Cynthia J. Rich
Privacy + Data Security
The European Commission (the “Commission”) and the U.S. Department of Commerce issued the draft legal texts for the much anticipated EU-U.S. Privacy Shield (the “Shield”), set to replace the currently inoperative Safe Harbor program (“Safe Harbor”). The new agreement is aimed at restoring the trust of individuals in the transatlantic partnership and the digital economy, and putting an end to months of compliance concerns of U.S. and EU companies alike. The draft will be discussed with EU data protection authorities (“DPAs”) and adopted by Member States representatives before it becomes binding.
The publication of the Shield documents, on February 29, 2016, came at a time of high expectations and a certain tension. Last October, the European Court of Justice (the “ECJ”) invalidated the Commission’s decision 2000/520/EC and effectively shut down the Safe Harbor framework, which until then allowed thousands of European companies to send personal information to U.S. companies that had committed to protecting personal information. As a result, thousands of U.S. and EU companies were suddenly left in a legal limbo. In response to the risk of enforcement against companies relying on Safe Harbor, and to address the concerns raised by EU DPAs, the Commission announced in early February that a new political agreement had indeed been reached with the U.S. government. It also made good on its promise to make the details of the agreement public by month’s end.
At first glance, the Shield bears a strong resemblance to Safe Harbor, which misled some commentators to denounce it as a mere duplicate in disguise. However, the Shield introduces substantial changes for data protection, including additional rights for EU individuals, stricter compliance requirements for U.S. organizations, and further limitations on government access to personal data. From the perspective of U.S. companies, it appears that the Shield may actually signify a shift to heavily monitored compliance. In this sense, the question may no longer be “How good is the Privacy Shield for privacy?” but rather “How burdensome will it become for businesses?”
This alert takes a closer look at the Shield and highlights some of the key differences from the Safe Harbor and other available data transfer mechanisms.
Some of the key takeaways include:
The Commission made public all the documents that will constitute the new agreement, namely: a draft Adequacy Decision, FAQs, a Factsheet, Annexes detailing the principles and various compliance mechanisms, and a Commission Communication describing the current developments in the broader context of transatlantic discussions of the past few years.
In its press release, the Commission stated that the Shield “reflects the requirements” set by the ECJ in its ruling from October 6, 2015 (the “Schrems ruling”). As a reminder, key concerns of the Schrems ruling included: (1) the indiscriminate and excessive government access to EU citizens’ personal information, and (2) the lack of judicial redress mechanisms for EU citizens for privacy related complaints.
According to the Commission, the Shield will provide for “strong obligations on US companies” as well as “robust enforcement” mechanisms to ensure that such obligations are complied with. It will lay down “clear safeguards and transparency obligations on US government access.” Thirdly, it will ensure effective redress of EU Citizens’ rights by means of “several redress possibilities.” Finally, an annual joint review mechanism will allow the Commission, the U.S. Department of Commerce, and the European DPAs to monitor how well the Shield functions.
Assessment of Key Aspects
The following is a discussion of several key aspects of the new agreement, in relation not only to its predecessor, Safe Harbor, but also to other available data transfer mechanisms such as Binding Corporate Rules (“BCRs”) and EU Standard Contractual Clauses (“SCCs”).
1. Transfers to Third Parties
One of the important changes made pertains to conditions for participating organizations to transfer the data to third parties. Under the Safe Harbor principles, an organization had to provide notice and choice prior to disclosing personal information to a third-party controller. This was not required if the third party was “acting as an agent to perform task(s) on behalf of and under the instructions of the organization” [read: processor] (See Onward Transfer principle, Safe Harbor Decision 2000/520/EC, Annex I). For sharing data with an agent, the organization was required to:
Under the Privacy Shield principles, the rules for transfers to third-party controllers and agents change considerably. According to the Third principle (Accountability for Onward Transfer), to make transfers to ‘agents’ (or ‘processors’), organizations must meet a host of requirements, including complying with the principle of purpose limitation, ensuring that the agent provides the same level of protection as required by the Shield’s principles, and stopping and remediating unauthorized processing. Also, more significantly, organizations must provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request. While the obligation to provide a copy of privacy provisions also exists under SCCs (Controller-to-Processor), there the obligation for the U.S. company (the data importer) is limited to providing copies of sub-processing agreements to the data subject (the individual) or the data exporter (the EU company), not directly to a supervisory authority.
Moreover, notwithstanding having met these requirements, the organization remains liable if its agent processes the personal information in a manner inconsistent with the Privacy Shield principles, unless it proves that it is not responsible for the event giving rise to the damage (Principle 7(d), Recourse, Enforcement and Liability). This reversal of the burden of proof will mean that companies face a challenge in practice to show that they are not liable for their agent’s violations, even if the agent acted in contravention with its contractual obligations.
For onward transfers to controllers, the Privacy Shield principles add a new requirement to the notice and choice obligations that existed under the Safe Harbor. Now, organizations will be required to enter into a contract that provides that the data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipients will provide the same level of protection as the Privacy Shield principles. Some limited exceptions are provided for occasional employment-related operational needs, however. Here too, the Shield goes beyond what is required under the SCCs (Controller-to-Controller), where the U.S. company (data importer) has to address the cross-border transfer. The individual’s right to object (as opposed to consent) is only one of the means to legitimize the transfer to third party controllers, not a prerequisite for all transfers.
However, for transfers to affiliated companies, the Privacy Shield Principles provide a bit more flexibility than the SCCs, namely a contract is not always required: data controllers within a “controlled group of corporations or entities” may base such transfers on other instruments, such as BCRs or other intra-group instruments (e.g., compliance and control programs), ensuring the continuity of protection of personal information under the Privacy Shield principles. The participating organization remains responsible for compliance with Privacy Shield principles.
2. Safeguards related to intelligence activities will extend to all data transferred to the U.S.
In early February, the Commission indicated that the U.S. has given written assurances that access to EU citizens’ personal data by the U.S. government will be subject to “clear limitations, safeguards and oversight mechanisms,” and that any exceptions will be “necessary and proportionate.” Also, an Ombudsman within the Department of State will be responsible for receiving and investigating complaints and inquiries about U.S. intelligence practices from EU individuals. The Ombudsman will, however, have no independent investigative or enforcement powers.
Until now, it was unclear whether such safeguards would be confined to data transferred via the Shield, or if they would also apply to all data irrespective of the transfer mechanism used. In the context of the WP29 discussions on the consequences of the Schrems ruling on other transfer mechanisms, the concern was that European DPAs might decide to suspend transfers to the U.S. based on SCCs or BCRs because of mass and indiscriminate surveillance and excessive access to such data by the U.S. government.
From the documents made public on February 29, it appears that U.S. commitments will extend to personal data transferred by means of other transfer mechanisms such as SCCs and BCRs. Indeed, in section 3.1.2 of the draft Commission Implementing Decision, the overview of effective legal protection in U.S. law is of general scope and not limited to data transfers made via the Shield. Also, in section 3.2 of its Communication (COM(2016) 117 final), the Commission explicitly indicates that such safeguards will apply to all personal data transferred to the U.S. for commercial purposes, not only to Privacy Shield transfers. This is a positive development because it becomes harder for European regulators or potential plaintiffs to argue that SCCs and BCRs would allegedly fail to meet the test laid down by the ECJ in the Schrems ruling with respect of U.S. government access to personal data.
3. Dispute resolution
A potentially problematic issue is the multitude of avenues that individuals may choose from to lodge a complaint under the Shield. In practice, this may create a significant administrative burden for organizations, which will now have to be alert and ready to respond on many fronts.
First, individuals are encouraged to raise any concerns or complaints with the organization itself, which is obligated to respond within 45 days. Note that this is stricter than some European data protection laws (in France, for example, the timeframe is two months under current law). Under the Shield, individuals also have the option of working through their local DPA which may contact the organization and/or the Department of Commerce to resolve the dispute.
The second avenue is an independent recourse mechanism. The Shield requires organizations to provide an independent recourse mechanism that will investigate and expeditiously resolve complaints and disputes at no cost to the individual. Organizations may select a private sector alternative dispute resolution (“ADR”) provider or a panel of European DPAs. The private sector ADR provider must satisfy certain Shield requirements, such as responding promptly to inquiries and information requests from the Department of Commerce; reporting an organization’s noncompliance to regulators, courts, or the Department of Commerce; and issuing annual reports that provide aggregate statistics regarding their Shield ADR services. Organizations may also opt to use a panel of DPAs for their independent recourse mechanism. Note that this is mandatory if an organization uses the Privacy Shield for transfers of human resources data. In that case, the DPA Panel will be competent to hear individual claims that have remained unresolved despite the organization’s internal complaint handling efforts. Both parties will have an opportunity to provide comments and submit evidence before the DPA Panel issues its “advice”, which it will try to issue within 60 days. Once the advice is issued, organizations must comply within 25 days. Should an organization fail to comply, the DPA Panel may either refer the matter to the Federal Trade Commission (“FTC”), or another body with statutory authority to enforce against unfair and deceptive trade practices, or inform the Department of Commerce that the organization should lose its Privacy Shield certification because it seriously breached its agreement to cooperate with the panel and therefore that agreement is null and void.
For disputes or complaints involving human resources data that are not resolved internally by the organization (or through any applicable trade union grievance procedures) to the satisfaction of the employee, the organization is expected to direct the employee to the state or national DPA or labor authority in the jurisdiction where the employee works.
The Shield provides for yet another dispute resolution mechanism, namely binding arbitration by the Privacy Shield Panel. This option is open to individuals who have raised their complaint with the organization, used the independent recourse mechanism, and/or sought relief through their DPA, but whose claimed violation still remains fully or partially unremedied. Note that arbitration is not available if a DPA has “authority to resolve the claimed violation directly with the organization.” The Privacy Shield Panel is composed of one or three independent arbitrators admitted to practice law in the U.S., with expertise in U.S. and EU privacy law. The Panel can only impose equitable relief, such as access or correction – it cannot award damages. Arbitrations should be concluded within 90 days. While the individual may not bring his or her claim for equitable relief in another forum after opting for arbitration, he or she may still file a claim for damages otherwise available in the courts. Furthermore, both parties may seek judicial review of the arbitral decision under the U.S. Federal Arbitration Act.
In other words, after raising a complaint with the organization, petitioning the independent recourse mechanism, filing a complaint with the DPA, and seeking equitable relief from the Privacy Shield Panel, the parties may still petition the courts (with the exception of individual complaints to the FTC or another U.S. statutory body).
In light of the above, a participating organization contemplating which data transfer compliance mechanism to implement may be discouraged by this wide array of avenues and potential fronts. For comparison, the SCCs (both Controller-to-Processor, and Controller-to-Controller) provide for dispute resolution either by mediation, or by the courts of the EU member state in which the data exporter is established. Also for BCRs, the dispute resolution mechanisms seem less burdensome, as they provide for an internal complaint handling process, lodging complaints with competent DPAs, and before the courts either at the data exporter’s location or at the location of the EU headquarters of the organization.
4. Enforcement authorities
In addition to adding several channels through which an organization may be confronted with individual complaints, other types of enforcement are expanded as well. An organization’s compliance with the Privacy Shield may be directly or indirectly monitored by the Department of Commerce, the FTC, the Department of Transportation (or other body with statutory authority), European DPAs, and private sector independent recourse mechanisms or other privacy self‑regulatory bodies.
Under the Shield, the Department of Commerce will significantly expand its role in monitoring and supervising compliance. To accomplish this new mission, the Department has doubled the size of the program staff and has committed to dedicating the resources necessary to ensure effective monitoring and administration of the program. Some of the Department’s new responsibilities include:
The FTC will give priority consideration to Privacy Shield compliance issues raised by the Department of Commerce and European DPAs. In particular, it is designating an agency point of contact, creating its own standardized referral process to facilitate referrals from the DPAs, and providing guidance to the DPAs on the type of information that would best assist the FTC in its inquiry into a referral.
Private sector independent recourse mechanisms will have a duty to actively report organizations’ failures to comply with their rulings to the Department of Commerce. Upon receipt of such notification, the Department will remove the organization from the Privacy Shield List.
Both individual DPAs and the DPA panel will be able to refer complaints regarding Privacy Shield compliance to the Department of Commerce. Of course, the DPAs also have the authority to address organizations directly if they process HR data, or have committed to cooperate with DPAs.
The above overview illustrates the complexity of the new agreement and the multiplication of authorities in charge of oversight, all of which is likely to result in greater regulatory scrutiny of and compliance costs for participating organizations. By way of contrast, when an organization relies on alternative transfer mechanisms such as the SCCs, the regulatory oversight is performed by EU regulators against the EU company (as data exporter). Therefore, before settling on a transfer mechanism, organizations will want to consider the regulatory involvement and compliance costs associated with each option.
5. Reporting and continuing compliance obligations
Finally, participating organizations will be subjected to additional compliance and reporting obligations, some of which will continue even after withdrawal from the Privacy Shield. As was required under the Safe Harbor, organizations must recertify their compliance on an annual basis. In addition, Privacy Shield organizations will now be required to maintain records regarding the implementation of their privacy program and provide them to regulators upon request.
Like the Safe Harbor, organizations that leave the Privacy Shield program for any reason must continue to protect the information received during their participation in the program in accordance with the Principles. However, the Privacy Shield adds a new reporting requirement for these organizations. For as long as they retain the information, they must affirm annually to the Department of Commerce that they are protecting the information in accordance with the Principles. Otherwise, the organization must return or delete the information or provide “adequate” protection for the information by another authorized means (e.g., SCCs).
The text of the proposed EU-U.S. Privacy Shield signals the intention of the EU and U.S. governments to work together to address the gap in data transfer mechanisms left by the Schrems ruling. But it also underlines the complexity and depth of the differences in the way the two systems approach privacy. It remains to be seen whether and to what extent the Privacy Shield in its current form appropriately addresses the concerns of all interested parties: privacy concerns of citizens, legal requirements of the ECJ, and legitimate practical considerations of companies wishing to comply on both side of the Atlantic.
Regarding next steps, the Article 31 Committee of representatives of EU member states will have to review the draft adequacy decision and issue an opinion. Furthermore, the WP29 announced that it will also issue an opinion regarding the draft at its plenary meeting on April 12-13. The adequacy decision will then go through the committee procedure before it is formally adopted.
Companies should give careful consideration to the potential advantages and disadvantages of the Privacy Shield in comparison with other transfer tools such as SCCs and BCRs. The complexity of the new agreement and the increased cost of compliance underscore that the Privacy Shield goes far beyond a mere upgrade of Safe Harbor. Also, although the Privacy Shield may withstand judicial scrutiny this year, the ECJ warned that adequacy determinations are an ongoing process, hence the inclusion of an annual review process involving EU and U.S. authorities. What the consequences of this process will be for companies is unclear: if the result of annual reviews is to add new requirements on top of existing ones as issues arise, it may very well turn the Privacy Shield into a moving compliance target.
Contact our world-class privacy and data security lawyers.
Follow us on Twitter @MoFoPrivacy.
©1996-2019 Morrison & Foerster LLP. All rights reserved.