On July 12, 2016, the EU Commission and the U.S. Secretary of Commerce announced the adoption of the EU-U.S. Privacy Shield (Privacy Shield). This announcement follows today's adequacy decision by the College of EU Commissioners, which recognizes that the Privacy Shield provides an adequate level of protection under EU data protection law. The adequacy decision represents formal approval of the Privacy Shield as a legal basis for data transfers from the EU to the U.S.
Privacy Shield certification will be available to companies as of August 1, 2016. Although the adoption of the Privacy Shield is a welcome development, it does not eliminate the recent legal uncertainty that has surrounded data transfers from the EU to the U.S., as the Privacy Shield is expected to face legal challenges before DPAs and courts.
Certification to the Privacy Shield is not a mere formality. Before certifying, companies should carefully review the Privacy Shield principles and the supplemental principles to assess whether it is a workable data transfer solution for their business. Noncompliance may expose companies to significant sanctions.
Background and Next Steps
The Privacy Shield replaces the EU-U.S. Safe Harbor Framework (Safe Harbor), which was invalidated by the EU Court of Justice in Schrems on October 6, 2015. Following preliminary discussions with the U.S. Department of Commerce (DOC), the European Commission issued an initial proposal at the end of February 2016. Today's adequacy decision is the result of many months of additional negotiation between the DOC and the EU Commission, following criticism of the initial proposal from various EU bodies, including the Article 29 Working Party, the European Parliament, and the European Data Protection Supervisor.
The DOC and EU Commission will now implement the Privacy Shield by updating the DOC website and providing guidance on how to certify. The DOC will begin processing Privacy Shield certifications as of August 1, 2016. The Article 29 Working Party announced that it will review the Privacy Shield on July 25, 2016, and may comment on some aspects of the final framework.
The Privacy Shield
The Privacy Shield builds on the existing Safe Harbor principles and FAQs, but expands on some of the principles, provides for new recourse mechanisms, and contains commitments regarding U.S. public authorities' access to EU citizens' personal information. See the annexes to the adequacy decision for the full Privacy Shield principles.
Below are some of the key changes:
Additional notice requirements. The Privacy Shield requires providing additional information in privacy policies, such as information on recourse mechanisms, liability for onward transfers, and potential disclosures to public authorities, including for national security and law enforcement purposes.
Stricter opt-out right. Companies must allow individuals to opt out from disclosure to third parties or from any new use which is "materially different" from the purpose of the collection.
More restrictions on onward transfers. The Privacy Shield restricts onward transfers to third parties, and requires companies to include certain contractual provisions in their data-sharing agreements. The Privacy Shield certified company generally remains liable in case of onward transfers to an agent.
Higher security standard. Taking into account the risks of the processing and the nature of the personal information, companies must take reasonable and appropriate measures to protect information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
Enhanced data integrity and purpose limitation. Companies must limit the purpose of the processing to the purposes for which information was collected and only retain personal information for as long as needed for the purpose of collection.
Stronger right of access. Individuals have an enhanced right to access, correct, amend, or delete their personal information, and a new right to receive information about a decision based on the automated processing of their personal information (e.g., creditworthiness).
Restrictions when leaving the Privacy Shield. A company leaving the Privacy Shield must delete the information collected under the Privacy Shield or certify with the DOC that it will continue to process the information in accordance with the Privacy Shield principles.
New redress mechanisms. The Privacy Shield creates new redress mechanisms. Individuals are encouraged to complain directly to companies, which will have 45 days to respond. Individuals may also file a complaint directly with EU data protection authorities (DPAs), which will cooperate with the DOC and the Federal Trade Commission (FTC). Furthermore, individuals have access to a free-of-charge alternative dispute resolution mechanism selected by the company. Finally, as a last resort and in limited situations, individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
In addition, the Privacy Shield entails a series of commitments and limitations relating to U.S. government data access. The U.S. government committed to creating an ombudsperson within the Department of State to handle complaints related to data access by national intelligence authorities. The ombudsperson will be independent from national security agencies.
The Privacy Shield includes a transitional grace period as an incentive for U.S. companies to certify quickly. Companies that certify within two months of the adoption of the Privacy Shield will benefit from a nine-month leniency period to bring their contracts in line with new requirements for onward transfers.
Outlook and Conclusions
With today's adoption of the Privacy Shield, a new data transfer mechanism is available to companies to legitimize their data transfers from the EU to the U.S. However, while this is a welcome development for EU-U.S. data transfers, the Privacy Shield will likely face challenges before DPAs and courts. The validity of EU Model Contracts is already being challenged before Irish courts, with a likely referral to the Court of Justice of the EU. These court proceedings will have a significant impact on EU-U.S. data flows, including the Privacy Shield. As a result, the legal framework around EU-U.S. data transfers will remain in flux, and companies will continue to face a high level of legal uncertainty for the foreseeable future.
Certification to the Privacy Shield is not a mere formality and potentially exposes companies to significant sanctions. Businesses interested in certifying to the Privacy Shield should assess whether it is a workable solution for their data flows and consider conducting a gap analysis to assess the differences between the Privacy Shield and the Safe Harbor if they were Safe Harbor-certified, or between the Privacy Shield and any alternative data transfer mechanism they implemented in the interim (e.g., Model Contracts and Binding Corporate Rules). Companies that implemented an alternative data transfer mechanism should also consider conducting a cost/benefit analysis of certifying to the Privacy Shield as a new or additional data transfer mechanism. Ultimately, which mechanism(s) to select for transferring data outside of the EU depends on a company's size, corporate structure, industry sector, data flows, and whether it operates in the B2C or B2B context.