On 12 July 2016 the European Commission finally approved the much debated EU-US Privacy Shield. The Privacy Shield replaces the invalidated Safe Harbor regime as the new framework for transfers of personal data to the US. US companies can start self-certifying under the EU-US Privacy Shield as soon as 1 August 2016. Before doing so, however, they should carefully review the obligations under the EU-US Privacy Shield and the consequences that a certification has for their business. In doing so, they should also assess the reliability of the new framework and prepare for strong headwinds from some European Data Protection Authorities (DPAs).
In this alert, we explain what the final version of the EU-US Privacy Shield is all about and what steps should be taken by US and EU businesses.
What are the key principles of the EU-US Privacy Shield?
As we reported previously, companies certifying under the new EU-US Privacy Shield will commit to adhere to the following seven principles:
- Notice: publishing privacy policies and links to Privacy Shield related information;
- Choice: providing appropriate consent and opt-out mechanisms to users;
- Accountability for onward transfer: concluding data transfer agreements with third party recipients;
- Security: implementing appropriate security measures;
- Data integrity and purpose limitation: ensuring that data is only processed for the purposes for which it has been collected;
- Access: providing mechanisms to enable data subjects to confirm what processing is taking place, and to correct or delete information held about them; and
- Recourse, enforcement and liability: implementing mechanisms to resolve complaints.
What about the criticism from the Article 29 Working Party (WP29) and other stakeholders?
In its opinion of 13 April 2016, the WP29 (a group consisting of representatives of DPAs from each EU Member State) recognised the major improvements of the EU-US Privacy Shield in comparison to Safe Harbor. In the end, however, the WP29 concluded that more work needed to be done to adequately protect the personal data of EU citizens under the Privacy Shield. The WP29’s concerns focused in particular on:
- the US authorities’ access to data transferred under the Privacy Shield;
- the position of the proposed US Ombudsman, which was not considered sufficiently independent or vested with adequate powers to exercise and enforce its duties effectively; and
- the complexity of the redress mechanism, which was not considered user-friendly or effective.
The concerns raised by the WP29 were echoed by the European Parliament and the European Data Protection Supervisor (EDPS). While the so-called Article 31 Committee (composed of representatives of the Member States’ governments) initially postponed its vote, it ultimately voted in favour of the Privacy Shield on 8 July 2016, thereby paving the way for the European Commission to adopt the adequacy decision.
In the interim, the European Commission has revised the wording of the EU-US Privacy Shield and renegotiated a number of aspects with the US. This has resulted in an amended EU-US Privacy Shield that contains stronger rules on data retention, onward transfers and additional safeguards related to the access to personal data by US law enforcement agencies. In addition, the position of the US Ombudsman was renegotiated to ensure that it is truly independent from US intelligence agencies.
The following notable changes have been made in comparison to the provisional version from March 2016:
- Stricter rules for processing: the most important change for businesses that seek to self-certify under the EU-US Privacy Shield is that stricter rules have been put in place on several processing activities.
- More explicit retention periods: the existing limitation of data retention has been made more explicit. Companies may keep personal data only as long as this serves the purpose for which the data was collected.
- Limitations to secondary processing: in line with the new EU General Data Protection Regulation (GDPR), the Privacy Shield provides for a stricter purpose limitation requiring organisations “not to process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.”
- Tightened conditions for onward transfers of personal data: the obligation to provide the “same level of protection” when passing on data to third party recipients has been further clarified and now includes an obligation for the third party in question to inform the Privacy Shield company when it is no longer able to ensure the appropriate level of data protection. At that point, the Privacy Shield certified company will then have to take appropriate measures, such as making sure that the third party ceases processing.
- Limitations around bulk data collection: an important change that does not so much affect the companies themselves, but which was a precondition for the acceptance of the Shield as a whole, concerns the bulk collection of intelligence information by the US national security agencies. It has been specified that data collection by the intelligence services should, as a rule, be targeted. Additionally, the exceptional use of bulk collection of data is limited to six defined national security purposes.
- Independence of the Ombudsman: redress in the area of national security for anyone whose data is transferred to the US will be handled by an Ombudsman that is independent from the US intelligence services. During the adoption process, the functioning of the Ombudsman has been further clarified, in particular its independence and its cooperation with other independent oversight bodies with investigatory powers.
Will the revised Privacy Shield be robust enough?
Whether the amended Privacy Shield fully addresses all of the concerns raised by the most vocal critics of the previous version remains to be seen. Max Schrems has already indicated that he will challenge the legality of the Privacy Shield, and the WP29 has a meeting scheduled for 25 July 2016 to review the final version, to analyse whether it satisfies all of its concerns and to determine what practical steps need to be taken at an operational level. Some national DPAs have also already cast doubt on whether the new framework meets the high requirements set by the CJEU. For example, in an interview, the Commissioner for Data Protection in Hamburg, Germany stated that he considered this “rather doubtful”.
What should businesses do now?
Our recommendations as to what US and EU companies should be considering and doing now are as follows:
- For all US companies that have previously relied on Safe Harbor, it is now time to decide whether to subscribe to the enhanced framework. While those companies that have switched to the use of EU Standard Contractual Clauses (SCCs, or ‘Model Clauses’) are not under immediate pressure, those who have waited for the Privacy Shield and have not yet implemented an alternative to the invalidated Safe Harbor will need to take action.
- US-based companies that receive personal data from EU businesses will have to carefully review the final version of the Privacy Shield, as well as their data processing activities, before deciding whether to self-certify under the EU-US Privacy Shield. The seven privacy principles identified above will apply immediately upon certification. Organizations that certify in the first two months following the effective date of the Privacy Shield will be given a period of nine months to bring existing third party contracts into conformity with the accountability for onward transfer principle.
- With this in mind, it is advisable for those thinking of certifying to thoroughly review their privacy practices and policies, and to make sure they are compliant with the Privacy Shield prior to making any final decision. The US Department of Commerce has issued a guide on how to join the Privacy Shield and is committed to strict supervision and will verify that companies are registered with their designated independent recourse mechanisms prior to finalising a company’s certification.
- The GDPR, which will come into effect in May 2018, will bring about even stricter obligations than those under the EU-US Privacy Shield. Accordingly, within two years, US businesses that will in future be directly subject to the GDPR will have to comply with enhanced obligations anyway. It may be a good first step for those companies to accede to the Privacy Shield first and thereby take a step-by-step approach to bringing their processing operations in line with GDPR requirements.
- The Privacy Shield does not affect the validity of SCC, which remain another valid ground for transferring data outside the EU. Therefore, there is no need to use the Privacy Shield to cover any data transfers made under those SCCs. Yet, since the SCCs’ validity is already being challenged before the High Court in Ireland, with a possible referral to the CJEU, companies may have to resort to the Privacy Shield sooner than expected in case SCC-based US data transfers suffer the same fate as those under Safe Harbor.
- Also, since doubts have been expressed as to the legality of the new Privacy Shield, and it is very likely that it will be tested in EU courts sooner rather than later, it might be advisable to put (or keep) in place SCCs as another layer of protection, at least for a certain period of time (bearing in mind that SCC-based transfers are also under scrutiny).
By doing so, it will also be easier for an organization to withdraw from the Privacy Shield because, if it wants to retain data received under the Privacy Shield, it will still need to provide adequate protection for the data by another authorized means (for example by using the relevant SCCs).
- For EU businesses, it will generally be preferable to transfer data to the US on the basis of the Privacy Shield commitments made by the US counterpart rather than on the basis of SCCs. This is because the Privacy Shield (1) offers better protection and (2) is a more general approach that does not require the conclusion of separate agreements for each data transfer (although where the US recipient acts as a data processor on behalf of the EU business, a data processing agreement remains necessary).
Having said that, the Privacy Shield will still require constant attention by EU data exporters. The much stricter oversight and enforcement, the recourse mechanisms for data subjects and the increased co-operation with DPAs in the EU will result in a much greater degree of scrutiny, and therefore risk, in relation to individual companies’ adherence to the framework, the validity of their certifications and, ultimately, the permissibility of certain data transfers.