For two and a half years, the EU and US have been negotiating new arrangements to permit the transfer of data from the EU to America. This process was given added impetus by the invalidation of the Safe Harbor arrangements by the Court of Justice of the EU on 6 October 2015 in the Schrems ruling (Case C-362/14).
The final form of Privacy Shield was adopted by the EU Commission on 12 July 2016. In doing so, the EU Commission has issued an Adequacy Decision confirming that the US ensures an adequate level of protection for personal data transferred from the EU to US organisations who have signed up to Privacy Shield. The arrangements also seek to address concerns about the US Government’s Intelligence gathering activities. The Adequacy Decision takes effect in the EU immediately.
In its press release accompanying the Adequacy Decision the EU Commission describes Privacy Shield as “robust”. This is no doubt with one eye on some critical comments from EU data protection regulators (the Article 29 Working Party), the European Data Protection Supervisor and the EU Parliament of the earlier draft version of the arrangements. The EU Commission says that it has listened to those criticisms and re-negotiated elements of Privacy Shield to address them.
Privacy Shield applies to organisations which are data controllers or data processors. It is a scheme under which US organisations self-certify compliance with some of the EU data protection principles and subject themselves to oversight, principally by US regulators. Once certified, EU organisations can transfer personal data to that organisation without being in breach of the restrictions against transfers of personal data outside the EU. Privacy Shield will also apply to EEA transferring countries (Norway, Iceland and Lichtenstein) once an additional step is taken by the EEA Joint Committee to adopt it.
Privacy Shield will sit alongside other existing mechanisms which validate transfers of personal data from Europe to America, such as EU Model Clauses. It therefore potentially offers more choice to organisations on both sides of the Atlantic, but US organisations will have to think very carefully before signing up to the new arrangements because they are very onerous and likely to be tested.
The key provisions of Privacy Shield consist of:
- More onerous commitments on US organisations who sign up to Privacy Shield. These include:
- Prescribed information to be contained in privacy policies and complied with;
- a modified form of subject access request for individuals;
- commitments on the length of time data will be held;
- commitments on data security; and
- restrictions on onward transfers of data from Privacy Shield signatories to third parties, like sub-processors.
- In addition, there is a right for individuals to take complaints directly to the US organisations who then have to respond substantively within 45 days, with subsequent redress mechanisms all the way up to an Arbitration process.
- Redress for EU individuals concerned about the processing of their data for Intelligence purposes through an Ombudsperson Scheme set up within the US Department of State, but independent from the US intelligence services. The first Ombudsperson is Under Secretary of State, Catherine Novelli. The US has also ruled out indiscriminate mass surveillance of transferred data.
- Commitments from the US Department of Commerce (DOC) and US Federal Trade Commission (FTC) to effectively monitor and enforce the obligations entered into by US organisations signing up to Privacy Shield. The DOC has committed to conduct regular reviews of companies participating in the scheme.
- An Annual Review mechanism between the EU and US to ensure that Privacy Shield is working effectively. If the EU believes it is not then it has the power to suspend or repeal Privacy Shield.
What to do next
From the point of view of EU/EEA based organisations, they should wait to see the extent to which counter-parties in America adopt Privacy Shield. If they do so then EU/EEA organisations transferring personal data to those US organisations will not be in breach of EU/EEA Data Protection law.
From the American perspective, organisations can sign up to Privacy Shield from 1 August 2016. The DOC has issued Guidance on how to do this (read the DOC Guidance).
As the Guidance makes clear, only US organisations that are subject to the jurisdiction of the FTC or the US Department of Transportation (DOT) may participate in the Privacy Shield. The Privacy Shield Team at the DOC can provide further information if an organisation is unsure about whether it falls within this jurisdictional gateway. However, for example, large parts of the financial services sector will not be covered by the scheme as they are not regulated by either body.
Will the Privacy Shield be effective?
Whether the Privacy Shield arrangements will prove effective and long-lasting depends on a number of factors:
- US organisations will have to carefully consider whether to sign up. The commitments placed on US organisations are onerous and are likely to involve, for example, re-negotiation of contracts with sub-processors used by them (a “grace period” of up to nine months to do this is provided for in the Privacy Shield arrangements provided the US organisation signs up to Privacy Shield by 1 October 2016). US organisations who sign up are almost certain to come under close scrutiny for the reasons explained below and it is likely that this will involve a considerable commitment of resources. Some might decide to sit this out and continue to rely on other transfer mechanisms (such as EU Model Clauses) until Privacy Shield is seen to work or until the current challenge from the Irish Data Protection Regulator to the validity of EU Model Clauses is determined. This could all take some time;
- We expect challenges to be made against US organisations who sign up. These will be likely to not only test compliance by those organisations but also the effectiveness of redress mechanisms operated by them and the US bodies tasked with oversight and enforcement;
- Similarly, we expect challenges to US National Intelligence gathering through the Ombudsperson scheme to test its effectiveness and its independence;
- We also expect a further challenge in the EU to the structure of the arrangements, which could find its way to the Court of Justice of the EU over the course of the next year or so. That challenge is likely to involve a more critical look at US Intelligence gathering, rather than an implicit acceptance that mass surveillance takes place - in the materials accompanying the Adequacy Decision there is an emphasis on the US Intelligence community wishing to set the record straight on what it actually does by way of Intelligence gathering and the oversight over those activities. This topic also looks set to be debated in the Irish challenge to Model Clauses, given the US Government’s intervention in that case. We expect as well that there is also likely to be more emphasis on the question of whether equivalent Intelligence gathering takes place in the EU and the oversight provided in that respect.
- The first EU/US Annual Review will also be critical. There is likely to be a great deal of pressure on the US authorities and the EU Commission to show that Privacy Shield is effective. The EU Commission says that the Privacy Shield is a robust framework or system. Whether that is the case is likely to be down to effective enforcement of its terms. Ultimately, the EU/US Annual Review mechanism is designed to ensure that. What will feed into this is whether the various mechanism for redress and complaint work satisfactorily on a day-to-day basis. However, this will depend on the approach taken by organisations signing up to the Privacy Shield and US agencies with the main oversight and enforcement functions (principally the DOC and FTC, along with the Ombudsperson Scheme set up to deal with National Intelligence gathering activities).