EU-US Data Transfers: Update March 2016

Finally we have details of the ‘EU-US Privacy Shield’ arrangements that have been developed to supersede the defunct “Safe Harbor” scheme that previously allowed personal data to be more easily exported from the EU to the USA. On the basis of agreements with – and information on US law and practices provided by – US authorities, the European Commission has published a draft ‘adequacy decision’ which if approved will make this system an option for permitting data transfers to the USA without requiring additional authorisation.

UPDATE: On 16 July 2020, the EU Court of Justice decided that the EU-U.S. Privacy Shield framework could no longer be used to authorise transfers of personal data from the EU/EEA/UK to the USA, and other mechanisms need to be used.

1. How will it work?

As with Safe Harbor, US entities wishing to use the scheme for data imports will need to self-certify that they comply. However, the Privacy Shield will come with: (1) more prescriptive rules for participation; (2) more effective monitoring by US authorities of compliance; and (3) better recourse for individuals to complain if their data is misused.

2. What Privacy Principles will participating entities have to comply with?

tl;dr version (full version here):

1. Notice: privacy policies need to be adapted to inform data subjects of 13 specific things including their rights and how data will be processed.

2. Choice: rights to opt out of data being disclosed to third parties or used for different purposes; requirement for prior consent (opt in) for use of sensitive data.

3. Security: all data users to take reasonable and appropriate security measures.

4. Data integrity and Purpose Limitation: data to be used for the purpose collected, and only relevant data to be collected.

5. Access: rights for individuals to access, correct, amend or delete their personal information.

6. Accountability for Onward Transfer: (sub-)processing must be under a contract and the data controller will be liable for compliance unless it can prove that it was not responsible.

7. Recourse, Enforcement and Liability: entities must ensure that their privacy policies are in fact complied with.

Bonus Principles (selected, not the real title):

  • Human Resources Data: advice of EU data protection authorities is binding; employers must respect employees’ privacy preferences.
  • Due Diligence and Audit: personal data may be processed without consent for these legitimate business purposes.

3. How will participation be enforced?

Safe Harbor suffered from various shortcomings, including lack of effective supervision. Improvements under the new scheme include stricter maintenance of the public list of participating entities (including removal and prevention of false claims). Complaints will be handled directly with the participating entity (who will have 45 days to respond fully), or through free-of-charge dispute resolution by designated independent bodies. The US Department of Commerce will review compliance when entities notify certification or re-certification and on an ongoing basis, and will follow up complaints transmitted through EU DPAs. The Federal Trade Commission will also retain its enforcement role. Finally, a “Privacy Shield Panel” of arbitrators in the USA will act as a last resort if an individual’s complaint remains unresolved.

4. What about Government surveillance?

One of the main downfalls of Safe Harbor was that it did not sufficiently prevent – or give individuals a proper means to challenge – surveillance by US authorities and so was not “adequate” for the protection of EU citizens’ data. As explained in the Privacy Shield agreements, there will still be six national security purposes where bulk collection of “signals intelligence” will be permitted, but generalized surveillance should be limited to where individualized collection is not possible. The Privacy Shield agreement is based on the understanding that surveillance will be subject in any event to effective institutional legal controls as well as controls accessible to individuals, including a new “Privacy Shield Ombudsperson” who will guarantee that individual complaints are investigated and confirm that US laws have been complied with or any non-compliance has been rectified.

5. What happens next?

The EU Commission needs to obtain a (non-binding) opinion from the representatives of the EU Data Protection Authorities (“Article 29 Working Party”) and a favourable opinion from a further committee of Member States’ representatives. A refusal by the data protection authorities, or some of them, to accept that the new scheme indeed provides “adequate” protection might be a clear signal for a legal challenge in at least those Member States. A refusal from the Member States’ representatives could lead to delays and a further legal process involving the EU Council. Until these steps are cleared and the Commission’s final decision is published, which may take some months, the Privacy Shield arrangements can’t be relied on.

6. Will it work?

The Privacy Shield seems to have been developed with regard to all the key issues behind the invalidation of the Safe Harbor program, including bulk surveillance by US intelligence. Eden Legal would say that the documents demonstrate a reasonable balance between enabling Transatlantic data flows (which are inevitable and essential for so many businesses) and respecting fundamental rights of EU citizens. So it is to be hoped that even the most protective of DPAs can be convinced of this. On the other hand, it is impossible to legislate for activists and, given the sensitivity around surveillance issues, legal challenges seem almost inevitable. Although no scheme was ever going to be identical to EU data protection laws, at least the Commission seems to have asked all the correct questions – with provision also for periodic reviews – to show the courts that it is justified in designating this one as “adequate”.