Today, the European Commission (“EU Commission”) formally approved a new transatlantic framework for the transfer of personal data from Europe to the United States (“U.S.”) (the “Privacy Shield”). Under the EU Commission’s decision approving the new framework ( the “Adequacy Decision”), U.S. organizations participating in the Privacy Shield will be deemed to ensure an “adequate level of protection” for the transfers of personal data from Europe to the U.S.. The Privacy Shield is the result of extensive negotiations between the EU Commission and the U.S. Department of Commerce (the “DOC”) as well as substantial discussions among the EU institutions and EU Member States.
Below we have answered some of the most important questions you may have with respect to the Privacy Shield.
What is the EU-U.S. Privacy Shield?
The Privacy Shield is a framework for the transfer of personal data from Europe to the U.S. It has been developed by the EU Commission and the U.S. DOC and is intended to replace the EU-U.S. Safe Harbor, a transatlantic data transfer framework established in 2000 (the “Safe Harbor”) that was invalidated by the European Court of Justice’s October 6, 2015 ruling in Maximillian Schrems v. Data Protection Commissioner.
The legal instruments establishing the Privacy Shield consist of the EU Commission’s Adequacy Decision as well as a series of annexes that set out the applicable details and procedures along with commitments undertaken by the U.S. government to ensure the Privacy Shield’s proper functioning. The core of the framework are seven “Privacy Shield Principles” that participating organizations must comply with when processing personal data transferred under the program. These principles are: (i) Notice; (ii) Choice; (iii) Security; (iv) Data Integrity and Purpose Limitation; (v) Access; (vi) Accountability for Onward Transfers; and (vii) Recourse, Enforcement and Liability. In the view of the EU Commission, the Privacy Shield arrangements reflect the requirements set out by the Court of Justice in the Schrems case.
Participation in the Privacy Shield is voluntary. In order to participate, U.S. organizations must register to be included on the Privacy Shield List and self-certify that they meet the program’s requirements. Participating organizations submit to monitoring by the DOC and agree to be subject to program’s enforcement and redress mechanisms.
The Privacy Shield is not the only means available to transfer personal data to the U.S. compliant with EU data protection law. At present, other mechanisms include transfers made pursuant to EU Standard Contractual Clauses as well as intra-group company transfers made pursuant to Binding Corporate Rules.
What are the countries in scope of the Privacy Shield?
The Privacy Shield will cover transfers of personal data made to U.S. organizations from the Member States of the European Economic Area (the “EEA”), which includes the 28 EU Member States plus Norway, Iceland and Liechtenstein. Transfers of personal data from Switzerland are not within the scope of the Privacy Shield. Switzerland may decide to negotiate a new data transfer framework to replace its existing arrangement with U.S., which is analogous in substance to the now-defunct Safe Harbor.
Notwithstanding the “Brexit” referendum on June 23, 2016, personal data may be compliantly transferred from the United Kingdom (the “UK”) under the Privacy Shield once the program is up and running, pending the UK’s formal withdrawal from the European Union and the UK’s adoption of legislation amending or superseding the UK Data Protection Act 1998. In the meantime, the 1998 Act, which implements the EU Data Protection Directive (the “Directive”), remains the law of the land, and the UK is bound to implement decisions taken under the Directive, including the Adequacy Decision on the Privacy Shield framework. The conditions applicable to the transfers from the UK will need to be re-assessed following the UK’s exit from the EU, which will take up to two years following formal invocation of the withdrawal procedure, and has not yet been commenced.
What are the core changes in the Privacy Shield compared to Safe Harbor?
More Detailed Registration Requirements: Under Safe Harbor, companies received benefits from the day they self-certified as a Safe Harbor organization. Privacy Shield now requires companies to submit a registration package, and they will not be admitted as Privacy Shield organizations until the DOC has confirmed the application is complete.
Expanded Privacy Notices: Safe Harbor required only four items of information to be included in privacy notices to individuals; Privacy Shield now requires eight additional items. New information to be disclosed to individuals includes, for instance, the identification of the entities or subsidiaries of the participating organization and a link to the publicly available list of companies having registered with the DOC (“Privacy Shield List”). Since the DOC will actively monitor companies’ privacy policies, companies will need to gap-assess and refresh their notices and make sure that they are easily accessible.
Onward-Transfer Restrictions: U.S. Privacy Shield organizations that want to onward-transfer EU data to a third party in a controller or processor capacity must now enter a contract obligating the third party to provide the same level of protection as the Privacy Shield Principles. Importantly, those third parties must notify the Privacy Shield organization if they can no longer meet contractual obligations, in which case the Privacy Shield organization must “stop and remediate” all “unauthorized processing.”
New Redress Mechanisms: The Privacy Shield offers various options for individuals to obtain remedy for damages resulting from a breach of Privacy Shield Principles (see question below: “What liability do we face towards EU residents under the Privacy Shield?”).
Mandatory Compliance Verification: Privacy Shield organizations must now periodically verify that they are in compliance with Privacy Shield Principles. Companies can choose between self-assessment or outside audits, but must in either case draft or revise auditing procedures to ensure that they can document effective implementation of Privacy Shield Principles.
EU-to-U.S. Transfers for Processing Require a Contract: If an EU controller transfers data to a US Privacy Shield organization for processing, both parties must enter a written contract. The fact that the recipient U.S. company is a Privacy Shield member is no longer sufficient to permit the transfer. Companies will need to update their vendor relationships to reflect this requirement.
Do Safe Harbor certified companies benefit from an easy entry to certify under the Privacy Shield?
U.S. organizations that formerly participated in the Safe Harbor framework will need to certify anew with DOC in order to participate in the Privacy Shield. As noted, the Privacy Shield includes new or modified procedural and substantive requirements as compared to the Safe Harbor. All companies, regardless of whether they participated in the Safe Harbor, will need to comply with all Privacy Shield requirements in order to participate in the new arrangement. However, Safe Harbor participants will be able to leverage efforts made to conform privacy policies, practices and governance structures to Safe Harbor requirements.
Does certification into the Privacy Shield require renewal?
Yes, Privacy Shield participants must make self-recertification submissions to the DOC on at least an annual basis. If a participant fails to re-certify, it will be removed from the Privacy Shield List.
What liability do we face towards EU residents under the Privacy Shield?
The Privacy Shield introduces several new obligations and an escalated procedure for the handling of complaints from EU residents:
Complaint with the Company itself: Participating organizations must address any complaints directly from individuals residing in the EU within 45 days and provide a cost-free independent recourse mechanism for investigating and resolving complaints.
Complaint with the Member State Supervisory Authority: Individuals can always file a complaint with the local data protection supervisory authority (the “DPA”), which will channel the complaint to the DOC and/or the U.S. Federal Trade Commission (the “FTC”), which in turn must resolve the case in a reasonable time frame. The DOC must respond within 90 days where the complaint pertains to commercial use of the data.
Dispute Resolution: Organizations participating in the Privacy Shield can opt between free of charge Alternative Dispute Resolution or voluntary submission to the EU DPA except where they process human resource data where cooperation with the DPA is mandatory.
If a Privacy Shield organization elects an Alternative Dispute Resolution, it must designate an independent dispute resolution body, either in the U.S. or the EU (basically, mediation providers). It must provide a link to the website of their chosen dispute resolution provider in their privacy notices and policies. The results of mediation must be complied with by the Privacy Shield organization, which may include paying damages to EU residents. Note that mediation providers must be named in Privacy Shield registrations.
If a Privacy Shield organization elects to cooperate with European DPAs, DPAs can order “compensatory” measures to remedy complaints brought by EU residents.
Arbitration: Only where a case is not resolved by any of the other means, and as a last resort, an arbitration mechanism is available to individuals which is required to be cost-free and user-friendly. To this end, the Privacy Shield creates a Privacy Shield Panel with binding decision making power. However, the Panel can only award “non-monetary” relief, so Privacy Shield arbitrations should not result in damages awards against U.S. companies.
U.S. Lawsuits: Lastly, EU residents may file damages claims in U.S. courts. In contrast to mediation or DPA complaints, U.S. lawsuits are not cost-free (and, in fact, may well be prohibitively expensive for EU consumers). However, the Privacy Shield does not expressly require EU residents to use Privacy Shield redress avenues. Thus, larger security incidents involving, e.g., data breaches, may result in U.S. lawsuits.
What type of scrutiny should we expect from U.S. agencies (Department of Commerce, Federal Trade Commission)?
The Privacy Shield contains numerous provisions aimed at ensuring that U.S. agencies monitor compliance.
Regular DOC Questionnaires: The DOC has committed to conduct ex officio compliance reviews on Privacy Shield companies “on an ongoing basis” by sending “detailed questionnaires” and monitoring any false claims of Privacy Shield participation. Privacy Shield organizations should therefore be prepared to receive and respond to DOC questionnaires. If a company does not provide “satisfactory responses,” DOC may open a compliance investigation.
Action Prompted by DPAs and Mediation Providers: Privacy Shield requires U.S. agencies to work together with European DPAs and private-sector mediation providers to monitor compliance. EU residents may bring complaints against Privacy Shield companies directly to European DPAs, and DPAs may refer the complaints to DOC or FTC. Moreover, independent recourse mechanisms may also report companies’ non-compliance to the DOC or FTC. The FTC has committed to create a “dedicated point of contact” to receive complaints, and to “give priority consideration to referrals of non-compliance.” Furthermore, the DOC has committed to “systematically” carrying out a compliance review whenever it receives a non-frivolous complaint. Thus, Privacy Shield organizations should consider European DPAs and mediation providers to be the “eyes and ears” of the DOC and FTC for Privacy Shield enforcement proposes.
FTC Investigation: Privacy Shield obligates companies to publicly commit to all of the Privacy Shield Principles. Any noncompliance with Privacy Shield is therefore potentially subject to the FTC’s unfairness or deceptiveness jurisdiction.
Can a company lose its Privacy Shield certification?
Yes. Persistent failure to comply with the Privacy Shield Principles will mean removal from the Privacy Shield List and organizations struck from the list must return or destroy personal data collected under the Privacy Shield, which may have significant impacts in practice. In other cases of removal, the DOC will ensure that companies that are no longer participants in the Privacy Shield continue to apply its principles to personal data received while they were participants for as long as they retain the data for legitimate purposes.
The DOC will maintain a list of organizations that have been removed from the Privacy Shield List and provide a link to Privacy Shield-related FTC cases that are maintained on the FTC’s website with a view to “name and shame” non-compliant organizations.
What are our obligations under the Privacy Shield when we transfer EU data to vendors or third party processors?
To disclose EU data to vendors or third-party processors, Privacy Shield organizations must meet several new obligations:
Due Diligence: The Privacy Shield organization must make sure the processor is obligated to provide at least the same level of privacy protection as is required by the Privacy Shield Principles. This can be done through due diligence showing that the processor is also a Privacy Shield organization, or by contractually flowing-down Privacy Shield obligations to the processor.
Ongoing Monitoring and Remediation: Privacy Shield organizations must take “reasonable and appropriate steps” —such as questionnaires or audits – to make sure the processor actually processes EU data in compliance with Privacy Shield Principles.
Joint Liability: Privacy Shield organizations are jointly and severally liable with any processor they employ, all the way down the chain of sub-processors employed, unless the Privacy Shield organization can prove it is not responsible for “the event giving rise to the damage.” Accordingly, Privacy Shield companies should (a) place liability caps/indemnity in processor agreements, and/or (b) document due diligence and monitoring measures to prove non-responsibility for processor-caused liability events.
Are there any benefits to registering for Privacy Shield quickly?
Yes. Companies that self-certify for the Privacy Shield within two months after it enters into force have nine months to bring their existing vendor relationships into compliance with onward transfer restrictions.
It may be inferred that companies that register after October 1, 2016 will have less time to fix compliance issues with vendors and may be exposed to liability claims for non-compliance as a result.
If we register for Privacy Shield, are we suddenly subject to EU data protection law?
Generally not. Registering for the Privacy Shield will not automatically subject a U.S. company to EU data protection law. At the same time, however, companies should be mindful of the new General Data Protection Regulation (the “GDPR”) that will enter into force on May 25, 2018. Under Article 3(2) of the GDPR, a U.S. company – regardless of whether it is a controller or processor – is subject to EU data protection law if it (a) offers goods or services to EU residents, or (b) monitors the behavior of EU residents. If the activities a U.S. company performs with the EU data it receives via the Privacy Shield trigger either of these conditions, the company will be subject to EU data protection law regardless of whether it participates in the Privacy Shield.
How long can we retain the EU data that we have imported from the EU under the Privacy Shield?
Privacy Shield companies may store the data “in a form identifying or making identifiable the individual” only as long as the data serves original purposes for which it was collected or for compatible processing purposes. Otherwise, the data must be anonymized or deleted. This requirement was a key element in recent negotiations between the EU and the U.S., raised at the urging of the EU Parliament and EU DPAs, which emphasized the need for a clear data retention limitation principle.
As of what date will we be able to register?
According to a statement today by the U.S. State Secretary of Commerce, Penny Pritzker, the DOC will begin accepting registration applications as of August 1, 2016.
What do we need for our Privacy Shield registration?
To self-certify for the Privacy Shield, an organization must provide the DOC a self-certification submission, signed by a corporate officer on behalf of the organization, that contains at least the following information:
Name of organization, mailing address, e-mail address, telephone and fax numbers;
Description of the activities of the organization with respect to personal data importer from the EU;
The statutory body that has jurisdiction to hear privacy-related claims;
Name of privacy program in which the organization is a member;
Method of verification; and
Recourse mechanism to investigate unresolved complaints.