On February 29, 2016, the European Commission published the documents comprising the new EU-U.S. Privacy Shield, the adoption of which we previously covered on our blog. In the Commission’s opinion, the new framework reflects the requirements set forth by the European Court of Justice in the Schrems ruling, which invalidated the U.S.-EU Safe Harbor framework. The Commission’s proposed adequacy decision holds that “the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield”.
From U.S. companies’ perspective, the new framework largely mimics the former Safe Harbor framework. The key innovations in the Privacy Shield relate to regulators’ supervision and evaluation of the framework’s efficacy and to EU nationals’ ability to seek redress for possible infringements.
In addition, the Commission highlights two previous data privacy achievements: (i) that it has finalized the reform of EU data protection rules, which apply to all companies providing services on the EU market (i.e., a reference to the new General Data Protection Regulation), and (ii) the successful conclusion of the EU-U.S. Umbrella Agreement negotiations, which applies to data transfers across the Atlantic for law enforcement purposes. The Umbrella Agreement covers all personal data (for example names, addresses, criminal records) exchanged between the EU and the U.S. for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism, but is not in itself a legal basis for data transfers nor an adequacy decision.
The principal implications of the EU-US Privacy Shield for companies are the reinforcement of obligations on companies that wish to be listed on the Privacy Shield register and enhanced redress possibilities for EU nationals. These obligations and mechanisms are summarized below.
Obligations on Companies
- Companies on the Privacy Shield register will be subject to enhanced oversight mechanisms to ensure they abide by the rules.
- These companies will also have to pledge not to collect more personal information than they need for the purposes of their service.
- They will also be subject to tightened conditions for onward transfers to other partners.
New Redress Possibilities
Any EU citizen who considers that their personal data have been misused will have several redress possibilities:
- Directly with the company: Companies will have to reply to complaints within 45 days. In addition, any company handling human resources data relating to EU nationals has to commit to comply with advice by the competent EU Data Protection Authority, while other companies may voluntarily make such a commitment.
- Data Protection Authority: EU nationals will also be able to complain to their local data protection authority, which can refer the complaint to the Department of Commerce (which must respond within 90 days) or, if the Department of Commerce is unable to resolve the matter, to the Federal Trade Commission.
- Alternative Dispute Resolution: U.S. companies wishing to register under the Privacy Shield must subject themselves to a new, free-of-charge Alternative Dispute Resolution system for the benefit of EU nationals. These companies will be required to publish information about the dispute resolution body, including where consumers can address their complaints and a link to the website of their chosen dispute resolution provider.
- If a case is not resolved by any of the other means, individuals will be able, as a last resort, to have recourse to the Privacy Shield Panel, a dispute resolution mechanism that can take binding decisions against U.S. self-certified companies.
- In the area of national security, EU citizens can turn for redress to an Ombudsperson, who will be independent from the U.S. intelligence services. The Ombudsperson will deal with individual complaints from EU nationals if they fear that their personal information has been used in an unlawful way by U.S. authorities in the area of national security.
Transparency Obligations And Annual Joint Review Mechanism
- The EU Commission and the U.S. Department of Commerce will establish a new mechanism to monitor the functioning of the new framework through an annual joint review, including as regards access to data for law enforcement and national security purposes. The joint review will involve, as appropriate, representatives of the U.S. intelligence community and will provide an ongoing process to ensure that the Privacy Shield is functioning in accordance with the principles and commitments made.
- The Commission will also hold an annual privacy summit with interested NGOs and stakeholders to discuss broader developments in the area of U.S. privacy law and their impact on Europeans.
- On the basis of the annual review, the Commission will issue a public report to the European Parliament and the Council.
- U.S. firms will need to self-certify for the Privacy Shield register on an annual basis, and the Department of Commerce will monitor and actively verify that their privacy policies meet the standards in the agreement and that companies follow the rules they have committed to.
- The Department of Commerce will monitor companies’ compliance with the Privacy Shield principles, including through detailed questionnaires. These reviews will take place when the Department of Commerce receives specific complaints, when a company does not provide satisfactory responses, or when there is credible evidence suggesting that a company may not be complying with the Privacy Shield principles. Non-compliant companies will face sanctions and removal from the register.
- The U.S. has given the EU written assurance, to be published in the U.S. Federal Register, that public authorities’ access for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, ruling out indiscriminate or mass surveillance of the personal data transferred to the U.S. under the new arrangement.
A committee comprising representatives of the 28 EU Member States will now examine the legal texts and the Commission’s draft adequacy decision. In addition, the European Parliament will hold a hearing on the Privacy Shield in March, and the Article 29 Working Party has stated that it will give its opinion on 12 or 13 April. In the meantime, the U.S. side will make the necessary preparations to implement the new framework, the monitoring mechanisms and the Ombudsperson mechanism. It is still not clear exactly when approval can be expected, but it has been reported that the aim is to finalise before the end of June (when the Dutch EU Council presidency expires).
The new Privacy Shield framework is similar in structure to the old Safe Harbor Framework, although with substantially amended safeguards. From a practical perspective, the main change for U.S. companies may be the need for greater diligence in relation to onward transfers of data on EU nationals. For EU nationals, the redress possibilities are certainly more robust.
As noted above, the Privacy Shield must still undergo considerable further scrutiny and in this context, the publication of the complete texts is only one step in an extended political process.
Even once the EU Commission decision is adopted, it is clear from the draft that the EU Commission expects the new adequacy decision to be challenged in front of the European Court of Justice – the draft has 129 recitals describing ways in which the new decision reflects the requirements the Court set out in its Schrems decision.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.