Privacy Shield: A New Briefing

The European Commission adopted its much anticipated decision on the EU-US Privacy Shield ("Privacy Shield") on 12 July 2016. The Privacy Shield was developed jointly by the European Commission and the US Department of Commerce to replace the Safe Harbour framework, which was declared invalid by the Court of Justice of the European Union in the Schrems case.

The adoption of this adequacy decision by the Commission means that any transfers of personal data from the EU to companies in the United States that are certified under the Privacy Shield will be deemed to be made in accordance with EU data protection law. As noted in our previous article here, US companies have been able since 1 August 2016 to sign up to the Privacy Shield and receive personal data originating in the EU on the basis of their Privacy Shield certification. It has been reported that over 500 organisations have been certified under the Privacy Shield to date, including such prominent stakeholders as Microsoft, Google and Salesforce, and that some 1,000 more are in the process of applying.

Criticism

The Privacy Shield has been the subject of much comment (both positive and critical) since its publication. Most of the criticism levied at the Privacy Shield focuses on concerns over the potential access by US public authorities to personal data transferred from the EU to the US. This potential access was one of the main criticisms of Safe Harbour arising from the Schrems case, and appears to be a continued source of concern for privacy campaigners. Other criticisms of the Privacy Shield include that certain principles of European data protection law, for example in relation to data retention and purpose limitation, are not adequately reflected in the framework, and that the Privacy Shield does not give users as much control over the use of their personal data as under EU data protection law.

What is new and improved in the Privacy Shield?
Such criticism notwithstanding, it seems clear that the Privacy Shield improves on Safe Harbour in a number of key areas, considered below.

More detailed transparency/notice requirements

The privacy principles that US companies receiving personal data originating from the EU will have to comply with (the "Principles") include more detailed and robust notice requirements than those required under Safe Harbour. For example, organisations signing up to the Privacy Shield must provide a notice, in clear and conspicuous language, to individuals informing them of: the types of personal data the organisation is collecting; whether (if relevant) its subsidiaries adhere to the Principles; the purposes for which the organisation will disclose personal data to third parties; the right of individuals to access their personal data; the independent resolution body designated to address complaints and provide recourse; the possibility in certain circumstances to invoke binding arbitration; and the requirement to disclose personal information in response to lawful requests by public authorities. In addition, the Principles are set out in a clear and easily understandable way for organisations in a single annex (Annex II) of the Commission's Decision. In the Safe Harbour decision these were constituted, in a rather piecemeal fashion, of Privacy Principles in one annex and Frequently Asked Questions in another annex.

More choice over uses of personal data

Privacy Shield requires certified organisations to offer individuals clear, conspicuous and readily available mechanisms to allow them to opt out of the disclosure of their personal data to third parties (save where such disclosure is to an agent pursuant to a contract) or of the use of their data for a purpose that is materially different from the purpose(s) for which it was originally collected (or subsequently authorised) by the individuals. The requirement for an opt-out for a "materially different" use of data under the Privacy Shield is arguably more protective than the obligation under Safe Harbour, which required an opt-out only for a purpose that was "incompatible" with the purpose(s) for which it was originally collected or subsequently authorised, etc.
Strengthened requirements and accountability for onward transfers

The Privacy Shield contains more detailed requirements in relation to the onward transfer of personal data from Privacy Shield organisations in the US to other third party organisations. Any onward transfers to data controllers must be made on foot of a contract with the third party controller providing that any data so transferred "may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the [Privacy Shield] organisation if it can no longer meet this obligation". By contrast, Safe Harbour only contained a broad requirement to apply the Notice and Choice Principles in respect of the disclosure of information to third parties.

In addition, the Privacy Shield expands on the requirements set out in Safe Harbour in respect of the transfer of data to agents. These additional requirements include that the Privacy Shield organisation: transfers data only for limited and specified purposes; takes reasonable and appropriate steps to ensure that any processing is carried out in accordance with the Principles; takes steps to stop and remediate unauthorised processing; and provides a summary or copy of the relevant privacy provisions of the contract with the agent to the Department of Commerce if requested.

A further improvement on Safe Harbour from a privacy perspective is that the Principles expressly state that Privacy Shield organisations will remain liable for any processing of personal data by their agents in a manner inconsistent with the Principles (unless the organisation proves that it is not responsible for the event giving rise to the damage). Safe Harbour, by contrast, contained a general presumption that the organisation, once it had complied with the principles in respect of onward transfer to an agent, would not be held responsible for processing outside of the permitted purposes, unless the organisation was aware or should have been aware of such processing and did not take steps to remedy it.

Data retention

The Principles state that personal data may only be retained for as long as it serves the processing purpose(s) for which it was originally collected or authorised by the individual (with an exception for archiving purposes in the public interest, journalism, literature, art etc). This is a marked improvement on Safe Harbour, which did not include specific obligations in relation to data retention.

Wider range of enforcement mechanisms

The Privacy Shield also improves on Safe Harbour to the extent that it offers a wider range of avenues for individuals to seek redress where they are affected by an organisation's non-compliance with the Principles. These options include bringing a complaint: to the relevant organisation (the organisation must respond within 45 days); to the independent dispute resolution body designated in accordance with the Principles by the organisation; or directly to the Federal Trade Commission. Individuals may also complain to a national Data Protection Authority, which will deliver advice through an informal panel of DPAs established at Union level. Where the Privacy Shield organisation fails to comply with the DPA's advice within 25 days, the matter may be referred to the FTC or other competent US authority for enforcement action (eg under Section 5 of the FTC Act or a similar statute) or to the Department of Commerce (which may remove the organisation from the Privacy Shield List). Finally, as a mechanism of last resort, individuals have the right to invoke binding arbitration. The Department of Commerce is to establish a fund, supplied with annual contributions from Privacy Shield organisations, to help cover the costs of the arbitration.
Ombudsperson

The Commission decision acknowledges that, whilst EU individuals do have certain avenues of redress where they have been the subject of unlawful surveillance for US national intelligence purposes, the available causes of action are relatively limited, and EU citizens may have difficulty showing that they have the requisite standing (ie a legally protectable interest) to bring a case to court. In an effort to fill this gap, the US Secretary of State has committed to create a new Privacy Shield Ombudsperson, who is to be independent from the US Intelligence Community, and whose remit will include ensuring that individual complaints are properly investigated, that US laws have been complied with, or, where such laws have been violated, that the non-compliance has been remedied. Helpfully, individuals can address complaints to a competent national authority in their own country (and in their own language), and such authority will then assist the individual in formulating the request to the Ombudsperson. Also positive from a privacy perspective is that, to bring a complaint before the Ombudsperson, an individual will not have to demonstrate that his/her personal data have in fact been accessed by the US government via surveillance activities.

Assurances regarding access by US National Security agencies

The Privacy Shield includes written commitments by the US Government on enforcing the arrangement, including assurances from the Office of the Director of National Intelligence and the US Department of State, on the safeguards concerning access to personal data by public authorities in the US.

Annual re-certification

Organisations must self re-certify their compliance with the requirements of the Privacy Shield to the Department of Commerce on (at least) an annual basis, and the Department is to monitor compliance with this requirement and remove organisations that do not re-certify as required from the Privacy Shield List. The assessment and verification requirements were not as clear under Safe Harbour; under that regime, an organisation was required to sign a statement verifying that a self-assessment had been carried out once a year.

Annual Joint Review Mechanism

A major advantage of the Privacy Shield over the Safe Harbour framework is that there is an in-built Annual Joint Review mechanism, to review the functioning of the Privacy Shield on an annual basis. This annual review is to be performed by the Commission, the US Department of Commerce and the Federal Trade Commission, together with other relevant stakeholders such as Intelligence Community representatives and the Privacy Shield Ombudsperson, as appropriate. It will also be open to EU DPAs and representatives of the Article 29 Working Party to participate in this review meeting. This means that the Privacy Shield is intended to be a living instrument, which can adapt as required to reflect future developments in privacy law. Indeed, the decision specifically states that the Commission will assess the level of protection provided by the Privacy Shield following the entry into application of the General Data Protection Regulation (in May 2018). By contrast, Safe Harbour only provided for a review to be carried out by the Commission after three years.
Privacy Shield, whilst not perfect, is a viable option for transfers

Whilst it is arguable that some of the criticism levied at the Privacy Shield may be justified (for example, it may be difficult in reality to fully monitor the access US intelligence agencies may have to EU data transferred under the Privacy Shield), it should also be remembered that the Privacy Shield is relevant to personal data that was originally collected in accordance with EU data protection law. As such, data subjects should have been informed of any further processing of their personal data (including any processing in the US) at the time of collection, and any such processing should be compatible with the purposes for which the data were originally collected. Furthermore, any analysis of the Shield needs to take into account, from a realistic and practical standpoint, the reality that managing data transfers in today's global business environment can present significant challenges for organisations. It is also worth bearing in mind that the other currently approved exemptions to the prohibition on the transfer of personal data outside of the EEA, such as obtaining data subjects' consent, entering into data transfer agreements based on the EU Commission approved Model Clauses, or putting in place binding corporate rules, can also present challenges to implementation in practice.

In light of the matters considered above, it seems fair to conclude that the Privacy Shield represents a marked improvement on the Safe Harbour framework. As such, as organisations weigh up the various options around the transfer of personal data to the United States, the Privacy Shield would appear to represent a viable solution.
Further information

Paul Lavery, Partner, Head of Technology & Innovation Group, ddi +353-1-607 1330, email paul.lavery@mccannfitzgerald.com

Lorraine Power, Senior Associate, Technology & Innovation Group, ddi +353-1-607 1743, email lorraine.power@mccannfitzgerald.com

Alternatively, your usual contact in McCann FitzGerald will be happy to help you further.

This document is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Email inquiries@mccannfitzgerald.com

McCann FitzGerald, October 2016, www.mccannfitzgerald.com