On February 29 the European Commission released its Draft Adequacy Decision and supplemental documents on the EU-U.S. Privacy Shield (“Privacy Shield”), giving businesses that transfer data from the European Union to the United States their first detailed look at the new trans-Atlantic data transfer arrangement. While the Privacy Shield offers a simplified method for importing personal data from the EU, it also imposes strong privacy protection obligations and dispute resolution requirements on participating companies, and promises increased compliance scrutiny by U.S. and EU regulators.
The Privacy Shield’s details come weeks after the European Commission announced on February 2 that American and European negotiators had reached an agreement to replace the U.S.-EU Safe Harbor Framework (“Safe Harbor”), which the Court of Justice for the European Union (“CJEU”) invalidated last October in Schrems v. Data Protection Commissioner. Like the Safe Harbor program, the Privacy Shield will be a voluntary self-certification framework administered by the U.S. Department of Commerce, and will allow U.S.-based companies to facilitate trans-Atlantic data transfers in lieu of using model contractual clauses or Binding Corporate Rules (“BCRs”).
But the Privacy Shield will go further than just restoring the status quo ante Schrems. Instead, the new data transfer framework is built upon a set of stringent “Privacy Principles” issued by the Commerce Department that U.S. companies will have to comply with to participate, and imposes more rigorous –and likely more costly – oversight, redress, and enforcement obligations on participating businesses.
Though the Privacy Shield’s details have been released, its implementation is still many months away. In the meantime, U.S. companies that are considering participating in the new data transfer arrangement should review the increased monitoring and privacy requirements that they will be subject to and determine whether the Privacy Shield will be a better alternative to BCRs and model contractual clauses.
Privacy Compliance under the EU-U.S. Privacy Shield
The Privacy Shield’s core compliance obligations are built around its “Privacy Principles,” which U.S. companies must agree to adhere to through self-certification with the Commerce Department in order to import data from the EU under the framework. At their heart, the Principles will require U.S. companies to:
- Provide notice to EU citizens regarding how their data is collected and processed;
- Allow individuals to choose to “opt-out” (or in the case of sensitive information, “opt-in”) when their personal data is shared with non-agent third parties or used in ways “materially different” from its original purpose;
- Implement “reasonable and appropriate” data security measures, including contractually requiring all sub-processors to provide the same level of data security demanded by the Privacy Principles;
- Ensure the reliability and integrity of personal data, and process personal data in only those ways authorized;
- Provide EU citizens with access to their personal information, including the right to confirm whether their personal data is being processed by an organization;
- Limit “onward transfers” of personal data to specific purposes that are based upon a contract and which include data protections equivalent to the Privacy Principles, with more detailed responsibilities and conditions than under Safe Harbor on data processing by suppliers and other third parties (including some form of notice and choice); and
- Provide “robust” compliance and recourse mechanisms, giving EU citizens access to free and independent recourse mechanisms to redress alleged non-compliance.
Complaint Handling, Dispute Resolution and Redress Requirements
Perhaps the most important aspect of the Privacy Shield is its new redress requirements, which places significant time and cost burdens on participating companies to resolve complaints. EU citizens will now be able to file complaints for non-compliance against self-certifying U.S. companies directly, or through the European data protection authorities (“DPAs”), which will then be relayed via the Commerce Department.
Self-certifying companies will have to respond to complaints of non-compliance within 45 days. Crucially, companies will have to designate an “independent dispute resolution body” to investigate and resolve EU citizens’ complaints free of charge, meaning that businesses must bear the cost of resolving individuals’ complaints.
Further, both the Commerce Department and the Federal Trade Commission (“FTC”) may also investigate non-compliance complaints from a DPA, and self-certifying companies will be required to respond to requests from both agencies during an investigation. Moreover, companies that import human resources data from the EU or voluntarily subject themselves to the oversight of a DPA must also submit to and comply with the DPA’s decision pursuant to an investigation. Finally, if a complaint is still not resolved, EU citizens may seek binding arbitration before the “Privacy Shield Panel,” which can provide only non-monetary equitable relief.
Ultimately, the Privacy Shield establishes an extensive list of redress options to ensure that EU citizens’ complaints are heard, but its extensiveness means that even resolving one complaint could be a protracted and costly endeavor for a self-certifying company to resolve.
Increased Oversight and Enforcement by U.S. Agencies
Further, U.S. companies will face more rigorous oversight from the Commerce Department and the FTC. The Commerce Department has committed to maintaining a “Privacy Shield List,” cataloging actively certified U.S. companies, and will monitor both current and past Privacy Shield participants to ensure that personal data from the EU is processed in accordance with the Privacy Policies. Self-certifying companies will be required to promptly respond to requests for information from the Commerce Department, which may conduct ex officio compliance reviews.
The Commerce Department can remove a company from the Privacy Shield List if it finds the company has “persistently” failed to comply with the Privacy Principles, and refer perceived violations to the FTC for further enforcement action.
The Takeaway: Assess and Prepare for Compliance While Waiting for Privacy Shield’s Review
It will likely still be some months until the Privacy Shield will be effective and available for interested companies to use, as the European Commission is awaiting comments from the EU’s Article 29 Working Party (“WP29”) and the Article 31 Committee representing EU national governments before deciding whether to have the Draft Adequacy Decision approved by the full European Commission or make further changes in the terms of the Privacy Shield. Additionally, possible legal challenges to the sufficiency of the framework in light of the Schrems decision could delay implementation even further.
But in the meantime, U.S. companies that accept personal data from Europe should seriously consider whether participating in the Privacy Shield would be an effective and efficient means of importing personal data from the EU. In addition to the compliance and oversight aspects of the Privacy Shield, businesses should consider the following in their decision:
- If approved, Privacy Shield will provide “adequate” personal data protections. Though the WP29 and the Article 31 Committee still need to review and provide comment on the Privacy Shield’s rules, the European Commission has already stated in its Draft Adequacy Decision that the Privacy Shield provides an adequate level of protection for personal data transferred from the EU. Should the WP29 sign off on the framework with little-to-no changes, the European Commission might ratify the framework shortly thereafter. Thus, businesses that prepare early for compliance with the Privacy Shield’s requirements will be in a strong position once the framework is adopted.
- BCRs and model clauses may also face changes. Since the Privacy Shield is not yet available for companies to take advantage of, BCRs and model contractual clauses remain a valid way to import personal data from the European Union. But the WP29 has previously stated that it will review the viability of both devices in light of the Schrems decision as part of its Privacy Shield assessment.