EU-US Privacy Shield: The Future Framework for Transatlantic Data Flows?

Marjorie Becker
LL.M., Columbia Law School, 2016

By striking down the 15-year-old Safe Harbor Framework in its decision Schrems v. Data Protection Commissioner on October 6, 2015,[1] the Court of Justice of the European Union (CJEU) left most self-certified U.S. companies in limbo. The Privacy Shield announced on February 2, 2016 by the EU Commission and the U.S. Department of Commerce (DOC), however, may yet provide relief to some of them.

This new framework comprises various documents—summarized in the draft adequacy decision and related annexes released on February 29, 2016—and aims to comply with the requirements of Schrems by imposing “strong obligations on companies handling Europeans’ data and robust enforcement,” “clear safeguards and transparency obligations on U.S. government access,” and “effective protection of EU citizens’ rights with several redress possibilities.”

U.S. companies’ obligations and enforcement:

Like the former Safe Harbor Framework, the EU-US Privacy Shield is based on a self-certification system (renewable annually) by which U.S. companies commit to a set of seven principles (collectively, the “Privacy Shield Principles”), listed as follows:

  • Notice principle: organizations must inform data subjects of various key elements pertaining to the processing of their personal data, such as the type of information collected, the purpose of the collection, and the organization’s liability for onward transfers. This principle also imposes various safeguards on organizations, such as the publication of a privacy policy that reflects the Privacy Shield Principles and includes a link to the DOC’s website.
  • Choice principle: data subjects must be given the ability to opt out of both the disclosure of personal data to third parties and the use of personal data for a purpose materially different from the stated purpose of the collection. A distinction is made for sensitive data,[2] which must be collected only after affirmative consent from the data subject (opt-in).
  • Security principle: organizations must take “reasonable and appropriate” security measures to protect collected data.
  • Data integrity and purpose limitation principle: personal data collection must be limited to what is relevant for the given purpose. Organizations must also ensure that the data collected is “reliable for its intended use, accurate, complete and current.” In addition, they must not process data in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the data subject.
  • Access principle: unless exceptional circumstances prevail, data subjects must have the right, without having to give a justification and for a non-excessive fee, to access their personal data within a reasonable time. Data subjects also have the right to correct, amend or delete the personal information held by the organization where it is inaccurate or has been processed in violation of the Privacy Shield Principles.
  • Accountability for onward transfer principle: onward transfer of personal data to a third party can be done only for limited and specified purposes and on the basis of a contract (or similar arrangement within a corporate group). Additionally, the third party must commit to provide the same level of protection as the one guaranteed by the Privacy Shield Principles.
  • Recourse, enforcement and liability principle: besides providing strong mechanisms to ensure compliance with the Privacy Shield Principles, self-certified organizations must provide recourse and effective remedies to EU data subjects whose personal data have been processed in a non-compliant manner. Organizations must also periodically verify, through internal or external review processes, that their published privacy policies conform to the Privacy Shield Principles and that they comply with them.

The DOC will maintain and make available a list of self-certified U.S. companies to ease their identification. This list will be updated each year based on the annual re-certification submissions and will also identify organizations that failed to re-certify, withdrew or were removed from the Privacy Shield (i.e. for failing to comply with the Privacy Shield Principles). In addition, each self-certified company’s privacy policy will need to include hyperlinks to the Privacy Shield website and to the independent complaint mechanism to which the company is subject.

To ensure compliance with the EU-US Privacy Shield, the DOC will also monitor false claims of Privacy Shield participation and improper use of the Privacy Shield certification mark. In addition, each EU Data Protection Authority (DPA) will have a point of contact at the DOC to which it can refer organizations for review.

Redress mechanisms available to data subjects:

Data subjects will be able to lodge a complaint:

  • directly with the U.S. organization, which must name in its privacy policy a contact in charge of handling such complaints and must respond to the complaint within 45 days;
  • with a free-of-charge independent dispute resolution body in the EU or the U.S., with which U.S. companies must register in order to self-certify;
  • with a local data protection authority, which will work with the DOC or the Federal Trade Commission (FTC).

As a last resort, the data subject may also invoke binding arbitration before the “Privacy Shield Panel,” which will consist of a pool of at least 20 arbitrators designated by the Department of Commerce and the Commission.

Safeguards against U.S. government access to EU data transferred to the U.S.:

Besides the above, the Privacy Shield aims to provide clear safeguards and transparency regarding U.S. government access to the data of EU data subjects, which was one of the concerns triggered by the Snowden revelations. Accordingly, the Office of the Director of National Intelligence has given written assurances that any access to data by public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, so as to prevent generalized access to personal data. Redress will be provided through the creation of an independent Ombudsperson within the Department of State, who will oversee U.S. signals intelligence activities and will ensure that complaints from individuals are investigated and that information is provided on whether the relevant laws have been complied with. The U.S. Department of Justice has similarly provided assurances regarding limitations on U.S. government access to and use of data for law enforcement and public interest purposes.

Annual Joint Review mechanism:

To monitor the overall framework and the compliance of the U.S. authorities with their commitments, the Privacy Shield will be subject to an Annual Joint Review by the Commission and the DOC, along with any appropriate departments and agencies. If the Commission concludes that compliance with the Privacy Shield is no longer ensured by the U.S., despite its requests, it will be entitled to initiate the procedure leading to suspension or repeal of the adequacy decision.

Towards an adoption of the Privacy Shield?

Still under review, this new Privacy Shield has nonetheless already drawn criticism. Max Schrems, whose complaint against Facebook led to the fall of the previous Safe Harbor, had already raised concerns on his Twitter account regarding the possible collection of “signals intelligence” in bulk under six exceptions prescribed by Presidential Policy Directive 28, which would contravene Schrems and the EU fundamental right to privacy.

On March 17, 2016, during a hearing at the European Parliament’s Civil Liberties, Justice and Home Affairs Committee, certain speakers expressed reservations towards this new framework. While Isabelle Falque-Pierrotin, Chairman of the Article 29 Working Party, expressed her regret at the absence of rules on data retention, on the U.S. “side” Marc Rotenberg, Georgetown University Professor and Head of the Electronic Privacy Information Center, described the Privacy Shield as a “step backwards” for privacy principles and expressed reservations about the complexity of the redress mechanisms.

Thus far, the opinion of the Article 29 Working Party is expected in mid-April, and the adoption of the Privacy Shield is still estimated for June 2016.[3] New developments will thus likely occur during these remaining months, clarifying the future of this new framework and of transatlantic data flows between the EU and the U.S. In the meantime, companies wishing to transfer the data of EU data subjects to the U.S. will have to remain patient and keep relying on alternatives, such as binding corporate rules or approved model contracts.

[1] Schrems v. Data Protection Commissioner, Case C-362/14, EU:C:2015:650

[2] The Privacy Shield adopts the definition of article 8 of the Data Protection Directive 95/46/EC, pursuant to which “sensitive data” are personal data revealing “racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”

[3] At the CeBIT trade fair on March 14, Digital Commissioner Günther H. Oettinger still estimated adoption of the Privacy Shield in June 2016.