EU-U.S. Privacy Shield: Soon Open for Business
Axel Spies
German attorney-at-law (Rechtsanwalt)
Dr. Axel Spies is a German attorney (Rechtsanwalt) in Washington, DC, and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).
The EU-U.S. Privacy Shield—the successor to the invalidated Safe Harbor program for transatlantic transfers of EU personal data—was finally approved on July 12, 2016. U.S. organizations will be able to certify compliance with the Privacy Shield principles starting on August 1, 2016, and then be able to receive personal data from EU or EEA-based organizations without special agreements in place with data exporters.
Participation is voluntary, but this option will be welcomed by thousands of U.S. organizations that had previously been Safe Harbor-certified and are looking for replacements. The first draft of the EU-U.S. Privacy Shield was heavily criticized for failing to include sufficient safeguards for the privacy of EU personal data in the hands of U.S. organizations (and, potentially, the U.S. government or U.S. law enforcement).
Successor of the defunct “Safe Harbor”
One needs to wind back many years to understand why the Privacy Shield is an important EU/U.S. achievement (cf. AGI advisories 05/02/16 and 10/13/15). For the EU, the United States is a country with “inadequate” data protection laws. As a result, a data exporter (a company or any other organization) cannot transfer personal information from Europe to the United States unless the company has implemented one of the approved data transfer mechanisms.

In 2000, the European Commission and the U.S. Department of Commerce agreed to implement a self-certification program for U.S. organizations to receive personal data sent from Europe, whereby U.S. organizations certified adherence to certain standards of data processing comparable to EU data protection laws. The Safe Harbor program was invalidated by the European Court of Justice (ECJ) in October 2015 with immediate effect. The ECJ found that EU citizens do not have adequate rights of redress where their personal data protection rights are breached by U.S. authorities, which undermines their European data protection rights.

On February 29, 2016, the European Commission published a draft adequacy decision to establish the EU-U.S. Privacy Shield as the replacement for the invalidated Safe Harbor program. The EU-U.S. Privacy Shield would be operated by the U.S. Department of Commerce and enforced by the U.S. Federal Trade Commission, as was the Safe Harbor program. The publication of the draft adequacy decision was initially welcomed by the Article 29 Working Party (Article 29 WP), the body advising the European Commission on privacy matters. Following a review of the documentation, however, the Article 29 WP expressed significant concerns that the draft proposal did not give enough protection to European citizens because “. . . massive and indiscriminate data collection is not fully excluded by the U.S. authorities and . . . the powers and position of the Ombudsman have not been set out in more detail.”
EU Commission optimistic, but legal challenges likely
European Commissioners Andrus Ansip and Věra Jourova have declared that the Privacy Shield is “fundamentally different from the old Safe Harbor” and that it “imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.” Some Data Protection Agencies (DPAs) and some Members of the European Parliament have deep (in many cases politically motivated) concerns. They expect (and even endorse) legal challenges similar to the challenge that invalidated the Safe Harbor framework. This is important because the ECJ has ruled that any DPA can investigate complaints about the transfer of personal data outside Europe and, where necessary, suspend such data transfers until those investigations are satisfactorily completed. Whatever may happen on that front, the Privacy Shield will be in force immediately, and U.S. organizations will be able to certify compliance with its principles starting on August 1, 2016.
Privacy Shield principles to keep both sides happy
The key principles of the Privacy Shield are the following:
- Strong obligations on companies handling data. Under the new arrangement, the U.S. Department of Commerce will conduct regular updates and reviews of participating companies to ensure that they follow the rules and that onward transfers are protected to the same levels of protection.
- Better safeguards and transparency obligations on U.S. government access. The United States has given the European Union assurances that the access of public authorities for law enforcement and national security purposes is subject to clear limitations, safeguards, and oversight mechanisms. EU residents will, for the first time, benefit from redress mechanisms in this area. The U.S. Office of the Director of National Intelligence further clarified that bulk collection of data could only be used under specific preconditions and needs to be as targeted and focused as possible.
- Ombudswoman. The U.S. Secretary of State has established a redress possibility in the area of national intelligence for EU residents through an Ombudsman mechanism within the U.S. Department of State.
- Effective protection of individual rights. Any EU resident who considers that his or her data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms. Ideally, the complaint will be resolved by the company itself or through the Alternative Dispute Resolution solution offered by the company. Individuals can also lodge complaints with their national DPA, which will work with the Federal Trade Commission to ensure that complaints are investigated and resolved. If a case is not resolved by any of the other means, there will be an arbitration mechanism to serve as a last resort. National intelligence matters will be resolved by the Ombudswoman.
- Annual joint review mechanism. This mechanism will monitor the functioning of the Privacy Shield. The European Commission and the U.S. Department of Commerce will conduct the review in association with national intelligence experts from the U.S. and the European DPAs. The European Commission will draw on all other sources of information available and will issue a public report to the European Parliament and the European Council.
Other options for EU data transfers available
There are other options to transfer personal data to the U.S., including express consent and the use of Binding Corporate Rules or EU-approved model clause agreements. In certain cases, these are the only options for U.S. companies because the Privacy Shield is not available for a number of business sectors (e.g. telecommunications, certain financial and insurance businesses). The model clauses are very commonly used. Other than in a few European countries, there is no requirement to obtain a specific permit from the applicable DPA to use model clause agreements. The use of model clauses, however, has recently been challenged in new legal proceedings that have been referred to the ECJ by the Irish DPA. Mr. Schrems has also indicated that he may bring proceedings charging that the Privacy Shield does not adequately protect personal data.
Will U.S. companies sign up?
The good news: for many U.S. companies the Privacy Shield is more flexible than the other compliance tools and less costly. For example, the model clauses mentioned above can be challenging to administer, as all relevant legal entities (every data exporter and every data importer) may need to sign the clauses. In addition, certain EU member states require data exporters to submit the agreements for notification or approval. Sometimes, U.S. companies reject the model clauses because they contain mandatory provisions that they find onerous, such as the requirement to submit their facilities to audits by the data exporter and to obtain the exporter’s consent to engage subcontractors.
The bad news: the Privacy Shield comes with various potentially burdensome compliance obligations for data importers, who put themselves on the radar screen of the U.S. authorities once they are on the Privacy Shield list. The Federal Trade Commission and the U.S. Department of Transportation are authorized to enforce against violations of the Privacy Shield. Companies that certify and fail to comply with the shield will be subject to enforcement action. Compliance will not be a cakewalk: there are various (new and enforceable) requirements for what the company’s Privacy Policy must cover. Moreover, U.S. data importers must inform individuals about a variety of facts, such as the type or identity of any third parties to which they disclose personal information and the purpose of that disclosure. In addition, individuals must be granted an opt-out (with some exceptions) from having their personal information disclosed to a third party. It will be interesting to observe how many U.S. companies will actually sign up, in particular small and medium-sized enterprises, and how any shortcoming or lack of compliance on their end will be sanctioned by the U.S. authorities.