Overview
As we discussed in our October 7, 2015 Client Memorandum, the October 6, 2015 decision by the European Court of Justice (“ECJ”) to invalidate the EU-U.S. Safe Harbor framework has created significant uncertainty for the nearly 5,000 companies that have used that framework for the last 15 years to protect data transfers from EU member states to the United States. In a statement shortly after the decision was released, the Article 29 Working Party (a group comprised of representatives of EU member states, EU institutions, and the European Commission (“EC”) to provide advice on data protection and privacy issues) announced that it would begin taking necessary actions, potentially including enforcement actions, by the end of January 2016 if the U.S. and EU failed to reach an agreement.1 Consistent with that announcement, EU member states’ data protection authorities (“DPAs”) have yet to take any enforcement actions based on the invalidation of the Safe Harbor regime. Over the last three months, representatives from the U.S. Government, the EC, and various EU member states have been negotiating to reach the deadline imposed by the Article 29 Working Party.
Earlier today, EC Vice President Andrus Ansip and European Commissioner for Justice Vĕra Jourová announced that an agreement had been reached, and that the new regime would be called the “EU-U.S. Privacy Shield.” In this memo, we will outline the primary elements of the agreement announced today, and identify important considerations for companies moving forward. In particular, it is important for companies to keep in mind that the announcement of an agreement has no binding legal effect.
The Elements of the EU-U.S. Agreement
The decision invalidating the Safe Harbor framework rested largely on the ECJ’s negative answer to the question of whether that framework provided EU citizens with “adequate” protections. As the Article 29 Working Party explained, “the question of massive and indiscriminate surveillance is a key element of the Court’s analysis.” In a presentation yesterday to the European Parliament Committee on Civil Liberties, Justice and Home Affairs, Commissioner Jourová also highlighted issues related to opportunity for resolution of individual complaints, including the opportunity for judicial redress.
These concerns were reflected in the elements of the agreement announced by Commissioner Jourová. Specifically, the agreement has three main elements:
- Handling Europeans’ personal data. According to the EC press release, U.S. companies transferring personal data from Europe will need to commit to satisfying robust obligations regarding how that data is processed. The Department of Commerce and Federal Trade Commission will monitor and enforce these commitments. And any company handling human resources data from Europe must commit to comply with decisions by European DPAs.
- U.S. Government access to data. The press release states that the U.S. has given the EU written assurances that access to information by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms. There will be an annual joint review conducted by the EC and the Department of Commerce to ensure that the agreement is functioning.
- Protection of EU citizens’ rights. Under the agreement, EU citizens who believe that their data has been misused will have several redress possibilities, and companies to which complaints are directed will have deadlines to respond to such complaints. European DPAs would be able to refer complaints to the Department of Commerce and the Federal Trade Commission. And for complaints of suspected access to information by national intelligence authorities in the U.S., a new Ombudsperson will be created within the U.S. Department of State.
What’s Next?
There is still much work to be done. On the EU side, Vice President Ansip and Commissioner Jourová must prepare a draft “adequacy decision” in the coming weeks. Moreover, any agreement must move through proper channels before it becomes binding law, and an increasing number of critics are already mounting an opposition movement and voicing their displeasure, questioning whether the agreement will withstand scrutiny by the ECJ. Commissioner Jourová said that she believes the implementation of the Privacy Shield regime will take three months.
On the U.S. side, the Department of Commerce and other agencies have significant work to do to install the new framework, including creating new monitoring mechanisms and establishing and selecting the new Ombudsperson. Commerce Secretary Penny Pritzker spoke to reporters after the announcement by the EU officials to reinforce the U.S. Government’s commitment to the new regime. According to reports, she said that the Commerce Department will soon be offering a series of briefings for companies on the details of the agreement, and that there will be a transition period to allow companies to undertake compliance efforts and implement any changes necessary under the new regime.
What Should You Do?
Despite the announcement of the EU-U.S. Privacy Shield agreement, the legal state of play has not changed since our October 7, 2015 Client Memorandum and, as such, neither has our top-line message: unless specifically authorized by national data protection authorities, neither the Safe Harbor framework nor the Privacy Shield program is currently a legitimate basis for the transfer of personal data from the EU to the United States. While the announcement of the agreement may give some DPAs reason to hold off on enforcement or other measures, there is still the expectation that some DPAs will approach companies that have been using the Safe Harbor to assess whether alternative legitimate bases are now used for EU-to-U.S. data transfers. Consequently, companies that have been using the Safe Harbor need to analyze and implement alternative mechanisms going forward, at least until a new agreement is reached. As we described in the October 7 Memo, the primary alternatives include:
- Model Contracts. The EU Model Contracts provide a set of standard clauses, approved and published by the EC, for the transfer of personal data between an EU data controller and a U.S. data controller or between an EU data controller and a U.S. processor (i.e., vendor). However, model contract clauses cannot be altered. The current advantage of this option is that the model clauses are based on a valid decision of the EC, which must be presumed to be lawful.
- Binding Corporate Rules (“BCRs”). BCRs are internal company regulations governing how the flow of personal data is organized and the rights of concerned individuals are protected. BCRs can be adapted to the specific needs of the company, but are subject to governmental approval, which is a complicated process that typically has taken years (as a result, only a small number of companies have adopted BCRs). Moreover, the German authorities are currently very reluctant to approve BCRs.
- Notice and Consent. Providing clear notice and obtaining the unambiguous and explicit consent of the individuals whose personal data is being transferred remains a viable strategy for complying with data transfer rules. However, we recognize that this is not always the most practical solution, as consent can be difficult to obtain in certain circumstances, and some European DPAs (e.g., Germany) discourage use of consent in certain situations.
- Statutory Exceptions. Certain statutory exceptions may apply in countries that permit transfers of personal data if specified conditions are met. However, these exceptions are very fact-specific and often narrowly construed by EU regulators.
- Anonymization/Pseudonymization. Depending on how the data is intended to be used, companies may consider anonymizing or psuedonymizing their data prior to transfer. Such an approach could be useful for audits, research, or other tasks where the analysis of the data is focused on relationships and trends, and not necessarily on the identity of a particular individual. However, companies need to be sure that the process of anonymization successfully de-identifies the individuals. Importantly, this approach is recommended by some of the German data protection authorities.
As each of these options has pros and cons, companies should carefully weigh the different options in light of the particular data, organizations, and purposes of the transfers at issue.
As described above, both the U.S. and the EU have significant work to do to finalize the EU-U.S. Privacy Shield regime and give it the force of law. Over the coming months, we will continue to provide updates as developments warrant.
Click here to download this article.
1 Statement of the Article 29 Working Party, available here (Oct. 16, 2015).