14th March 2016
The detailed provisions of the new data protection framework for the transfer of personal data from Europe to the US, known as the EU-US Privacy Shield, were published by the EU Commission on 29 February 2016. Jeanette Burgess and Andrew Northage explain how the Privacy Shield will work in practice and what this means for organisations on both sides of the Atlantic.
Organisations are encouraged to start preparations now so that they are in a position to hit the ground running as soon as the Privacy Shield is implemented.
Under the EU’s data protection laws, personal data must only be transferred out of the European Economic Area (the EEA), if it is being transferred to a country which ensures an adequate level of protection for that data.
US organisations who complied with the Safe Harbor provisions were deemed to provide adequate protection for data transferred from the EEA. In light of Edward Snowden’s revelations about the extent of the US National Security Agency’s (the NSA) mass surveillance operations, the adequacy of Safe Harbor for protecting EU personal data began to be questioned by the European Union. Safe Harbor was finally ruled invalid on 6 October 2015 by the Court of Justice of the European Union (CJEU) when it considered the claims made by Austrian law student, Max Schrems, that Facebook Ireland was forwarding data to the NSA, via its California headquarters (the Schrems Decision).
This means that organisations which continue to transfer data from the EEA to the US on the basis of Safe Harbor risk breaching the data protection legislation and in the UK, they could face fines of up to £500,000 if the Information Commissioner’s Office (the ICO) takes enforcement action against them.
Organisations which use cloud services or even servers located within the EU may be inadvertently transferring data to the US if the small print in their contracts permits the host company’s US affiliates to access information stored on those servers.
On 2 February, the EU and the US announced that they had negotiated a new data protection transfer mechanism, known as the EU-US Privacy Shield (the Privacy Shield), which is intended to address the inadequacies of Safe Harbor as highlighted by the CJEU in the Schrems Decision. The details of that mechanism were published on 29 February.
US organisations will register and self-certify, on an annual basis, that they comply with the Privacy Principles issued by the US Department of Commerce (DoC).
The DoC will monitor and actively verify compliance by the organisations which have registered as well as maintaining an updated list of current members and an updated list of organisations which have left the Privacy Shield scheme.
Organisations that sign up to the Privacy Shield must:
Organisations which leave the Privacy Shield must continue to apply the Privacy Principles to EU personal data for as long as they retain such data.
An organisation’s failure to comply with the Privacy Principles will be enforceable under section 5 of the US Federal Trade Commission Act.
Individuals in the EEA who consider that their data has been misused will have several avenues of redress:
EU citizens will have the same judicial redress rights as US citizens where there has been a breach of their privacy rights.
For the first time, the US Government has also provided the EU with written assurances that public authorities will only access EU personal data for law enforcement, national security and other public interest purposes and such access will be subject to clear limitations, safeguards and oversight mechanisms.
The new Privacy Shield Ombudsperson mechanism will handle and resolve complaints or enquiries raised by individuals in the EU in relation to possible access of their data by US national intelligence services.
The EU Commission and the DoC will carry out a joint annual review to monitor the functioning of all aspects of the Privacy Shield including the limitations and safeguards relating to national security access. This is also intended to ensure that the US is accountable to its commitments.
The Privacy Principles are made up of 7 Framework Principles and 16 Supplementary Principles.
The Framework Principles are:
This covers the information a US organisation must provide to individuals, including details about the data it processes, how to contact the organisation with enquiries or complaints and details of the designated independent dispute resolution body.
US organisations must offer EU individuals the ability to “opt-out” where their data is to be either disclosed to a third party and/or used for a purpose that is materially different from the purpose for which it was originally collected. Where sensitive personal data is involved, organisations must obtain express “opt-in” consent.
Where US organisations intend to transfer EU personal data to a third party, they must enter into a written contract with that third party to ensure that it complies with the Privacy Principles in respect of the data transferred to it.
US organisations must take reasonable and appropriate measures to protect EU personal data from loss, misuse and unauthorised access, disclosure, alteration and destruction taking into account the risks involved in the processing and the nature of the personal data.
Personal information must be limited to the information that is relevant for the purposes of the processing being carried out. Data must be accurate, complete and up-to-date.
Individuals must have access to personal information that an organisation holds about them and be able to correct, amend or delete information which is incorrect or which has been processed in violation of the Privacy Principles.
Organisations must have in place robust mechanisms for ensuring compliance with the Privacy Principles and must offer recourse for individuals who are affected by non-compliance with the Privacy Principles. This includes having in place, at no cost to the individual, independent recourse mechanisms to investigate and resolve individuals’ complaints, including the award of damages where these are available under the applicable US law. Organisations may also face sanctions for non-compliance.
Although the Privacy Shield is a self-certification system in the same way Safe Harbor was, the Privacy Shield appears to have more teeth as:
The European Commission believes that the Privacy Shield will provide adequate protection for personal data transferred to the US as well as addressing all the criticisms of Safe Harbor, and they have published a draft adequacy decision to this effect.
However, the Article 29 Working Party is not due to deliver its opinion on the Privacy Shield until April. Although the Article 29 Working Party cannot veto the Privacy Shield, given that it is made up of representatives of the national data protection authorities in the EU member states, its opinion is likely to be highly persuasive.
Unlike its French and German counterparts which, according to unconfirmed reports, have already begun to take enforcement action against organisations which continue to use Safe Harbor, the ICO has issued guidance stating that it will not be “rushing to use [its] enforcement powers” as “[t]here is no new and immediate threat to individuals’ personal data that has suddenly arisen that we need to act quickly to prevent“. The ICO will consider complaints from affected individuals whatever transfer mechanism is being used, but the advice remains that UK organisations should review the data they are transferring, where it is going to and what arrangements have been put in place to make sure it is adequately protected, without rushing to make any changes.
While becoming a member of the Privacy Shield is entirely voluntary for US organisations, once an organisation does join, it must fully comply with the Privacy Principles.
US organisations should continue to follow the steps set out in our previous briefing What does the new EU-US Privacy Shield mean for US businesses?
They should also start reviewing their existing policies and procedures to assess whether they comply with the Privacy Principles and updating those policies and procedures where necessary. For example US organisations must publicly disclose their privacy policies which must be in line with the Privacy Principles.
Even if the Privacy Shield is ultimately found not to provide adequate protection, any replacement mechanism will almost certainly impose equivalent obligations on US organisations as a minimum.
UK organisations should also continue to review their existing arrangements in line with our previous briefing and where transfers are being made on the basis of Safe Harbor, they should consider whether any of the alternative mechanisms available (such as the Model Contract Clauses or Binding Corporate Rules) are appropriate.
The overriding message, is that unless and until the ICO’s guidance in this area changes, UK organisations should not panic, but they do need to keep up to date with developments in this area, so that they are ready to implement any changes as soon as there is some certainty about whether or not the Privacy Shield is here to stay.
The Regulatory and Compliance team have considerable experience helping organisations understand and comply with their data protection obligations. If you require assistance with reviewing your current arrangements, drafting policies which are compliant with the Privacy Principles or have any questions relating to the Privacy Shield or data protection generally, please contact Jeanette Burgess, Andrew Northage or another member of the team.