Is the ‘Privacy Shield’ a New Foundation for EU-U.S. Data Flows?
On February 2, the European Commission and the United States government announced an 11th hour agreement in principle to replace the invalidated Safe Harbor, which previously allowed lawful transfers of personal data between the European Union (EU) and the United States. Throwing the legality of trans-Atlantic personal data flows into upheaval, the Court of Justice of the European Union (CJEU) struck down the Safe Harbor in October 2015, finding in part that access to EU personal data afforded to the U.S. intelligence community impermissibly interfered with EU citizens’ privacy rights. In response to the CJEU ruling, EU data protection authorities (DPAs) called on EU Member States, EU institutions, and the U.S. government to “find political, legal and technical solutions enabling data transfers” by the end of January 2016, or risk coordinated enforcement actions.
U.S. and EU negotiators have announced agreement on the broad outlines of a plan to replace the Safe Harbor, but many challenges and risks remain. Few details about the new agreement, which is being called the EU-U.S. Privacy Shield, have been released. U.S. companies therefore have little insight into what their privacy obligations might be, should they choose to use the Privacy Shield. On the other side of the Atlantic, some EU DPAs already have voiced concerns over whether the Privacy Shield adequately protects EU citizens’ privacy rights, or whether it is simply a repackaged Safe Harbor. In fact, a February 3 statement issued by the EU Article 29 Working Party, an advisory group comprised of representatives from EU DPAs, demonstrates that significant uncertainty remains over trans-Atlantic data flows at this time. So, while the agreement is a step forward, U.S. companies should remain cautious.
Below, we highlight some key features of the Privacy Shield based on the limited information that has been made available. We also review the Article 29 Working Party statement, which offers some new insight into enforcement risks and the adequacy of alternative data transfer mechanisms, such as model contractual clauses and binding corporate rules. Finally, we discuss next steps for the Privacy Shield, which still faces a long road to adoption.
The EU-U.S. Privacy Shield
According to the European Commission, the Privacy Shield will include the following elements:
Obligations on U.S. companies and enforcement. Under the Privacy Shield, U.S. companies that receive personal data from the EU will be required to commit to “robust” obligations on how that personal data is processed and how individual rights are guaranteed. The U.S. Department of Commerce will require Privacy Shield companies to publish their privacy commitments, which ensures that they are enforceable under U.S. law by the Federal Trade Commission (FTC). U.S. companies handling EU human resources data also will be required to commit to comply with decisions by European DPAs.
So far, these obligations should sound familiar to companies that previously were enrolled in the Safe Harbor, as they are consistent with long-standing practices under that agreement. However, the Department of Commerce has offered some additional detail on where the new agreement diverges from its predecessor. Specifically, the Department of Commerce has indicated that the Privacy Shield will create “new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies’ agents to improve accountability and ensure a continuity of protection.” The Department of Commerce also has stated that under the new agreement, it will “step in directly and use best efforts to resolve referred complaints, including by dedicating a special team with significant new resources to supervise compliance with the Privacy Shield.”
Safeguards and transparency obligations on U.S. government access. For the first time, U.S. authorities have provided written assurances to the EU that U.S. law enforcement and national security access to EU citizens’ personal data “will be subject to clear limitations, safeguards, and oversight mechanisms.” Specifically, to address concerns raised in the CJEU ruling, the Privacy Shield will ensure that EU personal data will not be subject to “indiscriminate mass surveillance.” Rather, data collections for law enforcement or national security purposes under the new arrangement will be “proportionate” and “only to the extent necessary.” The European Commission and the Department of Commerce will conduct an annual joint review of the functioning of the arrangement, which will include a review of national security access. EU DPAs will be invited to participate in those reviews.
Protection of EU citizens’ rights with several redress possibilities. In perhaps the most significant break from the Safe Harbor, the Privacy Shield will provide EU citizens several avenues for seeking personal redress in the United States. U.S. companies that receive complaints from EU citizens will have deadlines to respond. European DPAs also will be able to refer complaints directly to the Department of Commerce and the FTC. Finally, the Privacy Shield will offer alternative dispute resolution free of charge and an “ombudsperson” for complaints relating to access by national intelligence authorities. According to the Department of Commerce, Privacy Shield companies also will be required to participate in arbitrations “as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies.”
The Article 29 Working Party Statement
EU DPAs comprising the Article 29 Working Party issued a much-anticipated statement on February 3, 2016, the day after EU and U.S. negotiators announced the Privacy Shield deal. The statement “welcomed” the conclusion of negotiations and expressed the Working Party’s anticipation for reviewing the specific contours of the Privacy Shield, so that it can assess whether the new agreement can “answer the wider concerns raised by the [CJEU] judgment.” To that end, the statement called on the European Commission to make all documents pertaining to the Privacy Shield available for review by the end of February.
A key question remains unresolved in the Article 29 statement—namely, whether the deal extends the unofficial moratorium on enforcement actions. In the United States, FTC Commissioner Julie Brill stated that she understood that European DPAs would not bring enforcement actions against companies until the Privacy Shield is fully in place. This statement may be at odds with the February 3 statement by the Article 29 Working Party, which emphasized that U.S. companies no longer can rely on the Safe Harbor for their data transfers from the EU and that “EU data protection authorities will therefore deal with related cases and complaints on a case-by-case basis.”
The Article 29 Working Party statement does provide some guidance to U.S. companies by finding that, while it reviews the Privacy Shield, other transfer mechanisms, such as standard contractual clauses and binding corporate rules, still can be used for lawful personal data transfers to the United States. This is not to suggest that the Working Party has fully blessed these alternative data transfer mechanisms—only that its review is ongoing and it has not found them inadequate.
The Working Party has requested that the European Commission deliver all documents on the Privacy Shield by the end of February. The Working Party then will complete its assessment for all personal data transfers to the United States at an extraordinary plenary meeting around the end of March. After this period, the Working Party plans to consider whether alternative transfer mechanisms, such as model contractual clauses and binding corporate rules, still are valid for data transfers to the U.S.
With respect to the Privacy Shield, the European Commission must prepare a draft adequacy decision for the arrangement, which then could be adopted following consultation with a committee of Member State representatives. In the meantime, the United States must prepare to implement the Privacy Shield and formalize its commitments in writing. The European Commission has expressed its expectation that the Privacy Shield can be adopted within three months. Until then, U.S. companies should consider using alternative mechanisms to transfer data to the U.S. and carefully monitor developments.
For more information on these and other data transfer issues, please contact Amy E. Worlton or Umair Javed.