On July 12, 2016, EU and U.S. officials announced the final approval of the EU-U.S. Privacy Shield Agreement (“Privacy Shield”). As discussed in our earlier client memos on February 2 and March 3, Privacy Shield is designed to replace the previously invalidated EU-U.S. Safe Harbor regime (“Safe Harbor”) and enable the trans-Atlantic transfer of personal information from the EU to the United States in a way that meets the “adequacy” standard under EU Directive 95/46/EC for such transfer to third countries. The announcement of final approval of Privacy Shield comes after the European Commission formally adopted the Final Adequacy Decision on the framework. The Final Adequacy Decision expands on the Draft Adequacy Decision and related documents released on February 29, 2016.
Our March 3 client memorandum set out the details of Privacy Shield based on the Draft Adequacy Decision. By and large, the framework has not changed – the final framework is built on the same seven privacy principles and the same enforcement mechanisms as the draft. However, as we detail below, the Final Adequacy Decision expands on certain points and revises others in response to critiques from the Article 29 Working Party and other parties.
Privacy Principles and Enforcement – Framework Basics
As we explained in our March 3 client memorandum, companies that participate in Privacy Shield will have to commit to abide by seven principles set forth in the Adequacy Decision (the “Privacy Principles”):
- Choice Principle. Consumers must be able to opt out of any sharing of personal data with a third party (other than an agent acting on behalf of the company) or any use of data for a purpose that is “materially different” from the one for which it was collected. Also, companies must obtain affirmative express consent (i.e., opt in) for the sharing or a materially different use of sensitive data.
- Security Principle. Companies creating, maintaining, using or disseminating personal data must take “reasonable and appropriate” security measures that account for the risks related to the nature of the data and its processing.
- Data Integrity and Purpose Limitation Principle. Personal data collected by companies must be relevant, reliable, accurate, complete and current.
- Access Principle. Consumers have the right to obtain confirmation of whether a company is collecting personal data related to them and to see that data within a reasonable time frame. This right may be restricted only in exceptional circumstances. Further, consumers must be able to correct, amend or delete personal information where it is inaccurate or collected in violation of the Privacy Principles.
- Accountability for Onward Transfer Principle. Any transfer of a consumer’s personal data from a company to a different controller or processor can take place only where the transfer is (i) for limited and specified purposes, and (ii) on the basis of a contract (or comparable arrangement) that provides for the same level of protection.
- Recourse, Enforcement and Liability Principle. Participating companies must provide robust mechanisms to ensure compliance with Privacy Shield and recourse – including appropriate remedies – for EU data subjects. The Final Adequacy Decision highlights the same avenues for recourse mentioned in the Draft Adequacy Decision:
- companies must implement an effective internal mechanism to deal with complaints, including by having a point of contact, either within or outside the company, that will handle complaints;
- companies also must designate an independent dispute resolution body (in either the United States or the EU) to investigate and resolve individual complaints;
- companies must cooperate with the investigation and resolution of any complaints pursued by EU national data protection authorities (“DPAs”) if the complaints concern processing of human resources data collected in the context of an employment relationship, or if the company has voluntarily submitted to oversight by the DPAs;
- Commerce will verify that companies’ privacy policies conform to the Privacy Principles, maintain an updated list of participating organizations, and increase its enforcement and monitoring capabilities;
- the Federal Trade Commission will give priority consideration to complaints implicating Privacy Shield to determine whether Section 5 of the FTC Act has been violated; and
- if no other available avenue of redress has satisfactorily resolved the EU data subject’s complaint, the individual may invoke binding arbitration by a newly established “Privacy Shield Panel” whose findings can be enforced in the U.S. under the Federal Arbitration Act.
New Information in the Final Adequacy Decision
Following the release of the Draft Adequacy Decision earlier this year, the Article 29 Working Party and others offered their opinions on the various components of Privacy Shield, and this led to a number of tweaks, revisions, and expanded explanations of how the Privacy Principles will work in practice and what the expectations will be for companies that certify compliance with Privacy Shield. Some of those tweaks include:
- Data Integrity. The Final Adequacy Decision expands on the Data Integrity and Purpose Limitation Principle by highlighting that companies may not process or use personal data in a way that is incompatible with the purpose for which the data was originally collected. Companies may retain personal data – in an individual identifiable form – for only as long as the data serves the purpose for which it was collected.
- Access. The Final Adequacy Decision discusses concerns with the use of data in automated decision-making processes, and concludes that both the EU and the United States will monitor developments and discuss the practices as part of the first annual review of Privacy Shield. The decision highlights U.S. laws – such as the Fair Credit Reporting Act and the Fair Housing Act – that offer protections against adverse decisions and provide individuals with the right to be informed of the specific reasons underlying those decisions so they can dispute incomplete or inaccurate information and seek redress. However, there are some situations in which processing will result in an automated decision that is not covered by those protections. The Privacy Shield annual review could result in additional protections related to automated decision-making processes.
- Onward Transfer. One of the issues raised by the Article 29 Working Party involved questions about the extent to which data that was transferred to additional parties retained the protections afforded by Privacy Shield. The Final Adequacy Decision clarifies that to transfer a consumer’s personal data to a third party acting as an agent a company must:
- transfer the data only for limited and specified purposes;
- determine that the agent is obligated to provide at least the same level of privacy protection required by the Privacy Principles;
- take reasonable steps to ensure that the agent effectively processes the personal data transferred in a manner consistent with obligations under the Privacy Principles;
- require the agent to notify the company if the agent determines that it can no longer meet the obligations of the Privacy Principles;
- upon that notice, take reasonable steps to stop and remediate unauthorized processing of the date; and
- provide a summary or a copy of the relevant privacy provisions of the company’s control with the agent to Commerce upon request.
- Enforcement. Another issue raised by the Article 29 Working Party was whether the various means of recourse available to EU data subjects were sufficiently clear and easy to use. In response, the Final Adequacy Decision highlights the potential use of EU national DPAs to pursue complaints if the complaint concerns processing of human resources data collected in the context of an employment relationship, or if the company at issue has voluntarily submitted to oversight by the DPAs. During the DPA oversight process, companies must respond to inquiries from the DPA, comply with advice from the DPA, and provide written confirmation of the steps taken to comply with that advice. If a company fails to comply with the advice of the DPA, the DPA will submit the matter to the Federal Trade Commission. Furthermore, if a DPA does not take sufficient steps, the EU data subject may take the matter to the member state court. The benefit to companies of voluntarily submitting to DPA oversight is that consumers would not be able to invoke the Privacy Shield Panel for enforcement.
Other Oversight – the Privacy Shield Ombudsperson
One of the most interesting components of Privacy Shield is the creation of the new Privacy Shield Ombudsperson. The Privacy Shield Ombudsperson will be a Department of State Undersecretary with the authority to investigate complaints related to use of Privacy Shield data by national security and intelligence agencies. The Ombudsperson will work with the Privacy and Civil Liberties Oversight Board and the Inspectors General community to ensure that U.S. privacy laws continue to meet the EU’s adequacy requirement. Although this position promises to play a key role in the overall success of Privacy Shield – as discussed in our previous client memos, questions regarding access to information by the U.S. public safety and national security agencies have been central to the issue of whether Privacy Shield will be able to survive judicial scrutiny – the Privacy Shield Ombudsperson will not serve as an enforcement mechanism vis-à-vis private parties’ compliance with Privacy Shield.
EU and U.S. officials have engaged in a very thorough roll-out of Privacy Shield, with each side putting out its own Fact Sheet (EU, U.S.) and set of FAQs (EU, U.S.). Now that Privacy Shield has been approved on the EU side, Commerce will publish the framework in the Federal Register. Companies now have an opportunity to review the framework and update their compliance programs, privacy notices and other data-handling policies, and will be able to submit their certifications of compliance to Commerce starting August 1. Concurrently, the European Commission will publish a short guide for EU citizens explaining the available remedies in case an individual believes that his or her personal data has been used without taking into account the data protection rules.
While Privacy Shield will almost certainly face a legal challenge in the European Court of Justice, the final adoption is a welcome relief to many on both sides of the Atlantic. With Safe Harbor invalidated and Model Contractual Clauses under legal attack in the EU, we believe Privacy Shield is currently the best avenue for parties to undertake the important data transfers that have become the heart of the trans-Atlantic trade.