From 1 August 2016, the EU-U.S. “Privacy Shield” arrangements are available to allow personal data to be exported to the US. Since the EU Court of Justice invalidated the Safe Harbor system, which had previously permitted such data exports without further formalities, options have been limited, often requiring use of the EU’s Model Contractual Clauses. The arrangements have been formalised on the basis of agreements with US authorities and details of US law and practice provided by them, taking into account the views of EU data protection authorities and the Member States, which led to some reinforcement of the scheme since the initial drafts were published in February 2016.
Personal data may be exported from the EEA (i.e. the EU plus Iceland, Liechtenstein and Norway) to participating US organisations on the basis that they provide an “adequate” level of protection under the EU Data Protection Directive or, as the EU Court of Justice put it in the Safe Harbor decision, protections “essentially equivalent” to those in the EU. This option has now been launched by the EU Commission’s publication of the relevant adequacy decision.
1. How does it work?
As with Safe Harbor, US entities wishing to use the scheme for data imports will need to self-certify that they comply. However, participation in the Privacy Shield comes with: (1) more prescriptive data protection principles for participating entities; (2) more effective monitoring from US authorities of compliance; and (3) improved recourse for individuals to complain if their data is misused or incorrectly accessed. Organisations will not be able to rely on compliance with the Safe Harbor rules and will need to undertake the compliance process again.
2. What principles do US participating entities have to comply with?
The 7 key Privacy Shield Principles are as follows (see the full Principles here, from p.19 onwards):
1. Notice: privacy policies need to be adapted to inform EU data subjects of 13 specific things including their rights and how data will be processed, and links to the Department of Commerce’s explanatory website, the public list of self-certified entities (the “Privacy Shield List”) and the website of an alternative dispute settlement provider.
2. Choice: rights to opt out of data being disclosed to third parties or used for different purposes from those for which collected; requirement for express consent (opt-in) for use of sensitive data (i.e. relating to health, race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership or sexual life).
3. Accountability for Onward Transfer: (sub-)processing by a third party agent must be for limited and specified purposes, on terms that guarantee similar protections as the Privacy Shield Principles, and the data importer will be liable for compliance unless it can prove that it was not responsible.
4. Security: reasonable and appropriate security measures to be implemented to protect data against loss, misuse and unauthorised disclosure, alteration and destruction.
5. Data integrity and Purpose Limitation: only data relevant to the intended purpose to be collected; data to be used only for the purpose collected; data to be retained only while they serve the purpose.
6. Access: rights for individuals to access and, if inaccurate or unfairly processed, to correct, amend or delete their personal information.
7. Recourse, Enforcement and Liability: entities must ensure that their privacy policies are in fact complied with through collaboration with authorities, submission to binding complaint resolution mechanisms, and taking primary responsibility for onward transfers.
Supplemental Principles (selected):
- Due Diligence and Audit: personal data may be processed without full compliance with the Privacy Shield Principles (in particular Notice and Choice) where this is required to meet statutory or public interest audit requirements, or in the course of due diligence where giving notice or choice would prejudice legitimate business interests.
- Human Resources Data: the Privacy Shield Principles apply including in particular Notice and Choice, and modified Access rights. Primary responsibility for compliance will lie with the EU-based employer. US importers of HR data must commit to cooperate with investigations by and to comply with the decisions of EU data protection authorities.
3. How will participation be enforced?
Complaints regarding the Safe Harbor scheme included lack of effective supervision of participation. Improvements under the new scheme include stricter maintenance of the public list of participating entities (including removal and prevention of false claims). The Department of Commerce will review compliance when entities notify certification or re-certification and on an ongoing basis.
The forms of recourse available to individuals will be as follows:
1. Participating entities commit to responding substantially to complaints within 45 days of receipt.
2. Each participating entity will designate an independent dispute resolution body either in the EU or the US (access to which will be free of charge to the individual) which should have powers to impose rigorous sanctions and remedies, and to refer any failure to comply to the Department of Commerce, FTC (or other authority or court).
3. Individuals can take their complaint to EU national data protection authorities that (for HR data or where entities have voluntarily submitted to their oversight) will give binding “advice” through an EU panel of DPAs or otherwise refer the complaint to the Department of Commerce or FTC.
4. The Department of Commerce will have in place procedures to follow up complaints from EU DPAs and in general to monitor compliance.
5. The FTC can enforce the Privacy Shield Principles on the basis of a complaint or on its own initiative.
6. As a “last resort”, individuals may invoke binding arbitration by a Privacy Shield Panel of selected experienced arbitrators (based in the US but with measures designed to improve access by EU data subjects).
7. Regular causes of legal action remain available (tort, fraudulent misrepresentation, unfair or deceptive acts or practices, breach of contract).
4. What about bulk government surveillance?
One of the complaints over the Safe Harbor system was that it did not sufficiently prevent, or give individuals a proper means to challenge, bulk surveillance by US authorities, and so was not “adequate” for the protection of EU citizens’ data. As explained in the adequacy decision, collection of “signals intelligence” will still be permitted for national security, public interest and law enforcement purposes, but generalised surveillance should be subject to effective institutional and legal controls, oversight and remedies for individuals. These remedies include recourse to a new “Privacy Shield Ombudsperson”, independent of the US intelligence agencies, who will ensure that complaints are investigated and will confirm either that US law has been complied with or that any non-compliance has been rectified.
5. What now?
US companies can self-certify with the Department of Commerce from 1 August 2016 (see the guide to self-certification). Although data importers will face a process of adaptation and new requirements, there will be some relief that a standard mechanism has emerged enabling transatlantic data flows without specific authorisation or the use of other methods such as the Model Clauses.
On the other hand, there is still sensitivity around compatibility with EU fundamental rights, and around whether the system is sufficiently different from the Safe Harbor arrangements to resolve the perceived issues with them, so legal challenges seem almost inevitable. However, the new and improved Privacy Shield appears to have been designed to address all the key issues behind the invalidation of the Safe Harbor program, and so to give it the best possible chance of being upheld by the EU Court of Justice: specifically, more effective oversight, limitations on bulk surveillance, the opportunity for all individual complaints to be resolved, and regular joint review by the EU Commission and US authorities.