In October 2015, the Court of Justice of the European Union (“CJEU”), in its Schems decision, struck down protections afforded by the 2000 CJEU “Safe Harbor Decision.” The Safe Harbor framework had established a system by which U.S. companies could self-certify compliance with a single set of principles and procedures, thus verifying that they complied with all the various EU privacy and data transfer standards.
But in 2015, things changed. Concerned with the U.S. government’s ability to gain access to information during law enforcement investigations, the CJEU determined that the protections afforded by the Safe Harbor framework failed to meet EU standards and adequately protect information of EU citizens. Overnight, companies that previously certified compliance via the Safe Harbor framework were in violation of the EU data protection laws.
In response, the U.S. and EU set about negotiating a new pact that would allow for U.S. companies to collect and store personally identifying information about EU citizens and to protect those citizens’ privacy pursuant to EU standards. The result was the EU-U.S. Privacy Shield. This new pact was negotiated by the EU and U.S. in February 2016, agreed to by the EU on July 8, and formally adopted by the EU on July 12. So what are the requirements of this new Privacy Shield and what do they mean for U.S. companies doing business with European customers?
The EU-U.S. Privacy Shield
Similar to the Safe Harbor framework, companies wishing to take advantage of the Privacy Shield must self-certify their adherence to the requirements of the Privacy Shield to the Department of Commerce (“DOC”). Once a company makes this voluntary public declaration, compliance with the requirements of the Privacy Shield are compulsory, as the DOC will be tasked with ensuring compliance and the Federal Trade Commission (“FTC”), through its powers to prohibit unfair and deceptive acts, will enforce those requirements.
Companies must also publicly declare their commitment to complying with the Privacy Shield requirements and publicly disclose and fully implement their Privacy Shield compliant privacy policies. The DOC will then maintain and publish an authoritative list of U.S. organizations that have self-certified to the DOC, as well as a list of those companies who have been removed from the Privacy Shield list because of voluntary withdrawal or persistent failure to comply.
Protections provided by the privacy shield
One of the touted advantages of the new Privacy Shield is its ability to provide improved privacy protections for EU citizens’ data. Companies must provide notice to their customers about any personal information they are collecting and how they plan to use that information. Companies must take reasonable and appropriate measures to protect personal information from loss, misuse, and unauthorized access, disclosures, alteration and destruction. Where companies transfer personal information to other entities, they must provide their customers with notice of such a transfer. When transferring sensitive personal information, companies must receive express consent to the transfer, and must have a contract with the entity receiving the personal information that will ensure that the privacy of the information is maintained and that the personal information will not be improperly used. Companies must also establish procedures for verifying the protection of personal information they store, or that which is stored by their vendors.
In another requirement, companies must allow their customers to file complaints or seek redress for improper use of such personal information. These complaints — and the requirement that they be addressed — are critical to the Privacy Shield. Not only can EU individuals pursue these complaints, but the Privacy Shield mandates that those complaints be addressed in a timely fashion. Participants must respond to individual complaints within 45 days and must provide a no-cost independent mechanism for investigating the claims in those complaints. In addition, both the DOC and the FTC have committed to work with European data protection authorities to receive, review, and respond within 90 days to complaints lodged in the EU. Participants must also commit to binding arbitration if complaints are not resolved by other enforcement mechanisms. And, where individuals prefer to have the government investigate issues, there are procedures allowing customers to register, and for the DOC and FTC to investigate, complaints. The Shield further authorizes private causes of action, like misrepresentation, in U.S. state courts, for example, where participants fail to comply with program principles.
The Privacy Shield provides resources and methods for verifying compliance and removing non-compliant companies from the Privacy Shield List. Not only must participants provide a host of information to confirm the compliance of their privacy procedures and program, but the DOC has committed to robust supervision of such procedures through compliance reviews and investigations. There are also procedures for ensuring that companies who are removed from the Privacy Shield List are still compelled to maintain the privacy of information they have already collected or are forced to return that information to the customer.
The Privacy Shield attempts to offer protection to EU individuals from unreasonable access by U.S. law enforcement and national security agencies. One of the chief concerns with the old Safe Harbor framework was that personal information from EU customers was potentially subject to large scale data collection by the government in connection with law enforcement proceedings. The Privacy Shield attempts to combat these concerns in a number of ways.
First, the U.S. Intelligence Community provided the EU a written explanation of the safeguards that apply to the Privacy Shield’s operation and the oversight provided by all three branches of the U.S. Government.
Second, the Department of Justice provided an overview regarding limits on law enforcement and public interest access to commercial data and other record information held by corporations in the U.S. These activities were conducted in an attempt to ease EU concerns that personal information of EU individuals would be subject to large scale data gathering programs employed by the U.S. Intelligence Community.
To further address concerns regarding government access to personal data, the Department of State agreed to provide an Ombudsperson through whom EU individuals can submit inquiries regarding U.S. intelligence information gathering practices.
The immediate impact of the new Privacy Shield for U.S. companies is the reestablishment of a single recognized program for ensuring compliance with the varied, and often onerous, data transfer and EU privacy standards. U.S. companies can feel confident that by complying with this program they can avoid potential liability under EU law for their handling of personal information. It also facilitates data transfers between the EU and the U.S., which promotes cross-Atlantic commerce and economic activity.
The Privacy Shield should ease the concerns of EU customers regarding the privacy of their data when held by U.S. companies. EU customers will receive notice of the personal information being held, will have processes for challenging the use of that personal information, and will have some protection from large scale data collection practices of the U.S. government in connection with law enforcement activities.
But, this protection will not be identical to that afforded under EU privacy and data transfer standards. And there are already rumblings that this new Privacy Shield will face legal challenges on the same grounds that invalidated the Safe Harbor framework. Further complicating matters is the exit of the UK from the EU. What will the UK’s privacy standards look like post-EU and will they be met by the Privacy Shield? Or will the U.S. be forced to negotiate a separate deal with the UK?
How these concerns and the UK’s “Brexit” will affect the Privacy Shield are yet to be seen. But, for now, U.S. companies can engage in data transfers with EU customers and businesses with some peace of mind.