Nearly 2,000 organizations are now listed as self-certified to the EU-U.S. Privacy Shield on the Department of Commerce’s (“Commerce”) Privacy Shield website.  Given current developments on both sides of the Atlantic, there are likely to be significant Privacy Shield developments in the coming months.

EU Justice Commissioner Věra Jourová recently concluded her visit to the U.S. to meet with Trump Administration officials and others regarding the status of the Privacy Shield.  During her visit, Commissioner Jourová spoke about the importance of the Privacy Shield as a framework with “enormous potential to strengthen the transatlantic economy and reaffirm our shared values.”  She also met with Commerce Secretary Wilbur Ross to discuss the Privacy Shield, and announced that the first annual joint review will occur in September, which she indicated would be “an important milestone where we need to check that everything is in place and working well.”

On February 9, 2017, six Democratic senators wrote to DHS Secretary John Kelly about their concerns over a Trump executive order that would remove Privacy Act protections for non-U.S. citizens and lawful permanent residents.

Senators Ed Markey (MA), Ron Wyden (OR), Jeff Merkley (OR), Al Franken (MN), Chris Coons (DE), and Mazie Hirono (HI) wrote that Section 14 of the order would make it easier for government agencies to share non-citizens’ personal information with Congress and the public.

On January 25, 2017, President Trump signed a new Executive Order on Enhancing Public Safety in the Interior of the U.S.  Among other elements, the Executive Order directs U.S. government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” but only if doing so is “consistent with applicable law.”

This prompted certain commentators, such as Member of the European Parliament Jan-Philipp Albrecht, to question whether the Executive Order would have an impact on the robustness of the EU-U.S. Privacy Shield data transfer framework.

In an interview with Politico (link requires a subscription), EU Justice Commissioner Věra Jourová, one of the principal architects of the EU-U.S. Privacy Shield, indicated that she plans to visit the U.S. once the Trump Administration is in place to assess the state of the new administration’s commitment to the Privacy Shield.  In the interview, Jourová indicated that she would seek to ensure that the U.S. maintains a “culture of privacy” under the new administration, and that the U.S. government would continue to adhere to its commitments with regard to U.S. law enforcement and surveillance activities that were included within the Privacy Shield framework.

The Privacy Shield was based in part on a series of letters published by various Obama Administration officials relating to oversight and enforcement of the Privacy Shield Principles by the U.S. government.  These letters were included as annexes to the Commission Implementing Decision that forms the legal basis for the Privacy Shield in the EU, and are posted to the U.S. Department of Commerce’s Privacy Shield website.  They include a letter from the Department of State to Commissioner Jourová describing the new Privacy Shield Ombudsperson designated to field inquiries from the EU regarding U.S. signals intelligence practices, and letters from the Office of the Director of National Intelligence (Letter 1; Letter 2) and the Department of Justice describing safeguards and limitations applicable to U.S. national security authorities and law enforcement authorities, respectively.

On September 16, 2016, Digital Rights Ireland (“DRI”), a digital rights advocacy group, lodged an action with the EU General Court for annulment of the European Commission’s Decision on the EU-U.S. Privacy Shield arrangement.  While the existence of the application has only recently become public knowledge, it was widely expected that the Privacy Shield would face a legal challenge.  It is also unsurprising that DRI has brought the action (given its objections to the Privacy Shield before it was agreed and its intervention in the Safe Harbor case).

Background

The Privacy Shield was agreed earlier this year, replacing the Safe Harbor framework that was invalidated by the Court of Justice of the EU (“CJEU”) in Schrems.  The Privacy Shield provides a legal basis for transfers of personal data from the European Economic Area to Privacy Shield-certified companies in the U.S.  To date, over 600 companies have certified to the Privacy Shield.  The Privacy Shield contains a much more robust set of commitments than those underpinning the Safe Harbor and will provide stronger protections to data subjects in the EU than its predecessor.

On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here).

That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11).  Once translated and published in the Official Journal of the EU, the adequacy decision will then enter into force.

However, there may need to be an implementation period during which the EU and U.S. put in place relevant structures; it is expected that Commissioner Věra Jourová will provide more details to the European Parliament on Monday, and in a joint press conference on Tuesday with U.S. Secretary of Commerce Penny Pritzker.

Once that implementation phase is complete, U.S.-based companies will be able to self-certify under the Privacy Shield.  Doing so provides a legal basis which entities in the European Economic Area can rely on to transfer personal data to those Privacy Shield-certified companies in the US.

Today, the Article 29 Data Protection Working Party (“Working Party”), a group consisting of representatives from the European data protection authorities, the European Data Protection Supervisor, and the European Commission, published its opinion on the EU-U.S. Privacy Shield draft adequacy decision (“Opinion”) (see here). The Opinion is accompanied by a second document, Working Document 01/2016 on the justification of interferences with the fundamental rights to privacy and data protection through surveillance measures when transferring personal data (“European Essential Guarantees”) (see here). This document sets out EU standards for surveillance by public authorities in the EU and U.S., as formulated by the Working Party. The Working Party also issued a press release (see here). The chairwoman of the Working Party, CNIL President Falque-Pierrotin, presented the documents today in a press conference, a recording of which is available here.

According to the Working Party, the Privacy Shield contains significant improvements compared to the now-defunct EU-U.S. Safe Harbor framework; however, there remain certain concerns and a need for clarification.

Yesterday, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) held a public hearing on the EU-US Privacy Shield, see agenda here and a video of the hearing here. While European Parliament support is not strictly necessary for the approval of the Privacy Shield, its view certainly has political weight.

The hearing began with a presentation of views by the EU and U.S. negotiators and European data protection regulators (the chair of the Article 29 Working Party (“WP29”) and the European Data Protection Supervisor (the “EDPS”)). The LIBE committee then heard from private entities, organizations and scholars such as DIGITALEUROPE, Marc Rotenberg (executive director of the Electronic Privacy Information Center (EPIC)), a European consumer association, and Max Schrems, the privacy campaigner.

The EU and U.S. negotiators defended the proposed arrangement. Representatives of the Commission stated that if the Privacy Shield did not receive approval, some elements of the Privacy Shield system could still be applied, such as the Ombudsperson mechanism, clarifications on national security access and limitations on data in transit. Participants also noted that the Privacy Shield will have to fit into the new European data protection framework, the forthcoming General Data Protection Regulation.

WP29 Opinion

The Privacy Shield proposal is currently being reviewed by the WP29, a group made up of a representative from the data protection authority of each EU Member State, the EDPS and the European Commission. The WP29 must provide a non-binding opinion on the Privacy Shield, which is expected on April 12 or 13. At the hearing, the chair of the WP29 identified some aspects of the Privacy Shield which concerned them:

  • an absence of rules in the Privacy Shield on data retention; and
  • the powers and independence of the new Ombudsperson.

The chair observed that the forthcoming opinion will also have an impact on future WP29 opinions and positions on alternative transfer mechanisms, such as Binding Corporate Rules (BCRs) and model clauses.

The EDPS intends to adopt his own opinion, subsequent to the publication of the WP29 opinion.

Article 31 Committee Meeting

Just a few days before the WP29 is expected to issue its opinion, on April 7, 2016, the Article 31 Committee will meet for the first time to discuss the Privacy Shield. This Committee is made up of representatives of each EU Member State and must provide a binding opinion supporting the Privacy Shield by qualified majority for the Privacy Shield to go ahead. For more details on the approval procedure for the Privacy Shield, please see our alert here.

Yesterday, a group of twenty-seven privacy and civil liberties organizations sent a letter to EU officials opposing the EU-U.S. Privacy Shield, which was released last month and is currently being reviewed by the Article 29 Working Party in the EU.  According to the letter, the Privacy Shield “manifestly fails” to meet the standards set by the Court of Justice of the European Union in invalidating the prior Safe Harbor Framework.

While the letter acknowledges that “questions remain about the scope and utility” of the Privacy Shield, it lists three specific critiques.  First, the letter argues that the Privacy Shield fails to include a commitment by the U.S. government to apply the international standards of necessity and proportionality to its surveillance activities.  Second, the letter argues that the Privacy Shield’s enforcement mechanisms are inadequate because the ombudsperson is not independent and lacks sufficient authority to initiate investigations or respond to complaints.  Third, the letter argues that the Privacy Shield lacks sufficient transparency because “individuals are never notified when their information has been collected, disseminated, or used.”

The letter concludes by urging the Article 29 Working Party to send the Privacy Shield back to the negotiators for further consideration.  The Working Party is expected to release its non-binding opinion on the Privacy Shield during its next plenary meeting in April.

As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.

A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor.  In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.

  1. Tougher and Binding Remedies and Enforcement

In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days.  If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body.  The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).
