As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce. Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.
A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor. In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.
- Tougher and Binding Remedies and Enforcement
In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days. If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body. The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).
For signatories that utilize the DPA panel, the Principles state that the panel will provide advice as quickly as possible, but as a general rule within 60 days. DPA panel remedies, as well as remedies from other dispute resolution bodies, can include “publicity for findings of non-compliance,” compensation “for losses incurred as a result of non-compliance,” or the suspension or removal of a Privacy Shield seal. Signatories must comply with DPA panel advice within 25 days, and in the event of non-compliance, the DPA panel can refer the matter to the FTC or another relevant U.S. federal government agency for enforcement action or inform Commerce so that the organization is removed from the Privacy Shield List.
For claims that remain unresolved after the dispute resolution process, a consumer must raise the issue through his or her DPA to allow Commerce an opportunity to resolve it. If this method also fails, a consumer may opt for binding arbitration. Commerce will maintain a “Privacy Shield Panel,” which will consist of a pool of at least 20 arbitrators, none of whom may be affiliated with a Privacy Shield signatory. The arbitration award can only consist of “individual-specific, non-monetary equitable relief” necessary to remedy the alleged Privacy Shield violation at issue, such as access, correction, deletion, or return of the individual’s data. Arbitration proceedings should reach a decision within 90 days, and decisions will be enforceable under the Federal Arbitration Act. Decisions made under that Act can, in certain limited circumstances, be challenged in federal courts.
- More Detailed and Specific Onward Transfer Restrictions
The Privacy Shield also expands the Safe Harbor’s onward transfer requirements – that is, the requirements governing how Shield signatories transfer personal information (“PI”) to third parties. Onward transfers will require a contract with third-party data controllers that “provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles.” For transfers to third-party agents, the organization must (1) transfer data only for “limited and specified purposes”; (2) ascertain that the agent is obligated to provide at least the same protections as required by the Principles; (3) take reasonable steps to ensure processing consistent with the Principles; (4) stop or reasonably remediate unauthorized processing upon notice; and (5) provide a “summary or a representative copy” of the relevant contractual provisions to Commerce upon request.
Unlike the Safe Harbor, Privacy Shield organizations are liable for violations by onward transfer recipients acting as agents that process such information in a manner inconsistent with the Privacy Shield, “unless the [signatory] organization proves that it is not responsible for the event giving rise to the damage.”
- Annual Certification: Verified By Commerce
Unlike the Safe Harbor, which only required annual “reaffirmation” of compliance, organizations that self-certify their compliance with the Privacy Shield’s requirements to Commerce must re-certify their compliance on an annual basis, and Commerce will closely verify certifications and re-certifications for compliance and “that the organizations have in fact registered with the relevant [dispute] mechanism indicated in their self-certification submissions, where such registration is required.” Commerce can also remove organizations that “persistently” violate the Privacy Shield requirements from the list of Privacy Shield signatories. Any organization that decides to cease compliance with the Privacy Shield, or is removed by Commerce, must in principle return or delete all personal information received under the Privacy Shield.
In addition to the annual re-certification requirement, the Privacy Shield Framework itself will be subject to an annual review by the European Commission and Commerce, as opposed to the Safe Harbor reviews that occurred every three years. This annual review opens up the possibility that the Privacy Shield Framework could change on a regular basis, depending upon the political pressures at play.
- Expanded Notice & Choice Obligations
The Privacy Shield Principles expand the requirements for self-certified organizations to provide notice and choice regarding PI. The Safe Harbor only required notice about the purposes of data collection and use, contact information of the self-certified organization for inquiries or complaints, types of third-party data recipients, and choices available to limit use and disclosure. Under the Privacy Shield, certified organizations must additionally inform individuals about, among other things: (1) the purposes for which the organization discloses PI to third parties; (2) the right of individuals to access their PI; (3) the ability to invoke binding arbitration; and (4) potential liability in cases of onward transfers to third parties.
The Safe Harbor required opt-outs before PI was disclosed to third parties or used for a purpose “incompatible” with the purpose for which it was originally collected, and opt-ins with respect to sensitive information. Under the Privacy Shield, the opt-out applies to use of PI for a purpose that is “materially different” from the purpose for which it was originally collected (or subsequently authorized).
- New Restrictions on National Security Access
A separate letter from the Department of State describes how the Department of State’s “privacy ombudsperson”—Under Secretary of State Catherine A. Novelli—will coordinate responses to requests from EU citizens, channeled through EU member states, for information on U.S. government access to their data for national security purposes. Importantly, these requests can cover not only data that is transmitted under the Privacy Shield, but also data transmitted pursuant to standard contractual clauses, binding corporate rules, derogations, and possible future derogations.
The ombudsperson will work with other U.S. government agencies to ensure that requests are processed and resolved, and may also refer matters to the Privacy and Civil Liberties Oversight Board for its consideration. However, the response from the U.S. government will be limited to a statement that the appropriate procedures (under the Privacy Shield or otherwise) were followed, or that any non-compliance has been remedied.
The mandatory annual review process will be an important check to ensure that these commitments are upheld. Of course, the Privacy Shield also should be considered in light of the post-Edward Snowden changes made in U.S. law and policy, which the Schrems court could not consider because its procedures locked it in 2013. Those changes include the Judicial Redress Act, signed by President Obama last week; the USA Freedom Act, which ended bulk metadata surveillance; and the Presidential Policy Directive on signals intelligence issued in 2014.
As our London colleague Dan Cooper has discussed previously here, the EU must now formally adopt the Privacy Shield Framework through the “comitology” procedure. This procedure, which will involve a non-binding opinion by the Article 29 Working Party (expected at the next plenary meeting on April 12 and 13), a binding opinion by a qualified majority of the Article 31 Committee, and the formal adoption of the adequacy decision by the EU College of Commissioners, is expected to last until early summer. The Article 29 Working Party issued a press release welcoming the publication of the draft adequacy decision. However, both the European Parliament and the Council may request that the European Commission amend or withdraw the adequacy decision at any time before its formal adoption. Once the Framework is approved, Commerce has stated that it will be delivered to the Federal Register for publication within 30 days.