On February 29, 2016, the European Commission (EC) and U.S. Department of Commerce (DOC) published a series of documents providing details for the implementation of the new EU-US Privacy Shield framework for the transfer of personal data from the European Union to the United States. Once it is formally adopted by the EC sometime this spring, this new framework will replace the Safe Harbor scheme that was invalidated by the European Court of Justice (ECJ) in October of 2015 in the Schrems decision.
Among the documents published by the DOC was a detailed set of Privacy Shield Framework Principles, which outlines the requirements that U.S. companies must follow to qualify as a Privacy Shield company. These principles create more onerous obligations on participating U.S. companies than the Safe Harbor framework and require U.S. regulators, including the Federal Trade Commission (FTC), to engage in stricter monitoring and enforcement efforts.
Stricter Obligations for Privacy Shield Companies
Some of the significant requirements Privacy Shield companies must now follow include:
- Notice Requirements: Companies must inform individuals of their access rights to personal data, explain that personal data may be disclosed in response to lawful requests from public authorities, describe the company’s liability for onward transfers of personal data to third parties, provide information and direct links to the DOC’s website and “Privacy Shield List,” and provide links to information about an appropriate, cost-free alternative dispute resolution mechanism.
- Onward Transfers to Third Parties: Companies may transfer EU personal data to third parties only for limited and specified purposes consistent with the data subject’s consent and only if the parties have entered into a contract that provides the same level of protection for the data as the Privacy Shield would offer.
- Verification and Assessment: Companies must verify compliance through self-assessments or assessments conducted by outside organizations.
- Redress Mechanisms: Companies must implement a multi-step redress mechanism to resolve complaints. First, companies must permit individuals to file complaints directly with the company and must respond to the complaint within 45 days. Second, companies must notify individuals that they may bring complaints directly to their Data Protection Authority (DPA), which will work with the DOC and the FTC to resolve any outstanding issues. Third, companies must offer an alternative dispute resolution provider free of charge. Fourth, and as a last resort, companies must notify individuals that they may invoke binding arbitration by a Privacy Shield Panel selected from arbitrators designated by the DOC and the European Commission.
- HR Data: Companies that handle human resources data from EU citizens will be subject to the national laws of the EU country where the data is collected. Thus, these companies must commit to cooperate in investigations by and comply with the advice of applicable national DPAs regarding such data.
- Sensitive Data: Companies must receive affirmative, express consent from data subjects to process sensitive data unless such processing falls within certain limited exceptions including processing of data necessary to carry out the company’s obligations in the field of employment law. “Sensitive personal data” typically includes race, national origin, religion, union status, political beliefs, philosophical beliefs, and medical information.
- Privacy Policies: Companies must establish a privacy policy to notify individuals of the type of data collected, how the data is handled, and available opt-out mechanisms. Companies with online privacy policies must also include (1) a statement that the company will comply with the Privacy Shield; (2) a pledge not to collect more personal information than is needed; (3) a point of contact, either within or external to the organization, to handle complaints by individuals; and (4) links to the DOC’s Privacy Shield website and the website or complaint submission form of the independent dispute resolution body selected.
- Annual Certification: Companies must annually certify with the DOC their commitment to comply with the Privacy Shield principles. If a company decides to leave the Privacy Shield framework, it must certify with the DOC that it will continue to comply with the Privacy Shield principles for information that it had received or chosen to keep during the time that the company had participated in the Privacy Shield framework.
Stricter Enforcement by Regulators
U.S. and EU regulators will be responsible for the robust enforcement of the Privacy Shield as follows:
- The DOC will actively monitor compliance with the Privacy Shield by conducting compliance reviews of companies, including detailed questionnaires and reviews of published privacy policies.
- The FTC has committed to vigorous enforcement of the Privacy Shield framework, including receiving referrals of complaints from EU DPAs, the DOC, privacy self-regulatory bodies, and alternative dispute resolution providers.
- National DPAs have the authority to channel complaints they receive to the appropriate U.S. authorities, cooperate with such authorities to resolve the complaint, assist complainants to bring arbitration cases before the Privacy Shield Panel, and exercise oversight over HR data transfers.
Limits on U.S. Surveillance
To address the concerns that led to the invalidation of the Safe Harbor framework, the Privacy Shield provides clear limits and safeguards with respect to U.S. government access to data transferred from the EU. The United States will establish an ombudsman within the U.S. Department of State who will be independent from national security services and serve as a point of contact for foreign governments raising concerns about U.S. surveillance activities.
Annual Joint Review Mechanism
The European Commission and DOC will conduct annual joint reviews of the operation of the Privacy Shield program. Further, the European Commission will determine whether the adequacy of protection under Privacy Shield is factually and legally justified and will have the power to suspend or repeal its adequacy decision.
Next Steps
Much work remains for both the EU and United States before the Privacy Shield can be implemented. The Article 29 Working Party, a group of regulators representing the 28 EU member states, must issue its approval of the Privacy Shield before it can be presented to the European Commission for a finding of “adequacy” as required under the current EU Data Protection Directive. Further, the U.S. must put in place its enforcement mechanisms. Commentators are predicting that Privacy Shield will not become operative until June of 2016.
In the meantime, former Safe Harbor companies should revise their Safe Harbor programs to comply with the stricter Privacy Shield requirements. Additionally, until the Privacy Shield becomes effective, companies should continue to rely on standard contractual clauses and existing binding corporate rules to transfer data from the EU to the United States.
Ogletree Deakins will keep you up to date on the latest developments in this rapidly-evolving area of international data privacy law by means of the firm’s Data Privacy blog, webinars, and seminars. Stay tuned.