Personal data transfers from the European Union are about to get easier for U.S. companies. On July 12, 2016, the European Commission announced that it officially approved the EU-U.S. Privacy Shield, paving the way for the new trans-Atlantic data transfer agreement to formally replace the U.S.-EU Safe Harbor Framework, which the Court of Justice of the European Union invalidated last October. Since the Safe Harbor’s invalidation, U.S. companies have been restricted to using model contractual clauses or Binding Corporate Rules (BCRs) to import EU residents’ personal data to the United States.
The formal adoption of the Privacy Shield opens the door for U.S.-based companies to once again make transfers of personal data from the EU through a simpler mechanism in lieu of using model contractual clauses or BCRs. The data transfer pact enters into force immediately in the EU following notification to all EU member states, and U.S. companies will be able sign up with the U.S. Department of Commerce starting August 1. Companies participating in the Privacy Shield framework will have to, among other provisions, agree to adhere to a set of stringent “Privacy Principles” through self-certification with the U.S. Department of Commerce, and provide EU citizens with an extensive array of redress options to resolve non-compliance complaints. Other key components of the finalized arrangement include:
- Regular compliance reviews of participating U.S. companies by the Department of Commerce, and potential sanctions and removal from Privacy Shield list for non-compliance;
- Stronger onward transfer restrictions, requiring third parties that receive personal data from Privacy Shield participants to contractually agree to only process personal data for limited and specific purposes, provide “the same level of protection” under the Privacy Principles, and inform the participating company when it cannot ensure “the appropriate level of data protection.”
- Clearer data retention requirements, allowing participating companies to keep personal data only for as long as it serves the purposes it was collected for (though data that is not “in a form identifying or making identifiable the individual” may be kept longer);
- Tighter limits on and greater oversight of U.S. government access to transferred personal data, including:
- Greater restrictions on bulk data collection, with written assurance from the Office of the Director of National Intelligence (ODNI) that bulk collection can only be used under specific circumstances.
- Further assurances from ODNI that the data is not subject to indiscriminate, mass surveillance, as “the United States does not collect all communications from all communications facilities everywhere in the world, but applies filters and other technical tools to focus its collection on those…of foreign intelligence value.”
- Establishing a Privacy Shield Ombudsperson within the U.S. Department of State to handle complaints from Europeans who believe their information has been used unlawfully by U.S. authorities for national security purposes. U.S. Secretary of State John Kerry included additional assurances that the Ombudsperson will operate independent of the U.S. intelligence community to satisfy European concerns over the Ombudsperson’s relationship with the U.S. intelligence agencies.
The Commission’s much-anticipated announcement comes just days after the EU’s Article 31 Committee – comprised of representatives of the current 28 member states – voted to approve the Privacy Shield on July 8. The Commission released its Draft Adequacy Decision on the Privacy Shield in February, but the Article 31 Committee’s vote and the European Commission’s eventual approval of the Privacy Shield stalled after the EU Article 29 Working Party (WP29), the European Parliament, and the European Data Protection Supervisor (EDPS) expressed misgivings over bulk data collection, government access to transferred data, the independence of the U.S. Ombudsman and other provisions, and asked European and American negotiators to re-open talks to improve perceived deficiencies in the data transfer arrangement. The United States agreed to new concessions in response to these concerns, even though only EU member states have the power to block its adoption, partly in anticipation of a legal challenge before the same court that invalidated the original Safe Harbor framework.
The Takeaways: What’s Next for Companies Looking to Join the Privacy Shield?
August 1 is not too far away, so companies interested in the new framework should move swiftly to assess whether the Privacy Shield is the best way to solve their data importation needs. Such companies should also consult with knowledgeable counsel on how to begin the Privacy Shield’s self-certification process, and to determine what processes and mechanisms they will need to implement prior to seeking self-certification, such as the required redress mechanisms to resolve complaints from individuals in the EU.
Finally, interested companies should be aware that their compliance obligations under the data transfer pact may change over time with developments in U.S. and EU law, including the implementation of the EU’s General Data Protection Regulation in May 2018 as well as the United Kingdom’s future exit from the European Union.
Please return to the Privacy and Security Law Blog in the coming days for an in-depth analysis of the finalized EU-U.S. Privacy Shield and how your company can come into compliance.