In a development eagerly anticipated by businesses on both sides of the Atlantic, the European Commission has published the legal instruments needed to put in place the “EU-U.S. Privacy Shield” for transfers of personal data from Europe to the United States. The issued documents include a draft adequacy decision by the Commission finding that the Privacy Shield provides an adequate level of protection for data transferred under the arrangement and a series of annexes that set out the applicable details and procedures as well as commitments undertaken by the U.S. government to ensure the Privacy Shield’s proper functioning. If formally approved, the Privacy Shield will provide a framework for companies in the United States to receive personal data from Europe in compliance with EU data protection law.
Background
The Privacy Shield is the result of some two years of negotiations between the EU and the U.S. aimed at correcting what the Commission identified in November 2013 as defects in the operation of the EU-U.S. Safe Harbor framework (see the 2013 Commission Communication on the Functioning of the Safe Harbor). Last year, the negotiations were given special urgency by the European Court of Justice’s October 6, 2015 judgment invalidating the Safe Harbor.
Overview of the Privacy Shield
Like the Safe Harbor program, the Privacy Shield will require participants to self-certify annually with the U.S. Department of Commerce (DOC) that they comply with certain fair information practices. The core “Privacy Shield Principles” are: (i) Notice; (ii) Choice; (iii) Security; (iv) Data Integrity and Purpose Limitation; (v) Access; (vi) Accountability for Onward Transfers; and (vii) Recourse, Enforcement and Liability. Additional “Supplemental Principles” establish more specific requirements concerning these and other matters, such as sensitive data, personal data processed in connection with due diligence, and employment data. The Privacy Shield Principles and Supplemental Principles are set forth in Annex II to the adequacy decision and are discussed in broad terms in the decision’s recitals.
Briefly, as compared to the Safe Harbor, the Privacy Shield introduces the following innovations:
- Stronger obligations on companies and more robust enforcement. In order to make compliant onward transfers to third parties, for example, participants must execute contracts guaranteeing that transferred data are subject to protection equivalent to that required under the Privacy Shield. The DOC will monitor compliance by carrying out reviews of participants’ adherence to Privacy Shield Principles and referring false claims of compliance to the Federal Trade Commission (FTC) or another appropriate authority for enforcement. The DOC will maintain a website list of Privacy Shield registrants and will strike companies from the list that are found to have failed persistently to comply with Privacy Shield commitments.
- Enhanced recourse for data subjects. The Privacy Shield establishes multiple avenues for individuals to seek redress if they believe their personal data have not been treated in keeping with the Privacy Shield Principles. Individuals may complain directly to the company concerned, which must respond within 45 days, or to their national data protection authority (“DPA”), which will refer complaints to the DOC or the FTC. Privacy Shield participants transferring the employment data of Europeans must undertake to comply with DPA decisions concerning such data. In addition, in order to be certified, Privacy Shield organizations must designate an independent dispute resolution provider, and the DOC must verify compliance with this obligation. As a last resort, individuals have recourse to the “Privacy Shield Panel,” which will be set up with powers to take binding decisions against participants.
- Safeguards and transparency obligations on U.S. government surveillance. The U.S. government has provided written assurances from the Office of the Director of National Intelligence that access to personal data by public authorities for national security purposes will be subject to limitations, safeguards and oversight. An independent Ombudsman will be established to address complaints and queries from individuals concerning access to personal data by U.S. intelligence agencies.
- Annual Review. A joint review mechanism comprising the Commission, the DOC, the EU DPAs and U.S. national security authorities will monitor the functioning of the Privacy Shield on an annual basis, including safeguards and transparency obligations on U.S. government surveillance. Based on the annual reviews and other sources of available information, the Commission will issue public reports to the European Parliament and the Council of Ministers on the functioning of the Privacy Shield.
Further Steps
The Commission must formally approve the Privacy Shield before it may be put into operation and made available to U.S. companies. The Commission must first consult a panel of Member State representatives established under Article 31 of the Data Protection Directive and also obtain a (non-binding) opinion of the Article 29 Working Party, a consortium of national DPAs provided for under the Directive. Based on these inputs and its own review of the Privacy Shield documents, the College of Commissioners must take a formal decision that the United States ensures an adequate level of protection for personal data transferred to Privacy Shield participants.
As the Commission proceeds with its review, companies will need to assess whether the Privacy Shield offers a viable mechanism for them to transfer personal data from Europe to the United States in light of their data requirements and information practices, Privacy Shield compliance obligations and existing alternative transfer mechanisms, such as EU Model Clauses and Binding Corporate Rules.
The Commission’s press release on the Privacy Shield may be accessed at: http://europa.eu/rapid/press-release_IP-16-433_en.htm
A set of FAQs from the Commission may be accessed at: http://europa.eu/rapid/press-release_MEMO-16-434_en.htm