On February 29, 2016, the European Commission issued the legal texts that will implement the EU-U.S. Privacy Shield. These texts include a draft adequacy decision from the European Commission, Frequently Asked Questions and a Communication summarizing the steps that have been taken in the last few years to restore trust in transatlantic data flows.
The agreement in support of the new EU-U.S. transatlantic data transfer framework, known as the EU-U.S. Privacy Shield, was reached on February 2, 2016, between the U.S. Department of Commerce and the European Commission. Once adopted, the adequacy decision will establish that the safeguards provided when transferring personal data pursuant to the new EU-U.S. Privacy Shield are equivalent to the EU data protection standards. In addition, the European Commission has stated that the new framework reflects the requirements that were set forth by the Court of Justice of the European Union (the “CJEU”) in the recent Schrems decision.
The EU-U.S. Privacy Shield
The new framework provides a response to the concerns that have been raised by the European Commission and the CJEU with respect to transatlantic data transfers. It contains stronger commitments that must be undertaken by companies in the commercial sector, but also significant commitments with respect to the U.S. government’s access to personal data. The four most important aspects of the Privacy Shield are:
Enhanced obligations on companies and robust enforcement. Companies that are willing to transfer personal data from the EU to the U.S. must accept more stringent obligations regarding the processing of personal data and how individuals’ rights are guaranteed. Among other limitations introduced by the new framework, onward data transfers will be subject to more onerous requirements and liability provisions.
In addition, the Privacy Shield will include stricter oversight mechanisms to help ensure companies abide by their commitments, including regular monitoring by the U.S. Department of Commerce. In addition, companies will face severe sanctions or exclusion from the framework if they fail to comply.
Limits and safeguards regarding access to personal data by the U.S. government. The European Commission has obtained written assurances from the U.S. government (i.e., the Department of Justice and the Office of the Director of National Intelligence) that access to personal data by government authorities for law enforcement, national security and other public interest purposes will be subject to clear limitations, safeguards and oversight mechanisms.
Effective protection of EU citizens’ privacy rights and redress possibilities. Several affordable mechanisms to obtain individual redress will be available to data subjects who think their personal data has been misused under the new framework, whether via a direct complaint to the company or to their national data protection authority (“DPA”). Complaints made to a DPA will be referred to the U.S. Department of Commerce and the Federal Trade Commission for investigation. When receiving a complaint directly from individuals, companies must reply within 45 days. Companies handling personal data in the Human Resources context about European individuals must comply with the decisions of the competent DPA. In addition, companies also must designate an independent dispute resolution body to investigate and resolve individuals’ complaints and provide complimentary recourse to the individuals.
Further, in the context of a company’s certification, the Department of Commerce will verify that the company complies with the Privacy Principles of the Privacy Shield, and that it has designated an independent recourse mechanism. As a last resort, individuals will be able to bring their complaints to a newly-created Privacy Shield Panel, a dispute resolution body that can take binding and enforceable action against U.S. companies that have certified their adherence to the Privacy Shield.
EU citizens also will have a redress mechanism in the national security context. In particular, an independent Ombudsperson will be responsible for handling complaints and inquiries received from EU individuals regarding access to their data by national intelligence authorities. This redress mechanism will be extended beyond the EU-U.S. Privacy Shield and will be available to individuals for all data transfers to the U.S. for commercial purposes.
Annual joint review mechanism. The European Commission will annually monitor the functionality of all aspects of the EU-U.S. Privacy Shield, together with the U.S. Department of Commerce, EU DPAs, U.S. national security authorities and the Ombudsperson. Other sources of information, such as voluntary transparency reports, will also be used for monitoring the functionality of the framework. In the event that companies or public authorities do not comply with their commitments, the European Commission can activate a process to suspend the Privacy Shield.
The Commission encourages companies to prepare for the Privacy Shield so that they are in a position to self-certify to the new framework as soon as an adequacy decision is adopted by the Commission. In general, the various constituents involved in the new framework will be required to take the following actions in connection with the Privacy Shield:
U.S. Companies. U.S. companies must commit to comply with seven privacy principles, including (1) the Notice Principle, (2) the Choice Principle, (3) the Security Principle, (4) the Data Integrity and Purpose Limitation Principle, (5) the Access Principle, (6) the Accountability for Onward Transfer Principle, and (7) the Recourse, Enforcement and Liability Principle. In addition, the European Commission encourages companies to (i) select the EU DPAs as their complaint resolution mechanism under the Privacy Shield, and (ii) publish transparency reports on national security and law enforcement access requests regarding EU personal data.
U.S. Authorities. U.S. authorities will be responsible for enforcing the framework and respecting the limitations and safeguards established regarding access to personal data by law enforcement and for national security purposes. U.S. authorities also must handle complaints received from EU individuals in a timely and effective manner.
EU Data Protection Authorities. EU DPAs must ensure that individuals can exercise their rights effectively, including by transferring their complaints to the competent U.S. authority, as well as cooperating with the relevant U.S. authority. In particular, EU DPAs must assist complainants with cases brought in front of the Privacy Shield Panel, exercise oversight over transfers of EU HR personal data and trigger the Ombudsperson mechanism.
European Commission. The European Commission will adopt an adequacy decision that will be reviewed regularly, allowing the Privacy Shield to be consistently monitored, in contrast with the previous Safe Harbor.
An extraordinary plenary meeting of the Article 29 Working Party will be organized at the end of March 2016. After obtaining the non-binding opinion of the Working Party and consulting a committee composed of representatives of the EU Member States, a final decision by the College of Commissioners will be made. In the meantime, U.S. authorities will prepare for the implementation of the new framework.
FTC Chairwoman Edith Ramirez issued a statement in response to the release of the new framework. She said that “[t]he EU-U.S. Privacy Shield Framework supports the growing digital economy on both sides of the Atlantic, while ensuring the protection of consumers’ personal information. In providing an important legal mechanism for transatlantic data transfers, it benefits both consumers and business in the global economy.” Chairwoman Ramirez also emphasized the FTC’s role, saying that “the FTC will make enforcement of the new framework a high priority, and we will work closely with our European counterparts to provide robust privacy and data security protections for consumers in the United States and Europe.”
Read the Press Release of the European Commission.
Read the Fact Sheet on the EU-U.S. Privacy Shield.
For more information, visit the dedicated page on the European Commission’s website.