Proposed Privacy Shield Framework Releases
As was discussed in the Spring 2016 Legal Press newsletter, the
European Union Data Protection Directive (EUDPD) is one of the most stringent
data protection laws in the world. It generally prohibits EU residents’
personal data from being transferred to a country outside of the European
Economic Area (EEA). For the past 15 years, US companies with EEA operations
were permitted to transfer personal data from the EEA to the US by
self-certifying under the EU-US Safe Harbor Framework. The Court of Justice of
the European Union (CJEU) recently invalidated the EU-US Safe Harbor Framework,
mainly due to a concern that personal data transferred by Facebook from the EEA
to the US was not adequately protected from National Security Agency (NSA)
Since the invalidation of the EU-US Safe Harbor, the US and EU
have been actively working on a new safe harbor provision, entitled “Privacy
Shield.” The European Commission published details regarding the Privacy Shield
Framework at the end of March 2016, designed to ensure that companies respect their
obligations regarding the personal information of EU residents, while
permitting the NSA to continue carrying out data collection for national
security purposes subject to clear limitations, safeguards, and oversight
While all of the details have yet to be decided upon and
approved, proposed Privacy Shield Framework contains four main elements:
- Strong obligations on companies and robust enforcement: The new arrangement will contain supervision mechanisms to help ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. The new rules also include tightened conditions for onward transfers to other partners by the companies participating in the scheme.
- Effective protection of EU citizens’ rights with several redress possibilities: A new free of charge Alternative Dispute Resolution solution will be available, as well as the traditional national Data Protection Authorities (DPAs). If a case is not resolved by any of the other means, as a last resort there will be an enforceable arbitration mechanism. Moreover, all companies may choose to comply with advice from European DPAs. However, compliance is obligatory for companies handling human resource data. Complaints have to be resolved by companies within 45 days.
- Clear safeguards and transparency obligations on U.S. government access: For the first time, the US government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
- Annual joint review mechanism: The European Commission and the U.S. Department of Commerce will conduct an annual review and consult with national intelligence experts from the US and European Data Protection Authorities in an effort to monitor the functioning of the Privacy Shield. The Commission will also hold an annual privacy summit to discuss broader developments in the area of US privacy law and their impact on Europeans. On the basis of the annual review, the Commission will issue a public report to the European Parliament and the Council.
US companies wishing to avail themselves of the safe harbor
provisions within the Privacy Shield Framework will be required annually to
register to be on the Privacy Shield List and self-certify that they meet the
requirements set out. The US Department of Commerce will monitor and actively
verify that companies’ privacy policies are readily available and presented in
line with the relevant Privacy Shield principles. The US will also maintain an
updated list of current Privacy Shield members and remove those companies that
have left the arrangement. Additionally, the Department of Commerce will ensure
that former Privacy Shield members continue to apply Privacy Shield principles
to personal data received when the former members were in the Privacy Shield
program, for as long as the data is retained.
However, until the Privacy Shield Framework is finalized and
approved by EU regulators, US companies that formerly depended upon the
invalidated Safe Harbor should look to other avenues of transferring data that
comply with the EUDPD. Such measures can include: (1) Filter EU residents’
non-personal data from the personal data, and transfer only non-personal data
to the US. (2) Partner with hosting vendors within the EEA to avoid
transferring EU residents’ personal data altogether, while allowing for either
local or US review. (3) Obtain unambiguous consent to the data transfer from
the EU residents, such as employees and customers. (4) Enter into model
contracts governing trans-Atlantic data transfer, which contain provisions
pre-approved by EU regulators; (5) Adopt Binding Corporate Rules (BCRs), which
permits the transfer of personal data between divisions and affiliates of the
Overall, US businesses transferring the personal data of EU
residents should take note of this CJEU decision, the progress of the Privacy
Shield Framework, and consult legal counsel to establish alternative data
transfer methods for compliance with the EUDPD. Updates will be provided in
future editions of this newsletter regarding the Privacy Shield as the
Framework solidifies and progresses through the approval process.
If you would like to learn more about this topic, please
contact: Charles Andrew Hayes, Esq. at email@example.com. Mr. Hayes is a
member of the WHV cybersecurity and intellectual property practice groups.