Proposed Privacy Shield Framework Releases
As was discussed in the Spring 2016 Legal Press newsletter, the European Union Data Protection Directive (EUDPD) is one of the most stringent data protection laws in the world. It generally prohibits EU residents’ personal data from being transferred to a country outside of the European Economic Area (EEA). For the past 15 years, US companies with EEA operations were permitted to transfer personal data from the EEA to the US by self-certifying under the EU-US Safe Harbor Framework. The Court of Justice of the European Union (CJEU) recently invalidated the EU-US Safe Harbor Framework, mainly due to a concern that personal data transferred by Facebook from the EEA to the US was not adequately protected from National Security Agency (NSA) surveillance activities.
Since the invalidation of the EU-US Safe Harbor, the US and EU have been actively working on a new safe harbor provision, entitled “Privacy Shield.” The European Commission published details regarding the Privacy Shield Framework at the end of March 2016, designed to ensure that companies respect their obligations regarding the personal information of EU residents, while permitting the NSA to continue carrying out data collection for national security purposes subject to clear limitations, safeguards, and oversight mechanisms.
While all of the details have yet to be decided upon and approved, the proposed Privacy Shield Framework contains four main elements:
• Strong obligations on companies and robust enforcement: The new arrangement will contain supervision mechanisms to help ensure that companies respect their obligations, including sanctions or exclusion if they do not comply. The new rules also include tightened conditions for onward transfers to other partners by the companies participating in the scheme.
• Effective protection of EU citizens’ rights with several redress possibilities: A new free-of-charge Alternative Dispute Resolution solution will be available, as well as the traditional national Data Protection Authorities (DPAs). If a case is not resolved by any of the other means, as a last resort there will be an enforceable arbitration mechanism. Moreover, all companies may choose to comply with advice from European DPAs. However, compliance is obligatory for companies handling human resource data. Complaints have to be resolved by companies within 45 days.
• Clear safeguards and transparency obligations on U.S. government access: For the first time, the US government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.
• Annual joint review mechanism: The European Commission and the U.S. Department of Commerce will conduct an annual review and consult with national intelligence experts from the US and European Data Protection Authorities in an effort to monitor the functioning of the Privacy Shield. The Commission will also hold an annual privacy summit to discuss broader developments in the area of US privacy law and their impact on Europeans. On the basis of the annual review, the Commission will issue a public report to the European Parliament and the Council.
US companies wishing to avail themselves of the safe harbor provisions within the Privacy Shield Framework will be required to register annually on the Privacy Shield List and self-certify that they meet the requirements set out. The US Department of Commerce will monitor and actively verify that companies’ privacy policies are readily available and presented in line with the relevant Privacy Shield principles. The US will also maintain an updated list of current Privacy Shield members and remove those companies that have left the arrangement. Additionally, the Department of Commerce will ensure that former Privacy Shield members continue to apply Privacy Shield principles to personal data received while they were in the Privacy Shield program, for as long as the data is retained.
However, until the Privacy Shield Framework is finalized and approved by EU regulators, US companies that formerly depended upon the invalidated Safe Harbor should look to other avenues of transferring data that comply with the EUDPD. Such measures can include: (1) filtering EU residents’ non-personal data from the personal data and transferring only non-personal data to the US; (2) partnering with hosting vendors within the EEA to avoid transferring EU residents’ personal data altogether, while allowing for either local or US review; (3) obtaining unambiguous consent to the data transfer from the EU residents, such as employees and customers; (4) entering into model contracts governing trans-Atlantic data transfer, which contain provisions pre-approved by EU regulators; and (5) adopting Binding Corporate Rules (BCRs), which permit the transfer of personal data between divisions and affiliates of the same organization.
Overall, US businesses transferring the personal data of EU residents should take note of this CJEU decision and the progress of the Privacy Shield Framework, and should consult legal counsel to establish alternative data transfer methods for compliance with the EUDPD. Updates will be provided in future editions of this newsletter regarding the Privacy Shield as the Framework solidifies and progresses through the approval process.
If you would like to learn more about this topic, please contact: Charles Andrew Hayes, Esq. at firstname.lastname@example.org. Mr. Hayes is a member of the WHV cybersecurity and intellectual property practice groups.