On February 29, 2016, and after more than two years of negotiations with the U.S. Department of Commerce, the European Commission released its draft Decision on the adequacy of the new EU–U.S. Privacy Shield program, accompanied by new information on how the Program will work. The Privacy Shield documentation is significantly more detailed than that associated with its predecessor, the EU-U.S. Safe Harbor, as it describes more specifically the measures that organizations wishing to use the Privacy Shield must implement. Importantly, the Privacy Shield provides for additional transparency and processes associated with U.S. government access to the personal data of EU individuals. Our high-level summary of the Privacy Shield program follows.
Obligations on U.S. Companies
As was the case with respect to the Safe Harbor, organizations that wish to use the Privacy Shield must self-certify compliance with an expanded set of Privacy Principles via a filing to the U.S. Department of Commerce, signed by a corporate officer. Annual re-certification is required, as are follow-up procedures to verify compliance so long as an organization maintains the data collected under the Privacy Shield. Among other things, the Privacy Shield Privacy Principles require that companies take the following actions:
- Publish their privacy policies supporting their participation in the Privacy Shield (or, in the case of human resources information only, make it known where employees can view such policies)
- Provide links to the Privacy Shield portion of the Department of Commerce website
- Provide a mechanism for:
- individuals to opt out of use of personal information for direct marketing,
- individuals to opt out of having personal information disclosed to a third party or used for a materially different purpose than that for which it was provided, and
- obtaining affirmative express consent from individuals prior to sensitive information being shared with a third party or used for a purpose other than for which it was initially collected or to which it was otherwise expressly consented
- Implement reasonable and appropriate security measures
- Provide a mechanism by which data subjects may obtain confirmation of whether an organization is processing information related to them within a reasonable time and for a non-excessive fee
- Provide a mechanism by which data subjects may request personal information relating to them be corrected, amended, or deleted
Accountability for Onward Transfer
- Put in place policies and procedures to ensure that processors only use data for limited and specified purposes
- Execute contracts (or comparable arrangements within corporate groups) that require processors to provide the same level of protection as that provided by the Privacy Principles
- Put in place mechanisms to resolve—expeditiously (within 45 days, according to the European Commission’s statements) and at no cost to the individual—complaints raised by EU-based individuals
- Take measures to verify that their published privacy policies conform to the Privacy Principles and are, in fact, complied with. This may be done via self-assessments
Department of Commerce and Federal Trade Commission Oversight and Enforcement
Under the Privacy Shield program, the Department of Commerce is committing to double its staff resources and increase its oversight. For example, if it receives a non-frivolous complaint, or if there is other credible evidence that an organization may not be complying with the Privacy Principles, then the Department of Commerce will conduct a review.
The FTC, which retains its primary enforcement role, will give priority consideration to referrals of non-compliance with the Privacy Principles to determine whether the organization has violated Section 5 of the FTC Act or other relevant laws. The FTC will also undertake Privacy Shield investigations on its own initiative. The Privacy Shield program requires that all consent orders issued by the FTC in connection with the Privacy Shield contain self-reporting provisions and further require that any relevant Privacy Shield-related sections of compliance or assessment reports submitted to the FTC be made publicly available.
If a business must be removed from the Privacy Shield List, it will also be required to return or delete the personal information that it received under the Privacy Shield. The business may retain the data only if it annually affirms to the Department of Commerce that it continues to apply the Privacy Principles or provides adequate protection for the data by other authorized means.
Individuals may raise complaints regarding the treatment of their personal information through several mechanisms. As noted above, individuals may file complaints directly with U.S. organizations, which must respond expeditiously. Individuals may also make use of free alternative dispute resolution services, provided by the companies. Alternatively, individuals may file complaints directly with their local Data Protection Authority, which will work with the Department of Commerce and the FTC to investigate and resolve complaints.
Finally, as a last resort, individuals may file complaints with the Privacy Shield Panel. The panel will consist of a pool of 20 arbitrators designated by the Department of Commerce and the European Commission. The parties to the dispute will select three arbitrators from this pool of panelists. The Privacy Shield Panel will have the authority to impose individual-specific, non-monetary equitable relief to remedy non-compliance with the Privacy Shield.
Government Access and Ongoing Review
In addition, in order to meet the criteria for lawful privacy intrusions by the state set out by the Court of Justice of the European Union (“CJEU”) in its Safe Harbor ruling, the Privacy Shield documentation describes limitations on, and oversight of U.S. government access to the personal data of EU individuals, including a redress possibility through an Ombudsman mechanism within the Department of State, which will be independent from the national security services. This aspect of the Privacy Shield is likely to be closely scrutinized by EU privacy regulators and advocates and, therefore, the long term viability of the program will be dependent on the effectiveness of these controls.
Finally, the Privacy Shield includes an annual joint review mechanism, pursuant to which the European Commission and the Department of Commerce will facilitate an examination of the continuing efficacy of the Program. The annual review will include an annual privacy summit with NGOs and stakeholders on developments in U.S. privacy law and its impact on EU individuals and will take into account information from a range of sources including—as noted in the Privacy Shield documentation—company-published transparency reports on the number and type of governmental access requests.
It is not surprising that in the light of the arduous negotiations on this framework and the outcome of the Safe Harbor decision by the CJEU, the parties have made a substantial effort to address every possible weakness of the previous program. Ultimately, the Privacy Shield represents the commitment of the EU and the U.S. Government to securing the vital transatlantic data flows which are such an integral part of the information economy. The ability of companies on both sides of the Atlantic to benefit from these efforts now depends on the response of EU regulators and courts to the Privacy Shield.
Notably, the Privacy Shield is still not yet in effect. The details are under review now by the EU’s Article 29 Working Party, which will render a non-binding opinion within the next few months. Taking that opinion into account, the full European Commission will then formally vote on the adequacy of the Privacy Shield program, at which point it will take effect. Therefore, U.S. organizations still have a few months before they can formally sign up for the new Privacy Shield and, regardless of the Working Party’s response, it would be wise to carefully consider all alternatives available.