On February 29, 2016, the European Commission (EU Commission) unveiled the text of the EU-U.S. Privacy Shield (Privacy Shield).1 The Privacy Shield is designed to replace the invalidated EU-U.S. Safe Harbor Framework and to provide a new legal framework for data transfers from the EU to the U.S. Although the Privacy Shield is based on the same principles as the Safe Harbor Framework, the Privacy Shield differs significantly in a number of key respects, most notably by creating new redress mechanisms and imposing stricter and more prescriptive obligations for companies.
Although this announcement is a major step towards a new data transfer regime, full adoption still faces review and other hurdles before the Privacy Shield will take effect. Specifically, the Privacy Shield will now be reviewed by the body of EU privacy regulators—the Working Party 29 or WP29—and will have to be formally adopted by the EU Commission before being available as a data transfer solution. We expect the approval process to take at least a few months. If adopted, it will almost certainly face immediate challenges before EU Data Protection Authorities (DPAs) and in the courts.
Companies should not rush to implement changes to comply with the Privacy Shield as it is not yet fully adopted. However, companies should keep monitoring its approval process and start assessing whether it would be a workable data transfer mechanism for their business; some may want to assess their current data transfer strategies and product development plans with the Privacy Shield in mind.
We provide some background, summarize the key points, and indicate the next steps below.
Background
The EU-U.S. Safe Harbor Framework was invalidated by the Court of Justice of the European Union (CJEU) on October 6, 2015, in its groundbreaking judgment in Maximillian Schrems v. Data Protection Commissioner.2 More background on the Safe Harbor Framework and Schrems can be found here.
Following Schrems, the WP29 issued a statement urging U.S. and EU negotiators to reach a new agreement by the end of January 2016.3 Since then, companies have been rushing to implement alternative mechanisms to cover data transfers to the U.S. This situation created a high degree of uncertainty for companies doing business in the EU.
On February 2, 2016, the U.S. and EU announced a political agreement4 on the Privacy Shield, but did not publish the agreement's text. On February 3, the WP29 welcomed the announcement of the Privacy Shield, but asked to see the actual terms of the agreement to review it in light of Schrems.5
On February 29, the EU Commission published the text of the Privacy Shield, as well as a draft of the EU Commission's decision by which it would formally recognize the Privacy Shield as providing an adequate level of protection to EU personal data (adequacy decision). The Privacy Shield is a set of principles and written commitments by the U.S. government running more than 130 pages.
Key Points of the Privacy Shield
The Privacy Shield builds on the existing Safe Harbor principles and FAQs, but substantially tightens certain core restrictions, provides for new recourse mechanisms, and regulates access by public authorities to EU personal data.
The key points of the Privacy Shield are the following:
-
Stricter Obligations on Companies. The Privacy Shield imposes stricter obligations on companies, including detailed notice obligations, prescriptive access rights, tightened conditions for onward transfers and liability regime, more stringent data integrity and purpose limitation principles, and strengthened security requirements. Companies that do not respect their obligations will face sanctions or will lose their eligibility to use the Privacy Shield as a data transfer mechanism.
-
New Redress Mechanisms for Individuals. The Privacy Shield creates new recourse mechanisms for individuals who believe that their data have been processed unlawfully. First, individuals will be able to complain: (i) directly to companies, which will have 45 days to resolve the complaint; or (ii) directly to EU DPAs, which will cooperate with the U.S. Department of Commerce and the Federal Trade Commission. In the HR context, companies will be required to commit to comply with the EU DPAs' advice. Second, individuals will have access to an Alternative Dispute Resolution mechanism selected by the company, which must be free of charge for the individuals. As a last resort and under certain conditions, individuals will be able to seek redress from the Privacy Shield Panel, an arbitration mechanism that can make binding decisions against companies.
-
Limitations on U.S. Government Data Access. The EU Commission has obtained written commitments from the U.S. government (i.e., the Office of the Director of National Intelligence and the Department of Justice) that data access by public authorities will be subject to clear limitations, safeguards and oversight mechanisms. Furthermore, the U.S. government committed to create an ombudsperson within the Department of State to handle complaints related to data access by national intelligence authorities. That ombudsperson will be independent from national security services.
-
Annual Joint Review Mechanism. The EU Commission will annually monitor the Privacy Shield. Its review will include all aspect of the Privacy Shield, including national security, and involve all relevant stakeholders (e.g., U.S. national intelligence experts, EU DPAs, NGOs through the participation at a public conference). It will also take into account the U.S. government commitments and the transparency reports published by companies. The result of the review will be presented to the EU Parliament and the Council of the EU.
Next Steps
Before companies can use the Privacy Shield as a valid data transfer mechanism, the EU Commission will need to formally recognize it as providing an "adequate level of protection". This approval process will take at least a few months and will include the following steps:
-
A non-binding opinion by the WP29 in the course of April.6 The WP29 will verify whether the Privacy Shield meets the test of the Schrems judgment. In case of negative opinion, it will be politically difficult for the EU Commission to approve it.
-
A binding opinion by a committee of representatives of the EU Member States (i.e., the Article 31 Committee).
-
In parallel, the implementation of the new framework by the U.S., in particular the various supervision and recourse mechanisms such as the creation of the Ombudsperson.
-
Finally, its formal adoption by the College of EU Commissioners.
However, even if the Privacy Shield is adopted swiftly, companies will still face a high level of legal uncertainty. Since Schrems, data transfers under an EU Commission's adequacy decision are only presumed to be lawful. Thus, upon complaint, EU DPAs will be required to investigate data transfers based on the Privacy Shield and will be allowed to suspend them in case of violation of EU data protection law. We expect the Privacy Shield to be subject to legal challenges as soon as the EU Commission's adequacy decision is published.
Outlook
The creation of the Privacy Shield is a welcome development for companies doing transatlantic business. However, the Privacy Shield is not yet fully adopted and includes stricter requirements than the invalidated Safe Harbor, which may significantly impact the way companies process personal data. Therefore, in the current context of legal uncertainty, companies should consider the Privacy Shield as a new tool for data transfers to the U.S., but should first assess whether it is a workable data transfer mechanism for their business. Other data transfer mechanisms, such as Standard Contractual Clauses and Binding Corporate Rules are also available to transfer data to the U.S., or to complement the Privacy Shield. Which mechanism to choose depends on a company's specific business model, corporate structure, data flows, and operations in the EU.
We will continue to closely monitor developments related to EU-U.S. data transfers and will update you on any significant progress made to the Privacy Shield approval process, including the future WP29 opinion.
On March 17, 2016, at 9:30 a.m. PT, WSGR's team of EU privacy experts will host a webinar on the EU-U.S. Privacy Shield and its impact on EU-U.S. data transfers.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws globally, along with advising clients on EU privacy and data security issues. For more information, please contact Cédric Burton, Christopher Kuner, Lydia Parnes, Michael Rubin, Chris Olsen, or another member of the firm's privacy and data protection practice.
