U.S. companies seeking to transfer personal data from Europe into the United States have their first detailed look at a proposed new transatlantic data transfer framework that would bring with it stringent new data privacy compliance obligations.
After two years of intense negotiations, the European Commission and the U.S. Department of Commerce last month approved a draft framework of the EU-U.S. “Privacy Shield” for the transatlantic exchange of personal data. Before it can become binding, the draft must be reviewed by EU data protection authorities (Article 29 Working Party) and EU member states representatives.
As any compliance officer knows, the most important part will be the implementation of the Privacy Shield’s principles, says Tanya Forsheit, a partner with law firm BakerHostetler. “What are your actual practices? Are they consistent with what you’re representing? That is going to be subject to the most scrutiny,” she says.
The Privacy Shield will replace the Safe Harbor Framework, which was invalidated by the European Court of Justice in October 2015 in the case Schrems v. Data Protection Commissioner. The decision effectively meant that personal data transferred from Europe to the United States was no longer presumed to be adequately protected, leaving the nearly 4,500 companies that self-certified under the Safe Harbor principles in a state of limbo.
Companies seeking to transfer data from Europe into the United States will be required to self-certify to the Commerce Department, publicly commit to comply with the Privacy Shield’s requirements, and re-certify at least annually. The Commerce Department will maintain an online register of organizations that have successfully certified to the Privacy Shield.
Safe Harbor vs. Privacy Shield
At first glance, the major principles in the Privacy Shield bear a strong resemblance to those in the Safe Harbor. For compliance officers, however, the devil is in the details.
In fact, the Privacy Shield will introduce substantial changes for data protection, including stricter and more burdensome compliance obligations on U.S. companies to protect the personal data of Europeans and stronger monitoring and enforcement by both the U.S. Department of Commerce and Federal Trade Commission.
At its core, the Privacy Shield will require companies to provide notice to EU citizens regarding how their data is collected and processed. Individuals must also be provided with the choice to “opt-out” when their personal data is shared with third parties or used in ways “materially different” from its original purpose.
One of the most significant changes is the “onward transfer” principle. Under the previous Safe Harbor, companies transferring data to a third-party controller had to provide notice and choice prior to disclosing personal information, with one exception: This requirement did not apply if the third party was a “data processor,” acting as an agent to perform tasks on behalf of and under the instruction of the company.
For sharing data with data processors, companies were required to “ascertain that the third party certified to Safe Harbor principles or another adequacy finding” or enter into a “written agreement requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.”
The Privacy Shield, in comparison, will explicitly require companies transferring data to enter into a contract with the third-party controller that provides that the data may only be processed for limited and specified purposes consistent with individual consent and that the recipients will provide the same level of protection as the Privacy Shield principles.
Below is a description of the seven privacy principles spelled out in the draft adequacy decision.
Under the Notice Principle, organizations are obliged to provide information to data subjects on a number of key elements relating to the processing of their personal data (e.g. type of data collected, purpose of processing, right of access and choice, conditions for onward transfers and liability). Further safeguards apply, in particular the requirement for organizations to make public their privacy policies (reflecting the Privacy Principles) and to provide links to the Department of Commerce’s website (with further details on self-certification, the rights of data subjects and available recourse mechanisms), the Privacy Shield List referred to in recital and the website of an appropriate alternative dispute settlement provider.
Under the Choice Principle, data subjects may object (opt out) if their personal data shall be disclosed to a third party (other than an agent acting on behalf of the organization) or used for a “materially different” purpose. In case of sensitive data, organizations must in principle obtain the data subject’s affirmative express consent (opt in). Moreover, under the Choice Principle, special rules for direct marketing generally allowing for opting out “at any time” from the use of personal data apply.
Under the Security Principle, organizations creating, maintaining, using or disseminating personal data must take “reasonable and appropriate” security measures, taking into account the risks involved in the processing and the nature of the data. In the case of sub-processing, organizations must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the Privacy Principles and take steps to ensure its proper implementation.
Under the Data Integrity and Purpose Limitation Principle, personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organization may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorized by the data subject.
Under the Access Principle, data subjects have the right, without need for justification and only against a non-excessive fee, to obtain from an organization confirmation of whether such organization is processing personal data related to them and have the data communicated within reasonable time. This right may only be restricted in exceptional circumstances; any denial of, or limitation to the right of access has to be necessary and duly justified, with the organization bearing the burden of demonstrating that these requirements are fulfilled. Data subjects must be able to correct, amend or delete personal information where it is inaccurate or has been processed in violation of the Privacy Principles.
Under the Accountability for Onward Transfer Principle, any onward transfer of personal data from an organization to controllers or processors can only take place (i) for limited and specified purposes, (ii) on the basis of a contract (or comparable arrangement within a corporate group) and (iii) only if that contract provides the same level of protection as the one guaranteed by the Privacy Principles. This should be read in conjunction with the Notice and especially with the Choice Principle, according to which data subjects can object (opt out) or, in the case of sensitive data, have to give “affirmative express consent” (opt in) for onward transfers. Where compliance problems arise in the (sub-) processing chain, the organization acting as the controller of the personal data will have to prove that it is not responsible for the event giving rise to the damage, or otherwise face liability.
[U]nder the Recourse, Enforcement and Liability Principle, participating organizations must provide robust mechanisms to ensure compliance with the other Privacy Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. Once an organization has voluntarily decided to self-certify under the EU-U.S. Privacy Shield, its effective compliance with the Privacy Principles is compulsory. To be allowed to continue to rely on the Privacy Shield to receive personal data from the Union, such organization must annually re-certify its participation in the framework. Also, organizations must take measures to verify that their published privacy policies conform to the Privacy Principles and are in fact complied with. This can be done either through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the organization’s privacy policies and that compliance is periodically reviewed in an objective manner, or outside compliance reviews, the methods of which may include auditing or random checks.
Source: European Commission
For transferring data to data processors, companies must meet a host of new requirements, including ensuring that the processor provides the same level of protection as required by the Privacy Shield’s principles. If the agent processes personal data in a manner inconsistent with the Privacy Shield’s principles, the company will be liable, unless it can prove that it was not responsible.
Many companies already have “very tight and very comprehensive” onward transfer agreements that meet the adequacy requirements of the Privacy Shield and further have all those agreements centralized in one place, says Robin Campbell, senior counsel and co-chair of the privacy and cyber-security group at law firm Crowell & Moring. For those who don’t already have such mechanisms in place, “that’s going to be a big change,” she says.
If they don’t do so already, companies will have to implement mechanisms to keep better track of their data flows. “What employee and consumer data are you getting from Europe?” asks Forsheit. Even companies that are not consumer-facing need to think about the Privacy Shield principles with respect to both employee and corporate customer data, she says.
The price of complying with the new principles depends on each company’s level of preparedness. If companies are making the shift directly from the Safe Harbor to the Privacy Shield, “the costs would not be too significant,” says Campbell.
Costs aside, the administrative burdens will be enough to make any compliance officer cringe. One burdensome obligation, for example, requires companies to provide a summary or a representative copy of the relevant privacy provisions of their contracts with data processors to the Commerce Department upon request, and to respond promptly to inquiries and requests for information relating to the Privacy Shield framework.
EU citizens will have multiple avenues through which they can seek recourse from companies that may have violated their rights under the Privacy Shield, significantly increasing the prospect for more liability, including more enforcement actions and greater accountability.
For example, the Privacy Shield encourages individuals to raise any concerns or complaints with the company itself, which must then respond within 45 days. A free-of-charge Alternative Dispute Resolution mechanism will be available, which might not be a big change for many companies. “Many of our clients were already offering dispute resolution that was free of charge and easily accessible to individuals,” says Campbell.
EU citizens can also go to their national data protection authorities, who will work with the Commerce Department and FTC to ensure that unresolved complaints are investigated and resolved. If a case is not resolved by any of the other means, an enforceable arbitration mechanism will be provided as a last resort. Furthermore, companies can commit to comply with advice from European data protection authorities, which is mandatory for companies handling HR data.
“Now more than ever, companies need to be vetting their practices with respect to data,” says Forsheit. Additionally, it will be important to impose appropriate disciplinary measures, establishing internal accountability for the mishandling of data, she says.
Not all recourse mechanisms allow for the recovery of damages. Companies may also be required to delete an individual’s data, become subject to regular audits or the oversight of practices, and other types of remedies.
Currently, the draft details of the Privacy Shield are under review by EU member state representatives. The EU’s Article 29 Working Party, which is also reviewing the draft, announced that it will render a non-binding opinion at its plenary meeting in April. From there, the full European Commission will formally vote on the adequacy of the Privacy Shield program, at which point it will take effect.
That means companies still have several months before they can actually self-certify to the Privacy Shield, if they deem that to be the best option. “For now,” Forsheit says, “organizations need to continue to implement standard contractual clauses both for intra-company transfers and transfers between controllers and processors in order to make those transfers legal.”