On July 8, 2016, the Article 31 Committee, comprised of representatives of the European Union (EU) member states, voted to approve a revised Privacy Shield framework that is intended to replace the Safe Harbor framework invalidated by the European Court of Justice (ECJ) in October 2015 and provide another lawful method for U.S. companies to transfer the personal data of European citizens to the United States. Then, on July 12, 2016, the European Commission (EC) endorsed the Privacy Shield, establishing it as a valid alternative to the Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) in order to export personal data of EU citizens.
The Privacy Shield may still, however, be the target of scrutiny and legal challenges. A number of critics have already warned that the revised deal is “flawed” and toothless to prevent mass surveillance by the U.S. government once personal data is in the U.S. Additionally, four EU member states abstained: Austria, Bulgaria, Croatia, and Slovenia. Not surprisingly, Max Schrems, the Austrian law graduate and privacy advocate whose successful challenge to the Safe Harbor resulted in its invalidation last year, has already vowed to challenge the legality of the Privacy Shield.
Any U.S. company that receives personal data from the EU must adopt one of the approved mechanisms for cross-border transfers of personal data: (1) Standard Contractual Clauses, (2) Binding Corporate Rules (for inter-company/affiliate transfers), or (3) Privacy Shield. Similarly, companies in the EU that transfer personal data from the EU to the U.S. must ensure that one of the approved mechanisms is used to validate such transfers to companies in the U.S. Since any company seeking to export personal data from within the European Economic Area must do so in compliance with a valid legal mechanism, companies should now (1) determine whether self-certifying to the Privacy Shield makes sense for their organization and (2) if so, conduct a gap analysis between its current practices and the Privacy Shield requirements and remediate deficiencies to enable the company to self-certify to the Privacy Shield. If an organization decides not to utilize Privacy Shield, it must determine and implement an alternative mechanism of transfer in order to legally transfer personal data from the EU to the U.S., as any transfer not following one of the approved mechanisms would not be legal.
The Safe Harbor agreement was relied on by approximately 4,000 U.S. companies to legally transfer the personal data of EU citizens to the United States. However, in October 2015, the Safe Harbor agreement was invalidated by the ECJ in the Schrems case on the grounds that the U.S. surveillance activities brought to light by Edward Snowden threatened the privacy rights of EU citizens without any means for judicial redress. The decision put at risk the transfer of personal data between the European Union and the United States. Since then, representatives of both the EU and the U.S. have been negotiating a new framework for cross-border data transfer that would comply with the laws and regulations governing the privacy rights of EU citizens.
In February 2016, the EC revealed the details on the proposed Privacy Shield framework designed to replace the invalidated Safe Harbor agreement. The original draft of the Privacy Shield was met with concerns by EU regulatory organizations, and on April 13, the European Union’s Article 29 Working Party (Article 29) issued an opinion rejecting the draft Privacy Shield because, among other reasons, it believed that the Privacy Shield did not preempt “massive and indiscriminate” bulk surveillance of EU citizens; it believed that there needed to be a built-in mechanism for adjusting the Privacy Shield for the upcoming General Data Protection Regulation (GDPR); and it was not convinced that the Ombudsman would have the necessary independence and authority to enforce the requirements of the Privacy Shield and address EU citizen complaints. On May 27, the European Parliament officially asked the EC to renegotiate with the United States to address the concerns in the Privacy Shield. The call to renegotiate created a significant amount of uncertainty for U.S. companies wishing to transfer and process data of EU citizens, with some rushing to try to quickly implement other approved mechanisms of transfer.
Since this time, U.S. officials and the EC have been meeting to address these concerns. On July 8, they unveiled the revised Privacy Shield concurrently with the announcement that the Article 31 Committee had reviewed and approved its adoption. The revision is accompanied with a Draft Commission Implementing Decision Regarding the Adequacy of the Protection Provided by the European Union-U.S. Privacy Shield (the Implementing Decision), which has now been adopted by the Commission.
The following is a summary of the key elements of the Privacy Shield:
The Implementing Decision also noted that there is still a difference in the way the United States and the European Union address companies’ use of personal data to make automated decisions that affect individuals. The U.S. only provides regulation in certain sectors, such as employment offers and credit and lending decisions, while Europe and the GDPR provides broader protections across almost all sectors. The Implementing Decision describes that the U.S. and EU will discuss these issues during the annual reviews of the implementation of the Privacy Shield, which may include similar rights described in the GDPR, namely the right for an individual to object to such decisions that are based solely on such automated decision making, unless there are appropriate safeguards in place or there are other conditions that necessitate such decision making.
Determine Whether Privacy Shield is Right for You
The first step is to determine whether Privacy Shield is right for your organization. In addition to the Privacy Shield, other transfer options include the Standard Contractual Clauses and Binding Corporate Rules (for inter-company transfers). If your organization was previously Safe Harbor-certified, Privacy Shield may be a cost-efficient mechanism as you are probably already compliant to a degree with some of the requirements of the Privacy Shield. However, given the very likely legal challenges to Privacy Shield, consideration should be given to the relative cost of compliance and protections as compared to the other valid compliance mechanisms.
If you were not Safe Harbor-certified, the determination of whether Privacy Shield is appropriate for your organization requires consideration of the extent to which your company receives personal data from EU citizens, including the number of different organizations from which you receive personal data. If the amount of personal data transfers is limited, it may be more appropriate for the company to use the SCCs or BCRs. For those organizations that have already entered into the SCCs and BCRs and have undergone and implemented the additional measures required to comply, there is no need to certify to the Privacy Shield. However, if you have not already entered into the SCCs and BCRs, the cost to implement the SCCs and BCRs might be too high or might not effectively address your particular data transfer model, leaving implementation of the Privacy Shield as the only remaining option. Due to pending and likely future legal challenges, it still remains to be seen, however, whether the SCCs will remain a viable and legal alternative for cross-border data transfers. For the time being, they are. However, the pending challenge in the Ireland High Court in Dublin relating to a decision by the Data Protection Commissioner on EU-U.S. data transfer channels still remains. That challenge may wind its way all the way up to the ECJ to decide whether the SCCs that provide legitimacy to many existing trans-Atlantic data transfers are legal. The fate of the SCCs may rest upon that case.
Whether or not your organization was Safe Harbor-certified, companies with access to personal health care or financial data are more likely to have measures in place protecting personal data in a manner similar to the requirements of the Privacy Shield. Thus, certifying for the Privacy Shield should not be overly onerous.
While organizations certifying under the Privacy Shield will face increased scrutiny, the liability and risk to an organization for not having a legal mechanism for compliance is too great to be ignored. While there was once a time that a company could lay low, “allowing” some companies to avoid registering for Safe Harbor out of fear that by registering, they were adding their name to a public registry and opening themselves up to public scrutiny, the current global climate and lack of tolerance for not properly protecting personal data is so great that now every organization is subject to scrutiny, registered or not.
Finally, due to the anticipated legal challenges to the Privacy Shield, companies – particularly those “on the fence” about whether to self-certify to the Privacy Shield – may want to consider waiting until the dust settles a bit more on the future of and likelihood of continued validity of the Privacy Shield.
Privacy Shield Does Not Guarantee Compliance With the GDPR
Importantly, the updated draft of the Privacy Shield makes it clear that the Privacy Shield will only apply to processing by U.S. companies that do not fall within the scope of other EU legislation, and compliance with the Privacy Shield may not be sufficient for compliance with other EU legislation. In particular, organizations should not assume that compliance with the Privacy Shield is sufficient to satisfy the requirements of the activities described in Article 3 of the GDPR, which may apply to most organizations. Article 3 of GDPR brings organizations under the scope of the GDPR no matter where they are located when their processing activities are related to (1) the offering of goods or services to individuals in the EU regardless of whether any payment is required or (2) the monitoring of behaviors of individuals when that behavior takes place in the EU. In other words, most companies that may consider signing up for Privacy Shield will still need to comply with the GDPR when it becomes effective on May 25, 2018.
If Privacy Shield is Right for You, Conduct a Gap Analysis
If Privacy Shield is right for you, your business will need to conduct a gap analysis to determine what practices and procedures need to be put in place in order to submit the self-certification application to comply with the Privacy Shield Principles. This process involves an internal or external review process where the company’s current practices with respect to collection, storage, processing, and security of personal data from the EU are evaluated against the Privacy Shield Principles. Prior to submitting the self-certification application, the organization will need to satisfy itself that it has appropriate policies and practices in place to certify to compliance with the Privacy Shield Principles. While many Privacy Shield requirements are common among U.S. companies (such as implementing reasonable security safeguards to protect personal data), many requirements are not. For example, as discussed more fully above, Privacy Shield requires downstream vendor contracts to require compliance relating to data minimization, data destruction, and access to personal data.
Registration via the USDOC website will open on August 1, 2016, allowing U.S. companies to register to be on the Privacy Shield list and self-certify that they meet the high data protection standards set out under the Privacy Shield. Registration will have to be renewed annually. While there is no transition period for the new Privacy Shield, the obligations described in the Principles of the Privacy Shield framework will apply upon certification, with a narrow grace period for complying with the new rules regarding onward transfers (allowing any organization that self-certifies within the two months after the effective date of Privacy Shield nine months to comply with the rules applicable under the Accountability for Onward Transfer Principle).
If Privacy Shield is Not Right for You, Implement Alternative Mechanisms as Applicable
If your company determines Privacy Shield is not warranted or desirable, then (assuming the company receives personal data from the EU) the company will need to adopt an alternative mechanism to comply with the EU data transfer laws such as the SCCs or BCRs. However, given the time and effort required to satisfy the requirements of the SCCs and BCRs, if your organization has not already gone down that path, it might be that you have little choice but to implement the Privacy Shield, as doing nothing is not an option and could result in a finding of non-compliance. Even though Safe Harbor was invalidated, the requirement to use a valid mechanism of transfer was not lifted. Thus, all organizations must consider one of the valid transfer mechanisms.
For the first time since the invalidation of Safe Harbor, the uncertainty for U.S. companies regarding their obligations for protection and transfer of personal data of EU citizens is cleared. However, the clarity may be fleeting, given it is highly anticipated that the Privacy Shield will be challenged on multiple fronts. In addition to the challenges that await, there are other potential changes to the Privacy Shield in light of the UK voting to leave the rest of the EU. While the UK may have to adopt the EU data protections rules post-Brexit, it is unclear what that will look like.
While the Article 29 Working Party (made up of the national data protection authorities) previously stated that they would likely challenge the Privacy Shield in court without further clarification on the protection of EU personal data, in response to the revised Privacy Shield, they have indicated that they would meet on July 25, 2016, to review the Privacy Shield framework, as adopted, and issue a revised opinion.
You can find the final version of the Privacy Shield on the European Commission’s website, along with its appendices, as adopted, and an FAQ.
Click here to read our coverage of the original draft of the EU-U.S. Privacy Shield.
Click here to read our coverage of the Article 29 Working Party’s rejection of the original draft of the Privacy Shield and the European Parliament’s approval of the GDPR.
Legal News Alert is part of our ongoing commitment to providing up-to-the-minute information about pressing concerns or industry issues affecting our clients and our colleagues. If you have any questions about this update or would like to discuss this topic further, please contact your Foley attorney or the following:
Los Angeles, California
San Diego, California
Los Angeles, California