Alert August 11, 2016

EU-US Privacy Shield Framework Formally Adopted

Summary
On July 12, 2016, the European Commission formally adopted the Privacy Shield, a new transatlantic framework for the transfer of personal data from the European Union (EU) and certain countries of the European Economic Area (EEA) to the United States (US). The Privacy Shield replaces the Safe Harbor framework that was invalidated by the European Court of Justice (CJEU) in October 2015. The US Department of Commerce began accepting self-certifications to the Privacy Shield on August 1, 2016. US companies should consider whether joining the Privacy Shield makes sense for their business, depending on factors such as the company’s size, group privacy structure, industry, volume and type of data transferred from the EU to the US, and current data handling practices. If they decide to join and go through the certification process, businesses should first review and update their compliance programs and policies to meet the Privacy Shield’s requirements.

1. What is the Privacy Shield?

The Privacy Shield is a framework for the transfer of personal data from the EU and three EEA countries (Norway, Iceland, and Lichtenstein) to the US It was designed by the US Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU cross-border data transfer requirements.

The Privacy Shield is intended to replace the EU-US Safe Harbor, a transatlantic data transfer framework established in 2000 that was invalidated by the CJEU on October 6, 2015 in Schrems. In the CJEU’s opinion, the Safe Harbor did not prevent large-scale access by the US intelligence authorities to data transferred from Europe. The CJEU also noted that EU individuals were unable to obtain redress in the US for misuse of their data. For further details on invalidation of the Safe Harbor, please see our previous client alert.

The European Commission has been calling for a review of the EU-US Safe Harbor since the revelations in 2013 by former US intelligence contractor Edward Snowden on US surveillance practices. After the invalidation of the Safe Harbor, the Commission worked with US authorities to build a new data transfer framework. On February 29, 2016, the Commission released a draft decision on the Privacy Shield (see previous client alert). On July 12, 2016, following a positive vote from member states, the European Commission formally adopted the Privacy Shield framework.

The Privacy Shield framework does not apply to data transferred from Switzerland to companies located in the US However, it is very likely that Switzerland and the US will negotiate an arrangement similar to the Privacy Shield to replace the 2008 US-Swiss Safe Harbor framework.

2. Who is eligible for Privacy Shield?

Similar to the Safe Harbor, the Privacy Shield is available only to US companies subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT). Thus, eligible businesses include most US for-profit businesses as well as air carriers, but exclude most banks, financial services companies, and other businesses that are not subject to the FTC’s or DOT’s jurisdiction.

The decision by a US-based company to join the Privacy Shield is voluntary. However, once an eligible organization publicly commits to comply with the Privacy Shield Principles through self-certification (as described below in item 5), that commitment is enforceable under US law by the relevant enforcement authority, either the FTC or the DOT.

3. What are the Privacy Shield Principles?

As part of their self-certification under the Privacy Shield, as with the previous Safe Harbor, Privacy Shield participants have to commit to comply with seven principles issued by the US Department of Commerce. However, the Privacy Shield Principles pose stronger obligations compared to Safe Harbor.

The seven Privacy Shield Principles are:

  • Notice. Privacy Shield companies must provide individuals with privacy notices containing 13 enumerated items, including, e.g., the company’s participation in the Privacy Shield and a link to the Privacy Shield website; information on individuals’ rights; and a contact point that will handle complaints. 
  • Choice. Companies must offer individuals the opportunity to opt out if their personal data is to be (i) disclosed to a third party (except agents/processors) or (ii) used for a purpose that is materially different from the one for which it was originally collected or subsequently authorized. Individuals’ express consent (opt in) is, however, required for sensitive information (e.g., data related to health or information revealing sex life).
  • Accountability for Onward Transfers. The Privacy Shield provides heightened obligations when data is transferred to a third-party controller or to an agent/processor (e.g., a vendor), including the requirement to enter into written contracts with third parties, which must contain specific safeguards for the data.
  • Security. Companies must take “reasonable and appropriate” security measures, taking into account the risks involved in the processing and the nature of the data.
  • Data Integrity and Purpose Limitation. Companies must limit the collection of personal data to what is relevant for the purpose of the processing and ensure that data is accurate, complete, and current. Personal data must be retained only for as long as needed for the purpose of collection, subject to some exceptions (e.g., scientific research or statistical analysis).
  • Access. Individuals must have access to personal information about themselves and be able to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the Privacy Shield Principles, subject to some limited exceptions (e.g., risk of violating other individuals’ rights).
  • Recourse, Enforcement, and Liability. Individuals have several redress possibilities for misuse of their data under the Privacy Shield, notably:
    • Individuals may bring a complaint directly to a Privacy Shield participant, who must respond within 45 days.
    • Privacy Shield participants must provide, at no cost to the individual, an independent recourse mechanism to investigate unresolved complaints. Companies may (i) choose a private sector independent recourse mechanism (according to guidance provided by the Department of Commerce, programs like the ones developed by the Council of Better Business Bureaus, TRUSTe, the American Arbitration Association, JAMS, and the Direct Marketing Association could be used) or (ii) elect to appoint a panel of EU Data Protection Authorities (DPAs) and commit to cooperate with it. However, where the Privacy Shield certification covers human resource data, there is no such choice, and cooperation with the DPAs is mandatory.
    • Individuals may submit a complaint to a DPA in the EU that will work with the US Department of Commerce and the FTC to ensure that unresolved complaints are investigated and swiftly resolved. Companies must comply with the DPA’s directive within 25 days; otherwise, the DPA may refer the matter to the FTC.
    • As a last resort, individuals may invoke binding arbitration by a Privacy Shield Panel. The proceedings will be governed by standard arbitration rules to be agreed upon by the Department of Commerce and the European Commission.
    • EU residents may also pursue any available causes of action before US courts. Complaints from individuals relating to use of their data for national intelligence purposes will be resolved through an ombudsperson mechanism that will be independent of the US intelligence services.

The Privacy Shield also provides 16 supplemental principles concerning specific issues, such as sensitive data, journalistic exceptions, human resources data, and performance of due diligence and audits.

Companies self-certifying to the Privacy Shield must have procedures in place for verifying compliance with the Privacy Shield Principles, either through self-assessment or by means of outside/third-party assessment programs.

4. Timeframe

The Department of Commerce began accepting self-certifications to the Privacy Shield on August 1, 2016. The Privacy Shield Principles apply immediately upon certification.

Companies self-certifying within the first two months of the effective date of Privacy Shield (between August 1 and September 30, 2016) will have a nine-month grace period from their date of certification to bring existing contracts with third parties into compliance with the Accountability for Onward Transfers principle. Thus, prompt certification may have benefits.

5. How to join the Privacy Shield

Similar to the Safe Harbor, the Privacy Shield is a self-certification system.

To self-certify to the Privacy Shield, companies must provide a self-certification submission signed by a corporate officer of the company to the US Department of Commerce, via the dedicated website https://www.privacyshield.gov. The submission must include the information listed at this page of the Privacy Shield website (e.g., general information on the company; contact person and corporate officer; type of personal data covered by the Privacy Shield and purposes of the processing; independent recourse mechanism(s); link to the privacy notice; and company’s verification method). It is advisable to review and compile this information prior to initiating the online self-certification process.

Submission of a self-certification will also require payment of a certification fee (see below under item 6).

To help companies prepare for the certification process, the US Department of Commerce has released a “Guide to Self-Certification,” which is available here, as well as Frequently Asked Questions available here.

Before self-certifying and in order to obtain approval under the Privacy Shield, companies should assess their ability to comply with the Privacy Shield framework and take steps to show compliance with the Privacy Shield Principles, including:

  • Developing a Privacy Shield-compliant privacy notice. Companies that are Safe Harbor certified likely already have in place a privacy notice that can be reviewed and supplemented to meet the Privacy Shield’s requirements.
  • Reviewing vendor/data processing agreements to ensure that they comply with the Privacy Shield’s restrictions on onward transfers.
  • Selecting an independent recourse mechanism to address unresolved complaints from individuals.
  • Designating a contact within the company for handling requests or complaints. According to guidance provided by the Department of Commerce, this contact can be either the corporate officer who is certifying the company’s compliance with the Privacy Shield or another official within the company, such as a Chief Privacy Officer.

The Department of Commerce will maintain and make available on the Privacy Shield website a list of Privacy Shield certified companies (the Privacy Shield List).

Like the Safe Harbor, Privacy Shield self-certification must be renewed annually.

6. How much will it cost to self-certify to the Privacy Shield?

US companies must pay an annual fee to the Department of Commerce in order to participate in the Privacy Shield, ranging from $250 to $3,250, based on a company’s annual revenue.

In addition, companies will have to pay the fees applied by the independent recourse mechanism selected to hear individual complaints or an annual fee of $50 to cover the operating costs of the EU DPA panel, if they either choose to or must cooperate with the EU DPAs.

An annual contribution will also be due to cover arbitral costs of the binding arbitration option that will be set up by the European Commission and the Department of Commerce for unresolved complaints. The Department of Commerce will notify companies of the initial amount of such contribution by January 2017.

7. Can companies lose the Privacy Shield certification?

Yes. The Department of Commerce will remove a company from the Privacy Shield List if (i) it voluntarily withdraws from the Privacy Shield or (ii) it fails to renew the certification. Importantly, in both cases, the company must continue to apply the Privacy Shield Principles to the personal information it received while it participated in the Privacy Shield and affirm to the Department on an annual basis its commitment to do so, for as long as it retains such information. Otherwise, the organization must return or delete the information or provide “adequate” protection for the information by other means.

The Department will also remove from the Privacy Shield List those companies that have persistently failed to comply. If removed, such companies must return or delete personal information they received under the Privacy Shield.

8. How will the Privacy Shield be monitored and enforced?

The US Department of Commerce will actively monitor self-certified companies’ compliance with the Privacy Shield Principles, including through regular questionnaires.

Companies that fail to comply with the Privacy Shield may be subject to enforcement by the FTC or the DOT. Both regulators have committed to a more robust framework for enforcement of the Privacy Shield in cooperation with the EU DPAs. The FTC will maintain an online list of companies subject to FTC or court orders in Privacy Shield cases. Companies may also be subject to the sanctions applied by the applicable independent recourse mechanism.

An annual joint review mechanism conducted by the European Commission and the US Department of Commerce, together with national intelligence experts and EU DPAs, will oversee the functioning of the Privacy Shield.

9. Conclusions

The Privacy Shield framework may serve as an important data transfer option for the more than 4,000 US companies that had been Safe Harbor participants, as well as for other American companies looking for a mechanism that will allow them to receive data from Europe in compliance with the EU data protection law.

However, as discussed above, the Privacy Shield poses substantive requirements on participants and may not make sense as a data transfer solution for all companies. Factors such as a company’s size, group privacy structure (if part of a group), industry, volume and type of data transferred from the EU to the US, and current data handling practices should be taken into account when making a determination to participate.

Therefore, companies should consult their privacy counsel to discuss the details of the Privacy Shield and analyze how it compares with the other options for legitimizing cross-border data transfers from the EU/EEA to the US, such as Binding Corporate Rules (only for intra-group transfers) and Standard Contractual Clauses (whose validity, however, is being questioned before Irish courts, with a likely referral to the CJEU). Companies should also assess the intersection of the Privacy Shield and the compliance obligations provided by the European General Data Protection Regulation that will apply as of May 25, 2018.

The Privacy Shield framework itself faces criticism from privacy advocates for not ensuring adequate protection of EU individuals’ data and is expected to be challenged before DPAs and courts. In the meantime, EU DPAs (reunited in the Article 29 Working Party) stated that they reserve the right to further assess the Privacy Shield framework at the first joint annual review. Thus, businesses should keep developments in this field under careful review.

About Goodwin’s Privacy & Cybersecurity Practice

Goodwin’s Privacy & Cybersecurity Practice, established formally in 2004, leverages the firm’s core strengths, collaborating across the firm’s highly regarded technology, financial industry, licensing, litigation and investigations, regulatory, and appellate practices. This unique approach, focusing on client needs and value, enables us to engage specialists whose experience and leadership is framed by a holistic understanding of the nature and importance of information to modern enterprises.

For more information about this update, or for other assistance regarding privacy and data security matters, please contact Brenda Sharton (Co-Chair, Privacy & Cybersecurity), Lynne Barr (Co-Chair, Privacy & Cybersecurity), or any member of the Goodwin Privacy & Cybersecurity practice.

About the Authors

Jacqueline Klosek is a counsel in the firm's Business Law Department and a member of its Intellectual Property Group as well as its Privacy & Cybersecurity Practice. Her practice focuses on transactions involving technology and intellectual property, and she regularly advises clients on various issues related to privacy and data security.

Federica De Santis is a former secondee joining Goodwin from Portolano Cavallo in Rome, Italy. She advises clients on the regulatory, contractual, and litigation aspects of data protection and information governance and cyber-security. In these areas she advises clients on cutting edge legal issues arising from quickly changing technology and business models.