A leap forward for the EU-US Privacy Shield

Taking advantage of our extra day this month, the European Commission has today issued a press release summarising the steps taken to restore trust in transatlantic data flows following the 2013 surveillance revelations and the 2015 judgment of the CJEU in the Schrems case.

The press release is accompanied by a draft "adequacy decision" as well as the texts that will constitute the EU-U.S. Privacy Shield. This includes the Privacy Principles US companies will have to abide by.  They have also made public the U.S. Government's written commitments on the enforcement of the arrangement.

Press release

The Commission’s press release doesn’t hold back in its description of the Privacy Shield.  It variously refers to “strong obligations”, “stronger protection”, “robust enforcement”, “clear limits and safeguards”, “transparent and effective supervisions mechanisms”, “effective protection of EU individuals’ privacy rights” and “independent oversight” in the materials accompanying the text.

There is clearly a strong desire to move swiftly to implement the Privacy Shield, notwithstanding criticisms levelled from certain quarters.  Recognising the context, the Commission refers to the strong partnership and “strategic relationship” between the EU and the US and, the need to cooperate closely in the fight against common threats, as well as transfer and exchange of personal data forming an essential component underpinning the close links between the EU and the US in the commercial area as well as the law enforcement sector.

At a high-level, according to the press release issued by the Commission, the Privacy Shield:

• seeks to establish that when EU personal data are transferred to the US it will be protected by safeguards equivalent to the data protection standards in the EU;
• addresses the issues identified by the CJEU in its Schrems judgment on 6 October 2015 (Case C-362/14), as well as recommendations made by the Commission in November 2013, and in particular will be guaranteed by strict enforcement and assurances that there will be no indiscriminate or mass surveillance by national security authorities.

More specifically, it includes:

• obligations on companies, including tightened conditions on onward transfers;
• supervision mechanisms, including sanctions;
• limitations and transparency obligations on US government access (backed by written assurances from the Office of the Director of National Intelligence);
• a commitment by the US to establish a redress mechanism through an independent ombudsman, who will follow up complaints and enquiries from individuals;
• a requirement for companies to reply to complaints within 45 days, a free of charge ADR solution, and ultimately a right to go to binding arbitration;
• a right to complain via domestic data protection authorities, who will work with the FTC to ensure unresolved complaints are investigated and resolved; and
• a requirement for companies handling HR data to commit to comply with advice from European DPAs.

The Privacy Shield will be reviewed continuously by the Commission, as well as annually together by the Commission and the US Department of Commerce, to monitor the functioning of the mechanism.  The Commission will also hold an annual summit, with interested NGOs and stakeholders.  It will remain to be seen how efficiently these reviews will operate.

What are the key requirements for US companies? 

US companies must in particular:

• if they want to participate, self-certify annually that they meet the requirements, including in particular compliance with defined privacy principles (the Privacy Principles);
• display a privacy policy on their website, which includes a public commitment to process data in accordance with the Privacy Principles (thus giving those commitments binding force);
• maintain records on the implementation of their policies, which are made available upon request in the context of an investigation or complaint;
• reply promptly to complaints by data subjects (at least within 45 days);
• submit to an independent dispute resolution body, to investigate and resolve individual complaints (unless obviously unfounded or frivolous) and to provide appropriate recourse; and
• if handling HR data, cooperate and comply with advice from European DPAs.

Privacy Principles

The Privacy Principles comprise framework principles, as well as an annex of supplemental principles issued by the US Department of Commerce (annex II).  The Privacy Principles include a set of familiar concepts, namely:

• the notice principle – this includes the requirement to display a privacy policy and provide links to the Department of Commerce website, and the Privacy Shield List;
• the choice principle – this includes a right to opt-out where data is disclosed to third party controllers or is used for a different purpose, as well as a right to opt-in to processing of sensitive personal data;
• the security principle – the requirement here is for “reasonable and appropriate” security measures;
• the data integrity and purpose limitation principle – this includes the concept of data minimisation and data quality, as well as restrictions on secondary processing;
• the access principle – includes the right of subject access (for a non-excessive fee and within a reasonable time), as well as the right of rectification and the right of erasure;
• the accountability for onward transfers principle – includes the requirement to ensure processing takes place on the basis of a contract or (within a corporate group) comparable arrangements; and
• a recourse, enforcement and liability principle – includes a requirement for US companies to have in place robust mechanisms to ensure compliance, and verify compliance (e.g. through independent audit or random checks), as well as recourse for EU data subjects and effective remedies, which may include a right to make complaints through any EU establishment of the US company concerned.

Enforcement

A number of different actors will have a role to play in enforcing the Privacy Shield.

• The independent dispute resolution body must be provided free of charge.  It may be located within the EU or US.  It must be rigorous and able to ensure compliance, including by ordering reversal or correction of the effects of non-compliance and, depending on the circumstances, the termination of processing and/or deletion of data.  It must have the right to publicise findings of non-compliance.  The body must publish statistics regarding the services they have provided.  The body may alternatively be a self-regulatory body.
• The US Department of Commerce has a role to verify compliance with the self-certification framework, conduct compliance reviews of self-certified organisations, and carry out systematic reviews where it receives complaints or where there is evidence of non-compliance.  On a “best efforts” basis, the Department of Commerce will also seek to resolve complaints about non-compliance.
• In the EU, national DPAs also have a role, as individuals will be entitled to make complaints about US companies to their national DPA.  US companies are required to cooperate if the complaint concerns the processing of HR data or if they have voluntarily submitted to oversight by the DPA.
• The FTC will consider referrals of non-compliance with the Privacy Principles received from independent dispute resolution or self-regulatory bodies, the Department of Commerce and national DPAs, to determine whether unfair or deceptive practices have occurred.  The FTC will also provide national DPAs with investigatory assistance.
• The national courts of Member States may consider complaints, if the national DPA has taken no or insufficient action.
• Finally, as a last resort, the data subject may invoke binding arbitration by the “Privacy Shield Panel”.  This will consist of a pool of at least 20 arbitrators designated by the Department of Commerce and the Commission.  The arbitration will take place in the US (usually in English, but interpreters may be provided if reasonably requested), before one or three arbitrators, according to rules agreed by the Department of Commerce and the Commission.  Each party bears their own costs, but a fund will be established to fund legal representation up to a maximum amount.  The Privacy Shield Panel will have the power to impose non-monetary remedies in specific cases to remedy non-compliance.  It will not have the power to award damages (which will only be available through the courts).

The Judicial Redress Act separately provides individuals with the right to pursue claims in the US courts in relation to infringement of privacy rights in respect of personal data transferred to the US for law enforcement purposes.

Next steps

On the EU side, the proposal will be subject to review by a committee, together with national data protection authorities (through the A29 Working Party), which will issue an Opinion (we are told by 12/13 April), before a final decision before the College.  The Commission also proposes to sign the Umbrella Agreement, following agreement by the Parliament and adoption by the Council.  On the US side, preparations will be necessary to put in place the new framework, including monitoring mechanism and the new ombudsman mechanism.