1 August 2016
On 12 July 2016, the European Commission adopted the EU-US Privacy Shield adequacy decision (Privacy Shield), allowing transfers of personal data from the European Union to US organisations which voluntarily certify under the Privacy Shield framework. (At the time of writing, the Privacy Shield decision does not apply to Iceland, Liechtenstein and Norway; once it is incorporated into the EEA Agreement, US certified companies will be able to receive personal data from those countries as well.) The US Department of Commerce will begin accepting applications for certification from 1 August 2016. Organisations that are headquartered in the US, or groups with a US-based company which accesses, receives or processes personal data (including HR data) from the EU, may wish to consider signing up to the Privacy Shield as a data export solution.
This note will help organisations evaluate whether or not to take advantage of the Privacy Shield and, if they decide to do so, prepare for the certification process and for ongoing compliance.
Since the Court of Justice of the European Union (CJEU) invalidated the EU Commission's Decision on EU-US Safe Harbor in October 2015, US organisations have not been able to rely on the Safe Harbor scheme to receive personal data from the European Economic Area (EEA) countries. Instead, they have had to use other legal mechanisms such as the EU standard contractual clauses (SCCs), or rely on the limited derogations set out in Article 26(1) of the European Data Protection Directive (e.g. the unambiguous consent of the data subject). Given the more involved process of applying for Binding Corporate Rules (BCRs), BCRs are less likely to be a short-term alternative.
Perhaps the main advantage of signing up to the Privacy Shield is that it avoids the need to sign individual contracts with each organisation from which data is received: an organisation with a Privacy Shield certification is presumed to afford adequate protection to EU personal data. The adoption of the Privacy Shield therefore provides US organisations with an additional legal mechanism for lawful transatlantic data flows from the European Union.
The Article 29 Working Party (WP29), which represents the EU data protection regulators (DPAs), has broadly welcomed the Privacy Shield, which should provide some comfort to US businesses considering certifying. However, WP29 has also expressed doubts about the scheme and has stated its intention to reassess its views once the scheme has been in operation. WP29 sees the independence of the Ombudsperson (who will handle complaints from EU individuals about access to their data by US intelligence agencies), and evidence that the Privacy Shield has teeth in the form of real sanctions for non-compliance, as key factors in determining its success. It is worth remembering that EU regulators remain free to investigate data exports, regardless of any EU Commission decision of adequacy.
In addition, although the Privacy Shield provides a set of more robust and enforceable protections for the personal data of EU individuals, it may still be subject to legal challenge before the European courts, despite the view of the Commission and the US Department of Commerce that the flaws identified in the Safe Harbor scheme have been addressed. Any challenge would most likely concern access to EU personal data by US law enforcement and intelligence agencies, but could nonetheless have implications for every organisation signing up to the Privacy Shield.
US organisations need to consider the benefits of the Privacy Shield carefully, taking into account their business needs and practices and weighing the Privacy Shield up against the other available data transfer mechanisms from the EEA to the US. Legal advice should be sought at the outset of the decision making process.
US organisations signing up to the Privacy Shield will be required to:
The Privacy Shield applies to the personal data of any EU data subject that has been transferred from the EU to organisations in the US that have self-certified their adherence to the seven Privacy Shield Principles with the US Department of Commerce. It applies to both data controllers and data processors; service providers and agents will therefore also be able to certify under it.
To be eligible to sign up to the Privacy Shield, an organisation needs to be subject to the jurisdiction of the Federal Trade Commission (FTC) or the US Department of Transportation (DOT). The FTC has no jurisdiction over most financial organisations, such as banks, savings and loan institutions or federal credit unions. It also has no jurisdiction over common carrier activities, air carriers and foreign air carriers, labor associations, most non-profit organisations, and most packer and stockyard activities. The DOT has exclusive jurisdiction over US and foreign air carriers, and the DOT and the FTC share jurisdiction over ticket agents that market air transportation. An organisation that falls outside both regulators' jurisdiction cannot certify and will need to rely on another transfer mechanism.
If you are a US organisation considering self-certifying under the Privacy Shield, you will need to assess your current privacy compliance programme and make any necessary changes before applying for certification. You should:
Determine whether changes need to be made to your current privacy compliance programmes. In particular, revisit current data transfer practices, including the extent to which they rely on the SCCs or on the derogations under Article 26(1) of the Data Protection Directive. The fact that an organisation was certified under the EU-US Safe Harbor scheme does not mean that it will automatically comply with the Privacy Shield: the requirements have been strengthened in response to the CJEU's judgment and the recommendations of the DPAs.
Specific rules apply to onward transfers (i.e. transfers of personal data from a certified organisation to a third-party controller or processor), to human resources data collected in the employment context (HR data), to direct marketing, and to pharmaceutical and medical products. It is important to check whether any of these specific issues affect you. For example, if you pass EU data on to third parties, you need to check your agreements with them to ensure they provide the same level of protection as is required by the Principles. If you receive EU HR data in the context of an employment relationship, you must agree to cooperate with the relevant DPAs to resolve any complaints about your use of that data.
The Principles apply immediately upon certification, with one exception. Where an organisation has a pre-existing commercial relationship with a third party, a grace period of up to nine months is allowed for compliance with the Accountability for Onward Transfer Principle, so that the relevant agreements can be amended. To benefit from this grace period, organisations must self-certify within the first two months following the day on which the Privacy Shield becomes effective.
The Privacy Shield requires organisations to provide “robust mechanisms to ensure compliance with the Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies”.
Prior to self-certifying, your organisation will need to identify the recourse mechanism for individuals and the dispute resolution process it will use to handle complaints and disputes. Organisations may designate the panel of EU DPAs or an alternative dispute resolution provider, which can be based in the EU or the US. Existing providers include the Better Business Bureau, TRUSTe, JAMS and the Direct Marketing Association. The US Department of Commerce will be responsible for verifying that this requirement has been met.
The Privacy Shield also requires organisations to provide a "contact point" for any questions or issues raised by individuals or by the dispute resolution provider. In practice, this is likely to be the Chief Privacy Officer or the person responsible for certifying compliance with the Privacy Shield.
Under the Privacy Shield, organisations must comply with the Notice Principle, which includes making their privacy policy public and displaying it on the organisation's website. The information must include: