On March 25, 2022, the EU Commission and US announced that an agreement in principle on a new framework for transatlantic data flows had been reached (see the Commission’s statement here, here, and here, and the US White House’s statement here).  The Commission and the U.S. published draft factsheets outlining the agreement (see the Commission’s factsheet here and the U.S. factsheet here).  This agreement will form the basis for an adequacy decision in the EU and an executive order in the US, which both parties will draft as a next step.

Today’s announcement follows lengthy negotiations that began shortly after the Court of Justice of the EU’s (“CJEU”) Schrems II judgment on July 16, 2020, which annulled the EU-US Privacy Shield (see our blog post here).  There, the CJEU held that the US did not provide an “essentially equivalent” level of data protection to that found in the EU, due in part to extensive powers granted to US law enforcement and intelligence agencies to access data and an absence of effective legal remedies for EU residents.

According to the published factsheets, the US has made “unprecedented commitments” that build on the safeguards that were in place under the annulled Privacy Shield framework with the aim of addressing issues identified in the Schrems II decision.  The new framework will:

  • strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities through binding safeguards limiting U.S. intelligence authorities’ access to data to what is necessary and proportionate to protect U.S. national security;
  • establish a new, multi-layered redress mechanism with independent and binding authority composed of individuals chosen from outside the U.S. Government who will have full authority to investigate and adjudicate claims, as well as impose remedial measures, as needed; and
  • enhance the U.S.’ existing rigorous and layered oversight of signals intelligence activities.

Just as with the annulled Privacy Shield, U.S. companies will need to self-certify their adherence to the Privacy Shield 2.0 once it is released.

This is undoubtedly good news for industry, as such a framework will offer industry another option when transferring personal data from the EU, alongside EU contractual clauses and other means.  However, any new framework is certain to be pressure-tested before the EU courts, and at least one privacy advocacy group has already issued a statement challenging the legality of the agreement (see NOYB statement here).

The Covington team will keep monitoring any developments on the Privacy Shield 2.0 and continue to report on them on our blog Inside Privacy.

Today, the Court of Justice of the European Union issued a landmark decision striking down the EU-U.S. Privacy Shield—an agreement between EU and U.S. authorities authorizing transfers of EU personal data to the United States—but upholding the validity of standard contractual clauses (“SCCs”), another mechanism that EU-based organizations use to transfer data internationally. Covington represents BSA | The Software Alliance (“BSA”) in the case, and key aspects of BSA’s arguments on the validity of SCCs were reflected in the Court’s decision.

Continue Reading EU’s Highest Court Strikes Down Privacy Shield But Upholds Other Key International Data Transfer Mechanism

On October 23, 2019, the European Commission (“Commission”) published its Report on the third annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report “confirms that the U.S. continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield” (see also the Commission’s Press Release).  The Report welcomed a number of improvements following the second annual review, including efforts made by U.S. authorities to monitor compliance with the framework, as well as key appointments that have been made in the last year.  The Commission in particular noted the appointment of Keith Krach to the position of Privacy Shield Ombudsperson on a permanent basis, filling a vacancy that had been noted in previous reviews.  The Report also provided a number of recommendations for further improvement and monitoring.

Recognizing that, in its third year, Privacy Shield has “moved from the inception phase to a more operational phase,” the Report placed particular emphasis on the effectiveness of the “tools, mechanisms and procedures in practice.”  Not only has the number of Privacy Shield certifications exceeded 5,000 companies — eclipsing in three years the number of companies that had registered to the Safe Harbor Framework in its nearly 15 years of existence — the Report also noted that “an increasing number of EU data subjects are making use of their rights under the Privacy Shield and that the relevant redress mechanisms function well.”

As with prior reviews, the Commission sought feedback from trade associations, NGOs, and certified companies, and addressed the functioning of (i) the framework’s commercial aspects, and (ii) U.S. authorities’ access to personal data.

Continue Reading Privacy Shield Third Annual Review

On September 3, 2019, the Federal Trade Commission (“FTC”) announced settlement agreements with five companies for alleged false claims of certification under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks (collectively, “Privacy Shield”).  These settlements indicate that the FTC is continuing to actively enforce Privacy Shield commitments, as it has done with respect to several other companies over the past year for similar violations related to false certification claims.

The websites for all five companies claimed that they were certified under the Privacy Shield. Four of the companies had submitted applications, but allegedly “failed to complete the necessary steps to obtain certification from the Department of Commerce.”  The FTC alleged that the fifth company allowed its certification to lapse but did not remove the claim of participation from its privacy policy despite warnings from Commerce.  The FTC also alleged that this company failed to comply with additional Privacy Shield requirements because it did not comply with the annual verification requirement or requirements applicable to personal information collected under the Privacy Shield after a company is no longer certified.

Per the FTC’s announcement, the settlement agreements prohibit the five companies “from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization” and also require the companies to comply with FTC reporting requirements.  The fifth company must also apply Privacy Shield protections to personal information it collected while certified to the Privacy Shield, or return or delete the information.

On June 20, 2019, Keith Krach was confirmed by the U.S. Senate to become the Trump administration’s first permanent Privacy Shield Ombudsperson at the State Department.  The role of the Privacy Shield Ombudsperson is to act as an additional redress avenue for all EU data subjects whose data is transferred from the EU or Switzerland to the U.S. under the EU-U.S. and the Swiss-U.S. Privacy Shield Framework, respectively.

As Ombudsperson, Krach will be responsible for dealing with complaints and requests from individuals in the EU and Switzerland, including in relation to U.S. national security access to data transmitted from the EU or Switzerland to the U.S.  The Ombudsperson works with other Government officials and independent oversight bodies to review and respond to requests.  Krach’s role as Ombudsperson forms part of his duties as the Under Secretary for Economic Growth, Energy and the Environment.  The Under Secretary is independent from the intelligence services and reports directly to the Secretary of State.

The formal approval of a permanent Privacy Shield Ombudsperson will be welcomed at EU level.  As we have previously reported, the European Data Protection Board praised the appointment of a permanent Ombudsperson in its January report regarding the second annual review of the Privacy Shield.  In addition, the Commission has emphasized that the Ombudsperson is “an important mechanism that ensures complaints concerning access to personal data by U.S. authorities are addressed.”  This appointment comes at a time when both the EU-U.S. Privacy Shield and the Standard Contractual Clauses are under scrutiny in the European courts.

On January 24, the European Data Protection Board (“EDPB”) adopted a report (“Report”) regarding the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”).  In a press release accompanying the Report, the EDPB welcomed efforts by EU and U.S. authorities to implement the Privacy Shield, including in particular the recent appointment of a permanent Ombudsperson.  But the EDPB also noted that certain concerns remain with respect to the implementation of the Privacy Shield.

The EDPB, which is made up of representatives of various European data protection authorities, is established by the GDPR, and advises on the consistent application of data protection rules throughout the EU.  The Report is not binding on the EU or U.S. authorities directly; instead it will serve to guide regulators considering the implementation of the Privacy Shield.  The Report is also likely to influence the EU Commission’s assessment of the Privacy Shield, and to contribute to political pressure in the European Parliament to continue to reform the Shield.

Continue Reading European Data Protection Board Releases Report on the Privacy Shield

Earlier this week, the European Commission (“Commission”) published its Report on the second annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) (the Report is accompanied by a Staff Working Document).  The Report concludes that the Privacy Shield “continues to ensure an adequate level of protection” for personal data transferred from the EU to the United States.  The Commission also found that the implementation of a number of the recommendations following the first annual review last year improved several aspects of the Privacy Shield, but that certain recommendations still required implementation and/or monitoring.

In another Privacy Shield-related development this week, the International Trade Administration’s Privacy Shield Team announced new guidance on the applicability of the Privacy Shield to the United Kingdom following the UK’s pending withdrawal from the EU.

Continue Reading Privacy Shield Updates: Second Annual Review and Brexit Guidance

The European Commission has today published its Report on the first annual review of the EU-U.S. Privacy Shield (the Report is accompanied by a Staff Working Document, Infographic, and Q&A).  The Commission concludes that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to Privacy Shield-certified companies in the United States.  Alongside this conclusion, the Commission also makes a number of recommendations to further improve the Privacy Shield framework.  The Report follows a joint press statement by the U.S. Secretary of Commerce and EU Commissioner Jourová on September 21, 2017, closing the review and reaffirming that the “United States and the European Union share an interest in the [Privacy Shield] Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”

Background

The EU-U.S. Privacy Shield is a framework that effects the lawful transfer of personal data from the EEA to Privacy Shield-certified companies in the U.S.  The Privacy Shield framework was unveiled by the EU and United States on July 12, 2016, and became operational on August 1, 2016.  To date, over 2,400 companies (including more than 100 EU-based companies) have certified, with 400 applications under review.

The Privacy Shield provides an annual review and evaluation procedure intended to regularly verify that the findings of the Commission’s adequacy decision are still factually and legally justified.  Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce and the European Commission, with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  In preparation for the Review, the Commission also sought feedback from a number of trade associations, NGOs, and certified companies.  (See our earlier posts on the purpose of the first annual review here and here.)

Continue Reading EU Commission Concludes Privacy Shield “Adequate” in first Annual Review

The Article 29 Working Party (“WP29”), a group consisting of representatives from each European data protection authority, the European Data Protection Supervisor, and the European Commission, yesterday issued a press release detailing its recommendations for the first Annual Joint Review of the EU-U.S. Privacy Shield (“Privacy Shield”), which will take place in September 2017.  Specifically, the June 13 press release announced that WP29 had adopted a letter to send to the European Commission with its views and questions regarding U.S. fact-finding on commercial matters, law enforcement, and national security.  According to the WP29, answers to these questions will be crucial to “ensur[ing] that the US authorities are able to constructively answer concerns on the concrete enforcement of the Privacy Shield decision.”

The WP29 emphasized in its press release the need to assess the “robustness and effectiveness of the Privacy Shield mechanism,” which the EU and U.S. jointly adopted in July 2016 to provide a framework for cross-border data transfers.  The WP29’s current concerns echo points that the group has previously raised and also reflect developments in the current U.S. administration.

  • Regarding the commercial part of the U.S. fact-finding for the annual review, the WP29 expressed concerns over the legal guarantees that exist around automated decision making, the existence of guidance on the application of the Privacy Shield from the U.S. Department of Commerce, and clarifications on definitions, specifically including “human resources data.” The WP29’s list is non-exhaustive.
  • With respect to the law enforcement and national security part, the WP29 stressed its need to obtain information related to “the latest developments of US law and jurisprudence in the field of privacy.” In particular, the group stated it seeks “precise evidence to show that bulk collection, when it exists, is ‘as tailored as feasible.’” The WP29 also raised questions about Privacy Shield oversight, including the nomination of four members of the Privacy and Civil Liberties Oversight Board (“PCLOB”), as well as questions regarding the appointment of the Ombudsperson and the mechanisms governing that position.

The WP29 further used the press release to announce that it has been “intensely preparing” for the annual review, and it shared recommendations regarding participants, the length of the review, and the WP29’s ability to publish its own report.

The WP29’s letter comes in the wake of larger questions about the implementation of the Privacy Shield on both sides of the Atlantic. With more than 2,000 organizations listed as self-certified under the framework, the first annual review will provide an important opportunity to shape the future of cross-border data transfers across many industries.  We will continue to monitor developments relating to the Privacy Shield and the first annual review.

The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C.  The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.

Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.

Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny.  The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield.

Continue Reading First Annual Privacy Shield Review Will Comprehensively Assess the Framework