing the necessary changes to comply with international transfer obligations.
Do I need to certify to Privacy Shield now?
As of August 1, 2016, companies can begin certifying to Privacy Shield at the Privacy Shield website. While companies can certify to Privacy Shield at any time, there is an important incentive to certify early. Companies that submit their certification to Privacy Shield by September 30, 2016 will be given nine months to bring contractual relationships with third parties in line with the Accountability for Onward Transfer Principle. Otherwise, companies must achieve compliance with the Accountability for Onward Transfer Principle by revising relevant third party contracts before completing the certification process – a step that may significantly delay a company’s certification.
What factors should U.S. companies consider when deciding whether to join Privacy Shield?
As with other legal and risk decisions, there is no one-size-fits-all answer to whether a U.S. company should join Privacy Shield.
Factors that may generally support a determination to join would include elements such as:
- significant online collections directly from EU consumers that may be difficult to address reliably through model contracts or other mechanisms;
- the U.S. company already had a Safe Harbor program that could serve as a baseline for a Privacy Shield program;
- the U.S. company is a service provider to EU corporate and commercial customers, such that Privacy Shield may help facilitate the customer contracting process and/or assure broader coverage for customer data transfers;
- the U.S. company is having difficulty assuring full coverage of its EU to U.S. transfers under model contracts or other mechanisms; and
- the U.S. company has regulatory disclosure obligations that could be challenging to meet under model contracts or other solutions, among other factors.
Factors that may generally support a determination not to join Privacy Shield, or to consider joining later, include elements such as:
- the U.S. company already has a complete model contract, binding corporate rules, or other solution in place for all of its EU to U.S. data transfers;
- the U.S. company is concerned that it may not be able to comply with the Privacy Shield rules; and
- the U.S. company has operations in Europe that engage in significant data transfers from the EU to non-U.S. rest of world (ROW) locations, such that the U.S. company will need to implement other solutions in any event to cover the EU to ROW transfers, such as binding corporate rules.
For some U.S. companies, it may make sense to choose more than one data transfer mechanism, e.g., to cover different types of data flows or to help protect against the ongoing risk of challenges to Privacy Shield, model contracts and other cross-border data transfer mechanisms.
As noted above, there is no single solution for all companies, and each organization should take into account its individual circumstances to arrive at the best approach for that organization. Please feel free to reach out to the contacts below or your usual Baker & McKenzie partner for assistance with these important cross-border data transfer issues.