On February 29, 2016, the European Commission issued a draft “adequacy decision” introducing the EU-U.S. Privacy Shield (“Privacy Shield”). The Privacy Shield replaces the U.S.-EU Safe Harbor Framework (“Safe Harbor”) as the new data transfer agreement legitimizing transfer of EU personal data to the U.S. by certifying participants. As described and linked to in the Commission’s press release, several U.S. government agencies have provided written commitments to enforce the Privacy Shield. These commitments will be published in the U.S. Federal Register.
The Commission’s adequacy decision, once adopted, will establish that “safeguards provided when data are transferred under the new EU-U.S. Privacy Shield are equivalent to data protection standards in the EU.” Appendix II of the adequacy decision sets forth Privacy Principles issued by the Department of Commerce that Privacy Shield participants must follow. As with the Safe Harbor, participants self-certify with the Department of Commerce and make public commitments to abide by these Privacy Principles. The public commitments made by Privacy Shield participants give the Federal Trade Commission (“FTC”) the ability to enforce violations of these commitments by participants under its jurisdiction through Section 5 of the FTC Act. While these principles are similar to the previous Safe Harbor Privacy Principles, there are some key changes to note.
PRIVACY PRINCIPLES
Notice. A Privacy Shield participant must include in its public privacy policy “a declaration of the organization’s commitment to comply with the Privacy Shield Principles.” As under Safe Harbor, a Privacy Shield participant must provide in its notice: the purpose for processing personal data, the types of third parties to which the participant may disclose information, choices for limiting use and disclosure, independent dispute resolution information (if provided), and how to make a complaint or inquiry. Under the Privacy Shield, a participant must also provide notice of: the rights of data subjects to access their personal data, the fact that the participant is subject to the FTC or another U.S. statutory body responsible for investigation and enforcement, the possible availability to data subjects of binding arbitration, the participant’s requirement to disclose personal information in response to lawful requests by public authorities, and the participant’s liability in cases of onward transfers to third parties. A participant must also provide links to the Department of Commerce’s Privacy Shield website and to the website or complaint submission form of the independent recourse mechanisms that are available to investigate individual complaints.
Choice. A Privacy Shield participant must provide data subjects the option to opt out if their personal data will be disclosed to a third party (other than an agent of the participant) or used for a "materially different" purpose. As with Safe Harbor, in the case of sensitive data, a participant must, except under special circumstances, “obtain the data subject's affirmative express consent (opt in).” Exceptions to and timing considerations under the choice principle are described in supplemental principles, including where data is processed by auditors or by investment bankers and attorneys during the due diligence phase of a potential merger or acquisition.
Accountability for Onward Transfer. A Privacy Shield participant may only conduct a transfer of personal data for “limited and specified purposes” and on the basis of a contract “that provides the same level of protection as the one guaranteed by the Privacy Principles.” As under Safe Harbor, this principle requires compliance with the Notice and Choice Principles for transfers to third parties other than agents. For onward transfers to third-party agents, unlike Safe Harbor, which provided alternatives to contracting, Privacy Shield participants must contract with and conduct due diligence of the third-party agent to determine that the agent meets adequacy requirements. Another important change is that when facing compliance problems with subprocessors, the controller “will have to prove that it is not responsible for the event giving rise to the damage, or otherwise face liability.” Thus, as compared to Safe Harbor, this new principle increases the potential liability of the data controller.
Security. As under the Safe Harbor, a Privacy Shield participant must take "reasonable and appropriate" security measures, taking into account the risks involved in the processing and the nature of the data.
Data Integrity and Purpose Limitation. A Privacy Shield participant must limit personal data “to what is relevant for the purpose of the processing.” Such processing must not exceed the purposes for which the data was collected unless subsequently authorized by the data subject. Participants must also take “reasonable steps” to ensure that such personal data is reliable for its intended use, accurate, complete, and current.
Access. Under the Privacy Shield, data subjects have a right “without need for justification and only against a non-excessive fee” to obtain from a Privacy Shield participant “confirmation” of whether the participant is “processing personal data related to them and have the data communicated within reasonable time.” As with Safe Harbor, the Privacy Shield provides an exception where the burden or expense of providing access would be disproportionate to the risks. Under this Privacy Shield principle, however, a Privacy Shield participant may only restrict this right in “exceptional circumstances” and any denial of this right “must be necessarily and duly justified.” Further, burden and expense, while important, are not controlling factors in an assessment of reasonableness. A participant also bears the burden of demonstrating these access requirements are fulfilled. Additionally, “[d]ata subjects must be able to correct, amend or delete personal information where it is inaccurate or has been processed in violation of the Privacy Principles.”
Recourse, Enforcement and Liability. The Privacy Shield includes a more detailed and complex system of recourse and enforcement than the Safe Harbor. A Privacy Shield participant must provide “robust mechanisms to ensure compliance with the other Privacy Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies.” Companies that voluntarily self-certify must also:
Verify compliance with their published privacy policies and ensure that those privacy policies conform to the Privacy Principles. Such verification includes conducting internal reviews and training employees.
Implement an effective redress mechanism to deal with complaints.
Annually re-certify its participation in the framework.
Keep detailed records on compliance and be prepared to make such records available to authorized investigating bodies.
Note that even if the participant later decides to leave the Privacy Shield Framework, if it chooses to keep data obtained while it was a Privacy Shield participant, it must continue to annually certify its commitment to apply the Privacy Principles to the information received under the Privacy Shield Framework, or provide adequate protection for the information by another authorized means (e.g., Model Clauses). This requirement to maintain commitments to protect personal data collected under the Privacy Shield also extends to situations involving the transfer of data in the event of mergers and acquisitions. If such commitments are not maintained, the personal data must be deleted.
Under the Privacy Shield, the Department of Commerce takes a much stronger role in enforcement, committing “to robust administration and supervision of the Privacy Shield Framework,” including, for example, to:
Verify prior to finalizing a company’s self-certification that the company has provided all required information and registered with the identified independent recourse mechanism, in instances where the provider requires registration;
Follow up with organizations whose self-certifications lapse or who have voluntarily withdrawn from the Privacy Shield Framework to verify whether the organization will return, delete or continue to apply the Principles to the personal information that it received while it participated in the Privacy Shield Framework;
Search for and address false claims of participation and where appropriate refer matters to the FTC, Department of Transportation or other appropriate enforcement agency; and
Conduct periodic ex officio compliance reviews and assessments of the program participants.
Privacy Shield participants must resolve any complaints of violations of the Privacy Principles within 45 days. Privacy Shield participants must provide a redress mechanism, in the form of independent recourse, for any complaints they do not resolve. Independent recourse may be in the form of voluntary submission to an EU national Data Protection Authority (“DPA”) panel, independent dispute resolution services or, alternatively, participation in a self-regulatory program. Such independent recourse services will be available free of charge to complaining data subjects. If participants fail to comply with the rulings of the dispute resolution or self-regulatory entities, such entities must notify the FTC and the Department of Commerce, or another U.S. authority or court.
In addition to complaints submitted by dispute resolution or self-regulatory entities, the FTC will also respond to complaint referrals from the Department of Commerce, DPAs and data subjects to determine whether Section 5 of the FTC Act has been violated. The FTC may also open investigations on its own initiative. Privacy Shield participants must make public any compliance or assessment reports submitted to the FTC in connection with non-compliance with the Privacy Shield. The Department of Commerce will remove from the Privacy Shield list any Privacy Shield participants engaged in persistent failures. Such non-compliant organizations may be required to disgorge information collected under the Privacy Shield.
Additionally, DPAs may work with the FTC to ensure that unresolved complaints by EU data subjects are investigated and resolved. For investigations concerning the processing of human resources data in the employment context, or if participants have voluntarily submitted to DPA oversight, Privacy Shield participants must cooperate directly with DPAs in the investigation and resolution of complaints. Participants must respond to inquiries, comply with the advice given by the DPA, including for remedial or compensatory measures, and provide the DPA with written confirmation that such action has been taken.
If a case is not resolved to the data subject’s satisfaction by any of these means (subject to a few exceptions where the DPAs have authority), as a last resort data subjects will be able to request binding arbitration.
Arbitration is conducted by the "Privacy Shield Panel."
This panel will consist of 1-3 arbitrators selected from a pool of at least 20 arbitrators designated by the Department of Commerce and the Commission.
The proceedings will be governed by standard arbitration rules to be agreed between the Department of Commerce and the Commission.
The Privacy Shield Panel will have the authority to impose "individual-specific, nonmonetary equitable relief."
Companies considering participation can find additional information about the EU-U.S. Privacy Shield on the Commission’s dedicated website and additional information about compliance in the Commission’s EU-U.S. Privacy Shield Fact Sheet and EU-U.S. Privacy Shield Q&A. The Department of Commerce also published a fact sheet with details on the key new elements of the EU-U.S. Privacy Shield.
The Commission has also released a Communication “summarising the actions taken over the last years to restore trust in transatlantic data flows since the 2013 surveillance revelations.” Since the EU-U.S. Safe Harbor Deal was announced on February 2, 2016, the U.S. has taken steps to demonstrate a strong commitment to the enforcement of the Privacy Shield. Secretary of State John Kerry established the Privacy Shield Ombudsperson mechanism independent from national security services. On February 24, 2016, President Obama signed the Judicial Redress Act into law extending U.S. privacy rights to EU citizens. Further, the Office of the Director of National Intelligence gave the Commission its first ever written assurance that “any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data.”
NEXT STEPS
Before the College of Commissioners makes a final decision, a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion.
The U.S. will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.
The Commission will shortly propose the signature of the Umbrella Agreement. After obtaining the consent of the European Parliament, the decision concluding the Agreement should be adopted.