Background
Following the invalidation of the US-EU Safe Harbor by the Court of Justice of the European Union in October last year (see From a Safe Harbor to a Privacy Shield), the U.S. Department of Commerce and the EU Commission have recently released a draft of a replacement regime, called the EU-U.S. Privacy Shield. The new framework is intended to increase protections for transferring EU residents’ personal data to the U.S. and thereby facilitate the transatlantic flow of data. Now that the dust has settled, we take a look at the key provisions of the Privacy Shield as they relate to U.S. organizations and assess the hurdles that must be overcome before the Privacy Shield becomes a reality.
Eligibility for the Privacy Shield
Participation in the Privacy Shield Framework, like the Safe Harbor, is based on the principle of self-certification, requiring a U.S.-based company to make certain representations to the Department of Commerce. A participating organization must commit to: (i) be subject to the jurisdiction of either the U.S. Federal Trade Commission (“FTC”) or other U.S. agency such as the Department of Transportation; (ii) publicly declare that it will comply with and in fact implement the Privacy Principles, described below; and (iii) publicly disclose its privacy policies. Once an organization is included in the Department of Commerce’s list of certified organizations, it becomes eligible to receive EU individuals’ personal data under the Privacy Shield, with the requirement to re-certify at least annually.
Privacy Shield Principles
Again, like Safe Harbor, the Privacy Shield is based on a number of Privacy Principles. These are summarized below:
- Notice: There is an obligation placed on participating organizations to inform individuals of a broad range of information (over 15 different notice requirements), including type of personal data collected, the purpose of collecting the data, the identity of third parties to whom the data is transferred, conditions for onward transfers, rights of access by the individual and recourse mechanisms. This notification obligation will require a detailed reassessment of even the most robust of privacy policies.
- Choice: The participating organizations must provide clear, conspicuous and readily available mechanisms to allow individuals to opt out of: (i) direct marketing; (ii) the disclosure of their personal data to any third party not acting as an agent for the underlying participating organization; and (iii) the use of their personal data for a purpose materially different from the purpose for which the data was originally collected. If the organization is collecting sensitive data (e.g., health conditions, racial or ethnic origin, sexual preference, trade union membership, etc.), then the data subject must affirmatively “opt in” to allow the participating organization to collect such information. Whilst these concepts may have become familiar to organizations based in the EU, U.S. participating organizations will soon need to familiarize themselves and adopt appropriate opt-in and opt-out mechanisms before collecting an EU individual’s data.
- Accountability for Onward Transfer: Participating organizations may transfer personal data to third parties, but only for the specified purposes to which the data subject has consented. The pertinent organization must enter into a contract with each such third-party data processor, consistent with the level of protection afforded by the Privacy Principles. The entity that received the personal data under the Privacy Shield in the first place remains responsible for ensuring that all data is processed lawfully and in compliance with the Privacy Principles. The practical consequence is therefore an increased focus on diligence and audit of vendors to ensure compliance down the chain by all data recipients.
- Security: The participating organizations must take reasonable and appropriate security measures, based on the nature of the personal data and the inherent risks involved. As described under Accountability for Onward Transfer above, these obligations would need to flow down to any and all third parties receiving the data.
- Data Integrity and the Purpose Limitation: The participating organizations must limit the collection of data to only such data that is “relevant for the purposes of processing,” and must take reasonable steps to ensure that personal data is accurate, complete, current and reliable for the intended use. Even after an entity’s certification has lapsed, that organization will remain bound by the Privacy Principles when processing data collected during a period of certification under the Privacy Shield.
- Access: The participating organizations must provide each data subject with: (i) the opportunity to confirm whether the organization is processing his or her personal data; (ii) a way to obtain a copy of such data within a reasonable time (at a fee that is “not excessive”); and (iii) the ability to correct, amend or delete information that is inaccurate or was processed in violation of the Privacy Principles. Formal channels of communication will need to be established to facilitate these access rights.
- Recourse, Enforcement and Liability: The new Privacy Shield provides EU individuals with detailed mechanisms for recourse and dispute resolution. Each participating organization must implement processes for handling complaints, regardless of whether it has actually received any complaints, including mechanisms to: (i) enable independent recourse for the data subjects; (ii) verify the authenticity of the Privacy Shield-related attestations and assertions made by the organization; and (iii) provide effective redress for individuals who file complaints about the processing of their personal data (with an obligation to respond to each complaint within 45 days). U.S. organizations will therefore need to implement not only procedures to train staff on these mechanisms but also measures to comply with the new recourse requirements.
Remedies for EU Data Subjects
Outside of the mechanisms that the participating organizations must put in place, EU citizens will now be provided a plethora of avenues of redress. These include: (i) direct complaints to the participating organization that collected the data; (ii) alternative dispute resolution, which will be made available free of charge; (iii) complaints to the EU citizens’ local Data Protection Authorities, which in turn will work with the FTC and Department of Commerce to resolve the complaints; (iv) access to an Ombudsperson designated by the U.S. government; and (v) as a last resort, access to an Arbitration panel. We have yet to see the details of all of these mechanisms, but collectively they have been considered one of the Privacy Shield’s key improvements upon the Safe Harbor regime.
So, should you sign up?
No—not yet anyhow. From a regulatory perspective, the EU Commission’s decision on the adequacy of the Privacy Shield is still in draft form. Consequently, we are awaiting: (i) a consultation with the committee of the representatives of the EU member states; (ii) an opinion from the committee of the regulators from the EU member states; and (iii) a formal adoption of the Commission’s decision. Then, or maybe in parallel, the FTC will need to implement the framework enabling organizations to begin to self-certify. Once these regulatory hurdles are overcome, given that the new framework is disliked by most of the interested parties who opposed the Safe Harbor, it will almost certainly be challenged immediately in the EU courts, as the Safe Harbor regime was by Max Schrems.
The outcome of all this uncertainty will likely result in two camps emerging. In one camp will be the “wait-and-see” organizations that will not want to spend the time or the money going through the self-certification procedure until they know whether or not the Privacy Shield is here to stay—and, given the new detailed requirements and recourse mechanisms, self-certification should not be taken lightly. In the other camp will be the adopters—those who will see the Privacy Shield as an investment, which at best will become the foundation of a permanent robust policy and at worst will be a temporary marketing tool.
Either way, it is almost certain that other methods of legitimizing transatlantic data transfers, such as model clauses or binding corporate rules, will be used to supplement the Privacy Shield—at least until the market in Europe begins to trust the new regime.