Introduction of the EU-U.S. Privacy Shield
Published: Aug 3, 2016
On July 12, 2016 the European Commission adopted the long-awaited EU-U.S. Privacy Shield, set to fill the legislative gap left by the invalidation of the US Safe Harbor Decision in October 2015.
In accordance with the requirements set forth by the European Court of Justice, the new framework aims to provide actual and effective protection for those EU residents whose personal data is transferred to the United States and to bring legal clarity to companies dependent on international data transfers. The EU-U.S. Privacy Shield enables the effective protection of personal rights, provides safeguards with respect to the U.S. government’s access to data, and stipulates strict obligations on U.S. companies receiving personal data from the EU. Each year, parties to the agreement must meet and evaluate the execution and implementation of the new scheme. European lawmakers hope that the new framework will restore the confidence of data subjects in cases of international data transfer(s).
Based on the EU-U.S. Privacy Shield, the U.S. Department of Commerce (hereinafter referred to as: DoC) shall continually assess participating companies in order to guarantee their compliance with the rules based on the information they submit. Special restrictions apply to further transfer from a Privacy Shield Participant. Non-compliance may lead to sanctions and exclusion from the list.
Anyone who believes their data has been mishandled under the Privacy Shield regime may turn to the company in question. Should the company fail to remedy the complaint, free alternative dispute resolution options are available. Data subjects may contact their national data protection authority (hereinafter: DPA) to help resolve issues that may arise. If all else fails, an arbitration mechanism will be available as a last resort.
The U.S. Government provided the EU with assurance that the access of public authorities is also subject to clear limitations, safeguards and possibilities of redress. Random mass surveillance of personal data is forbidden. Bulk collection of data may only be applied in cases where specific preconditions are met, and even in such cases collection must be as focused as possible. Certain safeguards will be in place even under such exceptional circumstances. A wide array of redress possibilities is available.
Operation of the Privacy Shield will be continuously monitored. The European Commission and the DoC will conduct yearly reviews aided by national intelligence experts from the U.S. and European DPAs. Findings of these annual assessments shall be summarized in the form of a public report to the European Parliament and the Council.
The DoC will commence operation of the Privacy Shield after it is published in the Federal Register. The Commission will simultaneously publish a brief guide for data subjects on available remedies – a so-called “Citizen’s Guide”.
U.S. companies looking to receive personal data from the EU under the Privacy Shield must review the scheme and update their compliance. The DoC will begin accepting certifications from August 1, 2016.
Details of the EU-U.S. Privacy Shield
The EU-U.S. Privacy Shield is based on self-certification through which U.S. companies must comply with a number of privacy principles – the EU-U.S. Privacy Shield Framework Principles (hereinafter: Principles). The Principles shall apply to both data controllers and data processors. Processors must at all times be contractually bound to act only on instructions from the data controller. The Principles shall generally apply immediately upon certification; however, a grace period of nine (9) months is provided to bring pre-existing commercial relationships into conformity with the Principles – provided that the self-certification takes place by the end of September. During the transition period, data subjects are entitled to opt out of having their personal data transferred. Once certified, each company must recertify yearly in order to be able to continually rely on the Privacy Shield for receiving personal data from the EU.
Further details, including a Guide to Self-Certification, are available on the website of the DoC: https://www.commerce.gov/page/eu-us-privacy-shield
Once a company has – at its own discretion – decided to certify, compliance with the Principles is compulsory.
Based on the Notice Principle, companies must disclose to data subjects multiple conditions regarding the processing of their data. Privacy policies reflecting the Principles must be made public and must include a link to the DoC’s website, the Privacy Shield List, and the website of a compliant alternative dispute settlement provider.
Data Integrity and Purpose Limitation Principle
Personal data transferred must be limited to what is relevant for the purpose of the processing, reliable for its anticipated use, precise, comprehensive and up-to-date. No data may be processed in a manner incompatible with the purpose for which it was originally collected or consequently authorized by the data subject. Personal data may be kept only for as long as it serves the purpose(s) for which it was collected or subsequently authorized. Processing for a longer duration will only be deemed acceptable in case it reasonably serves at least one of the following purposes: archiving in the public interest, journalism, literature and art, scientific and historical research and statistical analysis.
Data subjects are provided with the right to object and opt out in case a new or amended purpose is materially different from, but still compatible with, the original purpose. This shall however at no time be interpreted to override the absolute prohibition on data processing incompatible with the initial purpose.
Companies handling personal data must take reasonable and appropriate security measures. In case of sub-processing, companies must conclude a contract with the sub-processor which guarantees the same level of protection as ensured by the Principles.
Under the Access Principle, data subjects have the right to obtain confirmation within a reasonable time of whether a given company is processing personal data related to them and if so, what personal data is being processed. No justification of the request may be required from the data subject. A fee may be requested, however it cannot be excessive. Data subjects must be able to correct, amend or delete their data in case it is inaccurate or has been processed unlawfully.
Recourse, Enforcement and Liability Principle
Data subjects may also submit their complaint directly to an independent dispute resolution body selected by the company to provide free recourse to individuals. The DoC will verify that companies have actually registered with the recourse forums they claim to be registered with. Companies may choose independent recourse possibilities either in the United States or in the EU. This includes the option to voluntarily agree to cooperate with the European DPAs. No such choice is provided in the case of companies processing HR data – cooperation with DPAs in that case is mandatory. Companies must respond to questions and comply with advice provided by the DPA. In case a complaint is brought to a DPA which is not eligible to directly act as a recourse forum, the DPA shall forward the complaint either to the DoC or to the Federal Trade Commission (hereinafter: FTC).
Privacy Shield certified companies must be subject to the investigatory and enforcement powers of U.S. authorities – specifically the FTC. The FTC can enforce compliance through administrative orders and will regularly monitor compliance with such orders.
In cases where complaints are not resolved by any available recourse procedure, individuals may, as a last resort, turn to binding arbitration under the Privacy Shield Panel. Companies must notify data subjects of their right to turn to binding arbitration. The Privacy Shield Panel consists of a pool of at least twenty (20) arbitrators assigned by the DoC and the Commission. Arbitration may not be invoked if a DPA has full legal authority to settle the claim.
Additional possibilities for judicial remedy may be available under U.S. law, whether under tort law, in cases of fraudulent misrepresentation or unfair or deceptive practices, or for general breach of contract.
Accountability for Onward Transfer Principle
Special guidelines apply to onward transfers, i.e. transfers of data from an EU-U.S. Privacy Shield certified company to a third party controller or processor, either within or outside the U.S. (but at all times outside the EU). Such onward transfers may only take place (i) for limited and specified purposes, (ii) on the basis of a contract and (iii) only if such contract ensures the same level of protection as that provided by the Principles. Data subjects must be informed of any third party recipient and can opt out. In the case of sensitive data, affirmative express consent, i.e. an explicit opt-in, is required for onward transfers. Receiving third parties may only process transmitted data for purposes not incompatible with the original or subsequently authorized purposes.
Oversight and Enforcement
The EU-U.S. Privacy Shield includes oversight and enforcement procedures which guarantee that self-certified companies actually comply with the Principles. The DoC shall maintain and disclose a list of companies and organizations that have self-certified their commitment to the Principles. This Privacy Shield List and the recertification submissions shall be available through a website operated by the DoC. The DoC will continuously conduct compliance reviews of self-certified companies. Companies that have persistently breached compliance with the Principles will be removed from the Privacy Shield List and must return or delete data received under the EU-U.S. Privacy Shield.
Leaving the Shield
Access by U.S. Public Authorities
Adherence to the Principles may be limited to the extent necessary to meet national security, public interest or law enforcement requirements. The Commission has evaluated the restrictions and safeguards applicable in the U.S. regarding access by U.S. authorities to data transferred under the EU-U.S. Privacy Shield. Upon such evaluation the Commission found that U.S. law establishes a number of limitations regarding access to transferred data, together with oversight and redress procedures that guarantee effective protection against an illegal invasion of privacy. Targeted data collection is always prioritized and mass collection is limited to exceptional cases. The USA Freedom Act (enacted on June 2, 2015 in replacement of the prior U.S. Patriot Act) explicitly prohibits the bulk collection of records and calls for the use of specific selection terms.
Once data has been transferred to companies self-certified under the EU-U.S. Privacy Shield, intelligence agencies may only request access to personal data if their request complies with the Foreign Intelligence Surveillance Act (hereinafter: FISA) or is made by the Federal Bureau of Investigation on the basis of a National Security Letter. Procedures based on the FISA limit mass collection and only allow targeted access. Furthermore, the U.S. government has given the Commission categorical assurance that the U.S. Intelligence Community does not engage in indiscriminate surveillance of European citizens. Access to collected data shall be limited to authorized personnel on a “need to know” basis.
In case access does take place, several options are available to EU data subjects regarding the processing of their data, including specific remedy options under the FISA itself, the USA Freedom Act and the Freedom of Information Act. To provide a new redress option for EU data subjects, the U.S. government has decided to establish a new ombudsperson mechanism. The Privacy Shield Ombudsperson will be independent from the U.S. Intelligence Community, which means that it may not receive instructions from any authority concerned. To ensure easy accessibility for EU data subjects, complaints can be addressed to the supervisory authority in the given Member State competent for the oversight of national security services and/or the processing of personal data by public authorities; that authority shall forward complaints to a centralized EU body, from where they will be channelled to the Privacy Shield Ombudsperson. The main reason for establishing such a mechanism is to make sure that no complaint is left unanswered – thus the Privacy Shield Ombudsperson must at all times either confirm compliance or confirm the remediation of any non-compliance.
Regarding the possible interference with personal data transferred under the EU-U.S. Privacy Shield for law enforcement purposes, the Commission has also declared that an adequate level of protection is provided for. The Fourth Amendment ensures dignity, privacy, and protects against random and intrusive acts by officers of the Government. Although the Fourth Amendment does not apply to non-U.S. citizens residing outside the United States, EU residents whose data is transferred based on the Privacy Shield can still benefit from its protections, as their personal data will be held by U.S. companies, thus law enforcement authorities must generally seek judicial authorization to access data.
Redress possibilities regarding access for law enforcement purposes include the options provided for in the Administrative Procedure Act (hereinafter: APA), the Electronic Communications Privacy Act (hereinafter: ECPA) and the Freedom of Information Act (hereinafter: FOIA). Generally, under the APA any person suffering a legal wrong because of agency action is entitled to judicial review. The ECPA criminalizes unlawful access to wire, oral or electronic communications stored by third-party service providers and provides recourse rights for affected individuals. Under the FOIA anyone has the right to gain access to federal records.
Assessing all of the above measures and processes, the Commission has decided that the United States ensures an adequate level of protection for personal data transferred to companies under the EU-U.S. Privacy Shield, i.e. the Principles laid down by the DoC ensure a level of protection of personal data that is essentially equivalent to that guaranteed by Directive 95/46/EC. Interference by U.S. authorities with the fundamental rights of persons whose data were transferred under the Privacy Shield will be limited to what is strictly necessary to achieve certain legitimate objectives.
As the level of protection provided by U.S. law may change from time to time, the Commission shall regularly check whether the level of protection ensured by the EU-U.S. Privacy Shield is still warranted. Apart from ad hoc assessments, the adequacy decision will be subject to a regular Annual Joint Review. Within the scope of the Annual Joint Review, the Commission will meet with the DoC and the FTC, as well as representatives of the Intelligence Community and the Ombudsperson, and the DoC shall provide a wide range of information on all significant aspects of the operation of the Privacy Shield. The Commission will prepare a public report on the basis of the Annual Joint Review.
In case the Commission determines that the level of protection provided by the Privacy Shield can no longer be regarded as essentially equivalent to that established in the EU, it will notify the DoC thereof and request appropriate measures. In case such notification proves futile, the Commission shall initiate the procedure for the amendment, suspension or repeal of its adequacy decision. The Commission may also initiate such procedure in cases where those responsible fail to provide information essential for the evaluation of compliance.
The content of this newsletter is for information purposes only and should not be treated as legal advice by KNP LAW Nagy Koppany Varga and Partners or any of their attorneys. For more information please contact us.