Written by Olivier Proust, Of Counsel, with special thanks to Fieldfisher Trainee Solicitor Alex de Gaye for his valuable contribution to this article.
Following two years of intense negotiation between the European Commission and the US Department of State, the European Commission finally adopted its updated Adequacy Decision on the EU-U.S. Privacy Shield ("Privacy Shield") on 12 July 2016. This amends the draft decision published on 29 February 2016. The Adequacy Decision is based on the political agreement that was reached by the EU and US on 2 February 2016, and intended to replace the Safe Harbor Framework that was invalidated by the Court of Justice of the European Union ("CJEU") on 6 October 2015. Following publication in the Federal Register, US companies will be able to certify with the US Department of Commerce from 1 August 2016. The Adequacy Decision has been notified to the EU Member States and thus comes into force immediately.
What are the key changes under the amended Adequacy Decision?
The revised Adequacy Decision strengthens the previous draft Adequacy Decision from February 2016, which received criticism from regulators and privacy activists (see our previous blog on the Article 29 Working Party's opinion).
Several paragraphs have been added to explain the general rule: intelligence collection is "as tailored as feasible", collection is targeted rather than bulk and the exceptions must not become the norm. The US provided assurances that bulk collection can be neither "mass" nor "indiscriminate". Collection should always relate to specific intelligence objectives and be filtered to reduce irrelevant information. These reassurances were provided in a new five-page letter from the US Office of National Intelligence, General Counsel Robert Litt.
When a Privacy Shield organisation subcontracts its data processing to a third party, the contract must provide that the third party provides the same level of protection required by the Privacy Shield Principles, although it does not specify that the third party must certify with the Privacy Shield itself. If the third party determines it is not able to do this, it must notify the organisation. How organisations determine this standard remains to be seen. Where such subcontracts are already in place, the organisation will have nine months to get all its sub-processors to conform, provided that during this period it allows EU data subjects to opt out and the third party provides at least the same level of protection as the Principles. In order to have this nine-month grace period, it is necessary for organisations to certify "in the first two months following the day when the Privacy Shield becomes effective".
Changes have now been made to increase the Ombudsperson's independence and their ability to investigate thoroughly. The Commission concludes that the Ombudsperson will now allow complaints from individuals about surveillance to be thoroughly investigated.
Privacy Shield organisations must verify that their privacy policies conform to the Principles and are actually complied with. They must put effective, free complaints procedures in place which can be based either in the EU or US. Data subjects can bring complaints directly to the organisation, to a designated independent dispute resolution body, to national DPAs or the FTC. The lack of involvement of DPAs was one of the WP29's criticisms. Once certain remedies have been exhausted, the data subject can invoke binding arbitration. EU and US regulators have the power to suspend data transfers, take enforcement action against non-compliant organisations or remove them from the Privacy Shield scheme.
There is an express obligation for Privacy Shield organisations to delete data once it is no longer relevant for the purpose for which it was collected (with limited exceptions such as scientific research). Likewise, organisations that are removed from the Privacy Shield for non-compliance will be made to return or delete all personal data they received.
It was not clear in the original Privacy Shield whether it applied to the three EEA states that are not part of the EU. The amended Decision now clarifies that it will apply to transfers from the EEA countries Iceland, Liechtenstein and Norway (provided the EEA Joint Committee incorporates the decision into the EEA Agreement).
Now the real test begins
Now that it has passed the political hurdle, the real test lies ahead for the Privacy Shield.
From its entry into force, the European Commission now has a legal obligation to continuously monitor the functioning of the Privacy Shield and to re-evaluate the adequate level of protection that is provided by the US each year. For this, the European Commission can rely on the information it will receive as part of the Annual Joint Review Mechanism but also feedback it receives from the Member States, particularly where there are indications that US public authorities responsible for national security, law enforcement or other public interests are interfering with the rights of individuals to the protection of their personal data. Where this is the case, or where the US authorities are not cooperating with the European Commission, the European Commission may present draft measures to suspend, amend or repeal the Privacy Shield. Enforcement of the Privacy Shield, independence of the Ombudsperson, efficiency of redress mechanisms and limited access to data by US authorities are likely to be the key issues that the EU Commission will be focusing on.
The national data protection authorities ("DPAs") are now more heavily involved in the monitoring of the Privacy Shield. Individuals who consider that their data has been misused under the Privacy Shield can complain directly to their national DPA, who will then work together with the US Department of Commerce and the Federal Trade Commission to ensure that complaints by individuals are investigated and resolved. As stated in the CJEU's decision in Schrems (Case C-362/14, Maximillian Schrems v Data Protection Commissioner, ECLI:EU:C:2015:650), DPAs are responsible for monitoring compliance with EU data protection law on their respective territories and are vested with the power to check whether a transfer of personal data from their own territory to a third country complies with EU law. DPAs must therefore hear claims made by individuals and, where they consider such claims to be well-founded, they have the possibility to bring a case before the national courts. Whilst the ICO took a pragmatic approach and announced in February 2016 that it would not be expediting Safe Harbor complaints whilst the Privacy Shield process was being finalised, not all DPAs have done the same. For example, on 6 June 2016 the Hamburg DPA fined three companies a total of €28,000 for unlawful transfers to the US made in continued reliance on Safe Harbor.
According to recent figures published by some DPAs in their annual activity reports, it is clear that individual complaints are increasing. And so, the chances are that the validity of the Privacy Shield and its compliance with EU data protection law will one day be challenged before the national courts, possibly in several EU jurisdictions. Whether such legal action will reach the CJEU remains to be seen and is likely to take some time, but the chances are the Privacy Shield will one day fall on the CJEU's desk and so the validity of the Privacy Shield as a data transfer mechanism remains uncertain.
What should companies do?
The question that all US companies (or EU companies doing business in the US) are asking themselves now is what should they do next? In light of the above, some companies may question whether it is worth spending additional time, effort and money to comply with a legal framework that has received significant criticism before it was adopted and is now likely to be challenged in court. Essentially, the answer to this question will largely depend on a company's goals and strategy, and how it is structured globally.
For companies that are headquartered in the US and whose main concern is to ensure that they can lawfully transfer personal data from the EU to the US, the Privacy Shield may be their best option. However, one of their main concerns will be complying with the onward transfer principle for transfers to third-party controllers or processors located in the US or another third country. Such onward transfers can only take place on the basis of a contract that provides the same level of protection as that guaranteed under the Privacy Shield's Principles, including limitations on access to data for national security, law enforcement or other public interest purposes. In practice, certified companies will need to revisit or sign dozens of contracts with their vendors, suppliers and other business partners in the US and elsewhere. This will also require them to carry out due diligence and to re-assess the level of compliance of such third parties before signing any contract. This may also result in lengthier negotiations with their partners, particularly if they are located in third countries that do not have any data protection legislation and are known for their intrusive law enforcement and national security laws (e.g. Russia, China or India).
For EU-based companies who may be carrying out business in the US, the primary goal is to comply with the General Data Protection Regulation ("GDPR"). While the Privacy Shield certainly does impose obligations that are similar to those found under the GDPR (e.g. transparency, purpose limitation, data integrity, security, access, etc.), the GDPR imposes many more accountability measures on companies that are simply not required under the Privacy Shield (e.g. data protection officers, data protection impact assessments, privacy-by-design, etc.). Therefore, if the goal is to achieve compliance with the GDPR, the Privacy Shield alone will not be sufficient. For companies who are keen to use EU data protection law as a global compliance standard within their organisation, Binding Corporate Rules may be a better option, as these already cover many of the GDPR requirements.
As for those companies who have signed the EU Model Clauses following the invalidation of Safe Harbor, such contracts remain valid despite being challenged by some privacy activists or DPAs. Nonetheless, it appears that the onward transfer obligations under the Privacy Shield are separate from those of the Model Clauses, and therefore those companies may need to enter into separate agreements to comply with the Privacy Shield.
In the end, it seems likely that most companies will need to rely on several legal mechanisms if they want to transfer data globally, as the Privacy Shield alone is unlikely to be sufficient for companies who are operating at a global level.
One question that UK-based companies may be asking themselves is whether the Privacy Shield applies to them amidst the Brexit situation. The short answer is yes – for the time being. As long as the UK is a member of the European Union, all adequacy decisions that are adopted by the European Union apply in the UK. For more information regarding the impact that Brexit has on your data processing activities, see Phil Lee's blog article here.
What happens next?
The Article 29 Working Party ("WP 29") published a press release on 1 July reiterating its position from its April 2016 Opinion and stating it will conduct a coordinated analysis as soon as the Adequacy Decision is adopted. The WP 29 is due to meet on 25 July to discuss the Privacy Shield. It will be interesting to read what the WP 29 has to say about the Privacy Shield now that it has entered into force.
What this means for your practice will become clearer in the following days/weeks. Stay tuned as we continue to provide our analysis on the Privacy Shield.