Image of shield against digital backdrop representing the adoption and legal challenge of the EU-US Privacy Shield
EU-US Privacy Shield Adopted But Likely to Face Legal Challenge

EU-US Privacy Shield Adopted but Likely to Face Legal Challenge

The Privacy Shield was eventually adopted on 12 July, and entered into force in European Union (EU) Member States immediately. In the United States (US), the documents were published in the Federal Register which is the equivalent of the EU Official Journal.

This adequacy decision, designed for data transfers between the EU (including EEA countries, Norway, Iceland and Liechtenstein) and the US, is an amended version of the draft decision published on 29 February.

There have been a few changes, most notably the requirement for annual review by both parties. This will ensure that the deal can evolve over time. There are also changes to data retention provisions – they are now more following EU style requiring data to be deleted when no longer necessary. Also, the Ombudsman role has been revised so that it should be independent from US intelligence services. Finally, there are additional clarifications on the collection of data for US surveillance: it must be “targeted and focused”.

Privacy Shield will be challenged

Despite this, it is more than likely that the pact will be challenged in the courts. Criticising the arrangement, Jan Philip Albrecht, who was rapporteur for the General Data Protection Regulation (GDPR) in the European Parliament, said that once the GDPR is in force, the Shield will have to be revised. He said in a press release:

Privacy Shield is meant to be based on notice and choice, which sounds promising. Contrary to this verbiage, and contrary to EU law, Privacy Shield does not give users much choice. It actually gives companies a general blanket allowance to use the personal data of any person under the sun.

“Only in two specific cases (data sharing with a third party and a change of purpose), can users object. Obviously, users would first have to know about the US business taking such steps, actively contact the company and conduct an ‘opt-out’. In reality this will hardly happen, which is why EU law is based on an ‘opt-in’ system, where companies typically have to ask customers for consent.”

“Many other such differences, which make Privacy Shield not ‘essentially equivalent’ to EU law could be mentioned.”

“A legal challenge may come but we will challenge it in the courts,” Bruno Gencarelli, Head of the Data Protection Unit at the European Commission said at PL&B’s conference at the beginning of July. “Unlike the Safe Harbor, the Privacy Shield has commitments from US public authorities. We are moving from self-certification to a much more controlled and checked framework. There will be an annual review and the Commission can suspend the framework.”

“We are not looking for a photocopy of EU principles. Essentially equivalent does not mean identical.”

However, Albrecht is not alone in voicing his criticism. Interestingly, when the vote took place in the EU Article 31 Committee, that consists of Member States’ representatives, Austria, Bulgaria, Croatia and Slovenia abstained from voting. The EU DPAs are still cautious – their statement of 26 July says that they welcome the changes made in the EU-US Privacy Shield’s final version, but several concerns remain regarding both the commercial aspects and access by US public authorities to data transferred from the EU. The DPAs point out that there is a lack of specific rules on automated decisions and of a general right to object. It also remains unclear how the Privacy Shield Principles will apply to processors, they say. The DPAs would also like to see stricter guarantees concerning the independence and the powers of the  Ombudsperson, and say that the first joint annual review will be “a key moment for the robustness and efficiency of the Privacy Shield mechanism to be further assessed”. The results of the first joint review regarding access by US public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses, they say.

The DPAs will soon provide information to data controllers about their obligations under the Shield. The Department of Commerce has announced that US-based subsidiaries of EU-headquartered companies may join the Privacy Shield as long as the subsidiaries meet the eligibility requirements for Privacy Shield participation.

What can businesses do now?

In the US, the programme will be administered by the Department of Commerce, which was also responsible for the Safe Harbor. Organizations will have to self-certify to the Privacy Shield principles. This will require filling in an online registration with the department, which invited registrations from 1 August 2016.

Privacy Shield applicants must provide full contact details, including the name of their  Organization Corporate Officer (i.e. information about the individual certifying the organization’s compliance with the Privacy Shield Framework).

Organisations need to provide a description of their activities with respect to all personal data received from the European Union (EU) in reliance on the Privacy Shield. That includes:

  • Other covered entities (i.e. a list all U.S. entities or subsidiaries of the organization that are also adhering to the Privacy Shield Principles and are covered under the organization’s self-certification)
  • Types of personal data covered by the organization’s Privacy Shield commitments (i.e. “personal data other than human resources data” and/or “human resources data”).
  • Purpose(s) for which the organization processes personal data in reliance on the Privacy Shield, including the types of personal data processed by the organization (e.g. organization, customer, client, visitor, and clinical trial data) and, if applicable, the type of third parties to which it discloses such personal information.

Organisations must nominate on their website a private sector independent recourse mechanism available to investigate unresolved complaints, or choose to cooperate with EU DPAs. The national EU DPAs will handle complaints for individuals, and then work together with the US Department of Commerce and the US Federal Trade Commission. In addition, the organisations must mention the location and effective date(s) of their organization’s relevant privacy policy statement(s). Slightly different rules apply to companies that only handle HR data.

In addition, organisations must disclose their annual revenue for the purpose of determining the fee the organization must pay to self-certify to the Privacy Shield Framework This information will not be publicly disclosed on the Privacy Shield website.

Third parties in Asia also affected

Any subcontractor , including those in Asia, will need to  provide the same level of protection as required from Shield participants. This will be a challenge in countries with no, or elementary data protection laws, or extensive national surveillance programmes. However, these organisations in question do not need to self-certify.

The US Department of Commerce advises: “Privacy Shield participants must enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”

With existing commercial relationships, organisations are given nine months to ensure conformity with the Accountability for Onward Transfer Principle. But to rely on this
concession, organisations need to self-certify with the Department of Commerce within two months of the Shield taking effect.

During this interim period, where organizations transfer data to a third party, they must:

  1. apply the Notice and Choice Principles, and
  2. where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles.

Although certifications have been available from 1 August, the Department of Commerce says that certification processing times will vary depending on the completeness of the original
self-certification and the number of self-certifications received in particular during the initial roll-out. The Privacy Shield team will provide updates on expected processing times periodically to assist companies in their planning, it says.

 

Additional information: