Oct. 6, 2015, marked the day that the European Court of Justice declared the fundamental data transfer and privacy protection rules of the Safe Harbor agreement invalid. Since that day, the European Union and the United States have been in talks to create a new framework that will satisfy European privacy regulations and permit European data to be transferred back and forth legally between nations. They are calling this new framework the “Privacy Shield.” In a Feb. 2, 2016, news release, Commissioner Vera Jourová, who represents the EU, said, "The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to U.S. companies.”
There have been a series of discussions between the EU and the U.S., and many feel strong improvements have been provided in the new Privacy Shield framework. However, some European authorities have raised concerns about parts of the European Commission’s draft adequacy decision on the framework. Under the negotiated framework, U.S. multinational organizations will face a series of challenges to step up privacy and data protection to comply with EU privacy laws. Those challenges may be greater if the commission makes the framework revisions suggested by the Article 29 Working Party (WP29), the European Parliament, and the European Data Protection Supervisor (EDPS).
The Privacy Shield contains many of the same components as its Safe Harbor predecessor. It contains principles that organizations must follow and involves a self-certification process requiring organizations to be registered with the U.S. Department of Commerce (DOC), as well as the publication of a Privacy Shield compliance list on the DOC website. Following are some key areas in which the Privacy Shield takes matters one step further, yet not far enough for some European authorities.
- Independent oversight: The DOC will be in charge of administering and monitoring the Privacy Shield. The intent is to appoint an ombudsperson to handle all complaints of European individuals regarding the access of their personal information. This new ombudsperson mechanism will be completely independent of U.S. national security services and will promote transparency for EU citizens concerning U.S. government access to their personal data.
However, the WP29 expresses concern “that this new institution is not sufficiently independent and is not vested with adequate powers to effectively exercise its duty and does not guarantee a satisfactory remedy in case of disagreement.” The European Parliament and the EDPS agree with this assessment, and all three authorities recommend further development of the specific role of the ombudsperson.
- Oversight and monitoring: The DOC will cooperate with data protection authorities and conduct annual joint reviews to monitor the functioning of the Privacy Shield. The arrangement will be transparent and monitored through supervision mechanisms. A public report of the results of the annual review will be issued to the European Parliament and European Council.
While the WP29 views the annual joint review as “a key factor to the overall credibility of the Privacy Shield,” it also calls for a “clarification of the exact arrangements” of the review, a call echoed by Parliament and the EDPS.
- Update to the principles: The Privacy Shield principles are similar in name to the Safe Harbor principles. However, the Privacy Shield requirements go beyond the old Safe Harbor requirements to align more closely with the heightened requirements of the General Data Protection Regulation (GDPR) due to go into effect in May 2018.
Because the Privacy Shield is to be implemented by controllers in the U.S. less than one year prior to the implementation of the GDPR, the EDPS recommends that the commission “comprehensively assess the future perspectives since its first report, to timely identify relevant steps for longer term solutions to replace the Privacy Shield, if any, with more robust and stable legal frameworks to boost transatlantic relations.” Despite the difficulties of not having a legal framework for data transfer in the short term, it would be beneficial to U.S. organizations in the long run if the Privacy Shield were to include requirements that would not need to be revised when the GDPR goes into effect.
- Provision for outside compliance review: Public acknowledgement and self-certification of companies complying with the Privacy Shield will follow a similar process to the one defined in the Safe Harbor agreement. U.S. companies that wish to participate in data transfer with the EU will be required to publicly declare that they are adhering to the standards and principles set forth in the Privacy Shield. Those companies also will be required to self-certify and maintain full compliance for as long as they continue to process and collect personal data of EU citizens. However, unlike Safe Harbor, the Privacy Shield provides organizations with the formal option of an outside compliance review in which an independent consulting firm is engaged to assess compliance with the Privacy Shield. This option allows organizations to officially record an independent validation of their compliance.
- Separate rules for transferring human resource data: Employers will have greater flexibility under the Privacy Shield when transferring personnel data associated with employee management events such as security investigations, grievance proceedings, and corporate reorganizations. Notice and choice agreements on EU citizen data may be exempt in this instance, so that organizations may not have to notify EU citizens about how their data is being used nor obtain consent for the transfer of that data to a third party.
- U.S. government access of EU data: The U.S. government has provided written assurances that access of personal information of European citizens will be based on appropriate safeguards and mechanisms preventing generalized access to personal data. This assurance is in response to concerns that the U.S. government was circumventing privacy protections and requiring the release of EU data sets outside the parameters of the Safe Harbor agreement.
However, in its recommendations for revisions to the Privacy Shield text, the WP29 calls for specific language addressing the “massive and indiscriminate collection of personal data originating from the EU,” while the EDPS would like the commission to send a “stronger signal” to U.S. authorities about the indiscriminate collection of data. How the commission will choose to address these concerns remains to be seen.
Because Europe maintains stricter privacy regulations than the United States, many businesses now find their hands tied when handling data managed under the defunct Safe Harbor agreement. Currently without any sort of agreement in place, many U.S.-based companies are stuck between a rock and a hard place trying to figure out how to maintain business as usual while not breaking any laws or invoking fines from the Federal Trade Commission. As a Feb. 25, 2016, article in Fortune states, some organizations are already facing the consequences: “According to [Hamburg] media, the Hamburg data protection authority is preparing to fine three companies for relying on Safe Harbor as the legal basis for their transatlantic data transfers. Two other firms are also under investigation.”
While organizations in the U.S. await the European Commission’s response to calls for improvements to be made to the Privacy Shield framework and for the newly revised text to be ratified, model clauses and binding corporate contracts are the interim solution in the absence of Safe Harbor. However, there has been speculation that EU privacy regulators may also call into question the legality of these agreements. Organizations should continue to monitor the EU privacy landscape diligently and with the assistance of their general counsel.
How is your organization handling the transfer of EU citizen data during this interim period?