29 February 2016
The EC has published details of the EU-US Privacy Shield, including a Communication to the European Parliament and Council and a draft decision of adequacy in relation to personal data transferred in accordance with its principles.
What’s the issue?
The European Commission announced agreement of a new EU-US Privacy Shield to replace the Safe Harbor regime in early February 2016. The announcement was greeted with cautious optimism by businesses and with slightly less optimistic caution by regulators who said they needed to review the details before reaching a decision on the proposals.
What’s the development?
The EC has now published more detail about the Privacy Shield, including a Communication to the European Parliament and Council and a draft decision of adequacy in relation to personal data transferred in accordance with its principles.
The EC claims that the Privacy Shield addresses the issues raised by the it and the CJEU in relation to the previous Safe Harbor regime by introducing:
- strong obligations on companies and robust enforcement;
- clear limits and safeguards with respect to US government access;
- protection of EU citizens’ rights through new redress possibilities; and
- an annual review mechanism to ensure the continuing effectiveness of the scheme.
Key requirements for US companies signing up to the Privacy Shield will be to:
- self-certify annually that they meet their obligations under the Privacy Shield;
- comply with Privacy Principles: these include providing data subjects with key information about their data; allowing them to opt out where data is to be disclosed to a third party; limiting the processing to what is relevant for the purpose; complying with data subject access requests; complying with rules relating to onward transfers of data; keeping personal data secure; providing robust mechanisms to ensure compliance; and providing recourse for EU data subjects;
- reply promptly to any complaints (within 45 days); and
- cooperate and comply with European data protection authorities (DPAs) if handling human resources data.
What does this mean for you?
The Commission itself highlights the fact that the scheme will only have longevity if it is taken seriously, not only by companies signing up to it but by US enforcement bodies, in particular the Federal Trade Commission (FTC) and Department of Commerce and, of course, the US Intelligence agencies.
The next steps are to consult a committee of Member State representatives and for the Article 29 Working Party (WP) to give its opinion before a final decision is made on a finding of adequacy. In the meantime, the Commission expects the US to begin making preparations to put the new framework in place, particularly in connection with the monitoring mechanisms and the new Ombudsman.
The ball is now firmly in the court of the WP to provide its opinion on whether the Privacy Shield can become a reliable mechanism for data exports to the US. If the WP does not approve this package, then any advancement of the Privacy Shield into an EC adequacy decision will be fruitless as the DPAs have the ability to investigate data exports irrespective of an adequacy decision and so the current circle of uncertainty would continue.
Approval from the WP should not be seen as a formality or a ‘given’; instead we would argue that such approval is a pre-requisite for the Privacy Shield to become a viable replacement to US Safe Harbor. While only the Commission has the authority to make adequacy decisions in relation to transfers of personal data, it will be hard pressed to finalise a credible scheme without the support of the WP.
While we wait for the decision from the WP, we also eagerly await further details about what the Privacy Shield mechanism would look like in practice. If there was ever any doubt that the old ‘light touch’ Safe Harbor scheme as we knew it was truly dead and buried, look no further than these EC proposals.
The ICO’s guidance on EU-US data exports
Pending an adequacy decision on the Privacy Shield, the situation remains the same for organisations transferring personal data to the USA; Binding Corporate Rules for intra-group transfers and model contract clauses, remain valid transfer mechanisms.
This was confirmed in the ICO’s updated interim guidance note on EU-US data exports. Interestingly, the ICO took a less definitive approach to Safe Harbor than the WP, saying that “Safe Harbor can still be seen as providing a measure of protection for data transferred from the EU to the USA but businesses should be aware that the certainty of an adequacy decision of the Commission has now been removed and they should make their own assessment of risk to compliance.” The ICO also reminded UK businesses that they are not required to rely on Commission decisions of adequacy and can make their own adequacy assessments.
Essentially, the ICO is still advocating a ‘wait and see’ approach, saying that while it will consider individual complaints, it is sticking to its published enforcement policy. The ICO recognises that legal certainty is still unavailable and appears to be taking a pragmatic stance, emphasising the need to consider transfers carefully in terms of the risks posed to individuals. It is, however, worth noting that other European DPAs are taking a different approach. Although we have not seen any active enforcement measures, the French DPA, the CNIL, has already fired a warning shot across the bows of Facebook.
The Commission claims that the Privacy Shield addresses both its own concerns and those of the CJEU as set out in the Schrems ruling in relation to transatlantic personal data transfers. In particular, it claims that the new arrangement offers:
- strong obligations on companies and robust enforcement – the new regime will be more transparent and contain effective supervision mechanisms. There will be tighter conditions for processing and stricter liability provisions for Privacy Shield companies which transfer EU data, whether in the US or to third countries. The US Department of Commerce will provide oversight and monitoring of companies to ensure they comply with their commitments and will ensure an up to date list is maintained and that any companies which do not comply with their obligations are removed from the list. Monitoring will take place when the Department of Commerce receives specific complaints or where there is credible evidence that a company is not complying. Companies’ commitments will be legally binding and enforceable by the FTC which will have the power to impose sanctions for non-compliance;
- clear limits and safeguards with respect to US government access - the Department of Justice and the Office of the Director of National Intelligence have provided the EU with written representations and assurances that access by public authorities for law enforcement, national security and other public interest purposes, will be subject to clear limitations, safeguards and oversight mechanisms. In addition, there is a commitment that there will be no mass surveillance or indiscriminate gathering of EU personal data. The US will establish a redress mechanism by creating an Ombudsman within the Department of State who will be independent from national security services. The Ombudsman will follow-up on complaints and inform individuals as to whether or not relevant laws have been complied with. These commitments will be published in the US federal register;
- protection of EU citizens’ rights through new redress possibilities – companies will be required to reply to complaints from individuals within 45 days and Alternative Dispute Resolution will be available free of charge. EU citizens will also have the option of going to their own DPAs who will work with the FTC to ensure unresolved complaints are investigated and resolved. If this does not happen, there will be access to a ‘last resort’ Privacy Shield Panel which will offer an arbitration mechanism and ensure an enforceable decision;
- annual joint review mechanism – this will monitor the functioning of the Privacy Shield and US commitments. It will be conducted by the EC and the US Department of Commerce in association with national intelligence experts from the USA and EU DPAs. There will be an annual privacy summit with stakeholders and a public report by the EC to the European Parliament and Council based on the annual review and any other relevant sources of information. The Commission may decide to suspend the arrangement if it finds that it is not being complied with.
In addition, the Commission has said that once the Judicial Redress Act comes into force, it will propose agreement of the Umbrella Agreement which puts in place a data protection framework for data transferred to the US for law enforcement purposes. The Judicial Redress Act gives EU citizens access to US courts to enforce privacy rights in relation to the transfer of such data.