EU-U.S. Privacy Shield

On December 13, 2018, the Information Commissioner’s Office (“ICO”) in the United Kingdom issued guidance on the state of UK data protection law should the country leave the European Union (“EU”) without having reached an agreement on the terms of its withdrawal.  Much of this latest guidance is consistent with the ICO’s earlier guidance on the topic, published in September 2018.  But as the UK’s expected withdrawal from the EU on March 29, 2019, inches closer, organizations that process the personal data of individuals resident in the UK or in other countries in the European Economic Area (EEA) should now take steps to prepare themselves for the possibility of a “no-deal” scenario.
Continue Reading Information Commissioner’s Office Issues Guidance on UK Data Protection Law in the Event of a “No-Deal” Brexit

The European Commission has today published its Report on the first annual review of the EU-U.S. Privacy Shield (the Report is accompanied with a Staff Working Document, Infographic, and Q&A).  The Commission concludes that Privacy Shield continues to ensure an adequate level of protection for personal data transferred from the EU to Privacy Shield-certified companies in the United States.  With its conclusion, the Commission also makes a number of recommendations to further improve the Privacy Shield framework.  The Report follows a joint press statement by the U.S. Secretary of Commerce and EU Commissioner Jourová on September 21, 2017, closing the review and reaffirming that the “United States and the European Union share an interest in the [Privacy Shield] Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”

Background

The EU-U.S. Privacy Shield is a framework that effects the lawful transfer of personal data from the EEA to Privacy Shield-certified companies in the U.S.  The Privacy Shield framework was unveiled by the EU and United States on July 12, 2016 and the Privacy Shield framework became operational on August 1, 2016.  To date, there are over 2,400 in companies (including more than 100 EU-based companies) that have certified, with 400 applications under review.

The Privacy Shield provides an annual review and evaluation procedure intended to regularly verify that the findings of the Commission’s adequacy decision are still factually and legally justified.  Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce and the European Commission, with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  In preparation for the Review, the Commission also sought feedback from a number of trade associations, NGOs, and certified companies.  (See our earlier posts on the purpose of the first annual review here and here.)
Continue Reading EU Commission Concludes Privacy Shield “Adequate” in first Annual Review

On July 26, 2017, the Court of Justice of the EU (CJEU) published Opinion 1-15 (the “Opinion”) on the proposed agreement between the European Union and Canada on the transfer and processing of passenger name record (“PNR”) data (the “Agreement”).  The Agreement was signed in 2014, but the CJEU was asked to determine whether it was compatible with EU data protection law before it is approved by the European Parliament.

The Opinion concluded that a number of provisions relating to the transfer of PNR data – particularly sensitive data – are incompatible with the EU Data Protection Directive (Directive 95/46) and the fundamental rights to privacy and data protection, and the protection against discrimination, under Articles 7, 8 and 21 of the EU Charter of Fundamental Rights (the “Charter”), meaning the Agreement must be renegotiated before it enters into force.

Notably, the CJEU’s opinion was consistent with its recent judgments concerning data transfers to “third countries” (outside the EEA) in Schrems and Tele2/Watson
Continue Reading CJEU: EU-Canada proposed agreement on the transfer of Passenger Name Record data does not conform to EU data protection law standards

The Article 29 Working Party (“WP29”), a group consisting of representatives from each European data protection authority, the European Data Protection Supervisor, and the European Commission, yesterday issued a press release detailing its recommendations for the first Annual Joint Review of the EU-U.S. Privacy Shield (“Privacy Shield”), which will take place in September 2017.  Specifically,

The first annual review of the EU-U.S. Privacy Shield (“Privacy Shield”) is scheduled to occur in September 2017 in Washington, D.C.  The first review is particularly important for the nascent framework, as regulators in both the U.S. and the EU are expected to closely scrutinize the operation of the first year of the Privacy Shield, address concerns that have been raised, and seek to ensure that the Privacy Shield is well positioned to continue operating as a valid legal basis for transfers of personal data from the EU to the U.S.

Under the Privacy Shield, an “Annual Joint Review” is conducted by the U.S. Department of Commerce (“Commerce”) and the European Commission (“Commission”), with participation by the FTC, EU data protection authorities and representatives of the Article 29 Working Party, and “other departments and agencies involved in the implementation of the Privacy Shield,” including the U.S. Intelligence Community and the Privacy Shield Ombudsperson for matters pertaining to national security.  Regulators have also indicated that they plan to solicit and incorporate feedback and comments from other Privacy Shield stakeholders as part of the review process, including from self-certified companies and other interested organizations.

Although this is the first annual review, it is important to note that the Privacy Shield has already been the subject of intense public scrutiny.  The draft text of the framework was released in February, several months prior to the final release in July, and a number of stakeholders took the opportunity to comment on the text, leading to several revisions designed to improve and strengthen the Privacy Shield. 
Continue Reading First Annual Privacy Shield Review Will Comprehensively Assess the Framework

Nearly 2,000 organizations are now listed as self-certified to the EU-U.S. Privacy Shield on the Department of Commerce’s (“Commerce”) Privacy Shield website.  Given current developments on both sides of the Atlantic, there are likely to be significant Privacy Shield developments in the coming months.

EU Justice Commissioner Věra Jourová recently concluded her visit to the U.S. to meet with Trump Administration officials and others regarding the status of the Privacy Shield.  During her visit, Commissioner Jourová spoke about the importance of the Privacy Shield as a framework with “enormous potential to strengthen the transatlantic economy and reaffirm our shared values.”  She also met with Commerce Secretary Wilbur Ross to discuss the Privacy Shield, and announced that the first annual joint review will occur in September, which she indicated would be “an important milestone where we need to check that everything is in place and working well.”
Continue Reading Privacy Shield Approaches 2,000 Participants; Review Scheduled for September

On January 25, 2017, President Trump signed a new Executive Order on Enhancing Public Safety in the Interior of the U.S.  Among other elements, the Executive Order directs U.S. government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information,” but only if doing so is “consistent with applicable law.”

This prompted certain commentators, such as Member of the European Parliament Jan-Philipp Albrecht, to question whether the Executive Order would have an impact on the robustness of the EU-U.S. Privacy Shield data transfer framework
Continue Reading European Commission Dismisses Privacy Shield Concerns Over Trump Executive Order

In an interview with Politico (link requires a subscription), EU Justice Commissioner Věra Jourová, one of the principal architects of the EU-U.S. Privacy Shield, indicated that she plans to visit the U.S. once the Trump Administration is in place to assess the state of the new administration’s commitment to the Privacy Shield.  In the interview, Jourová indicated that she would seek to ensure that the U.S. maintains a “culture of privacy” under the new administration, and that the U.S. government would continue to adhere to its commitments with regard to U.S. law enforcement and surveillance activities that were included within the Privacy Shield framework.

The Privacy Shield was based in part on a series of letters published by various Obama Administration officials relating to oversight and enforcement of the Privacy Shield Principles by the U.S. government.  These letters were included as annexes to the Commission Implementing Decision that forms the legal basis for the Privacy Shield in the EU, and are posted to the U.S. Department of Commerce’s Privacy Shield website.  They include a letter from the Department of State to Commissioner Jourová describing the new Privacy Shield Ombudsperson designated to field inquiries from the EU regarding U.S. signals intelligence practices, and letters from the Office of the Director of National Intelligence (Letter 1; Letter 2) and the Department of Justice describing safeguards and limitations applicable to U.S. national security authorities and law enforcement authorities, respectively.
Continue Reading EU Commissioner Plans to Assess U.S. Privacy Shield Commitments

On September 16, 2016, Digital Rights Ireland (“DRI”), a digital rights advocacy group, lodged an action with the EU General Court for annulment of the European Commission’s Decision on the EU-U.S. Privacy Shield arrangement.  While the existence of the application has only recently become public knowledge, it was widely-expected that the Privacy Shield would face a legal challenge.  It is also unsurprising that DRI have brought the action (given its objections to the Privacy Shield before it was agreed and its intervention in the Safe Harbor case).

Background

The Privacy Shield was agreed earlier this year, replacing the Safe Harbor framework that was invalidated by the Court of Justice of the EU (“CJEU”) in Schrems.  The Privacy Shield provides a legal basis for transfers of personal data from the European Economic Area to Privacy Shield-certified companies in the U.S.  To date, over 600 companies have certified to the Privacy Shield.  The Privacy Shield contains a much more robust set of commitments than those underpinning the Safe Harbor and will provide stronger protections to data subjects in the EU than its predecessor.
Continue Reading Challenge to EU-U.S. Privacy Shield Lands at EU Court

On July 8, 2016, the draft EU-U.S. Privacy Shield adequacy decision was formally approved by the so-called “Article 31 Committee” of EU Member States (see press release, here).

That approval opens the door for the College of EU Commissioners to approve the Privacy Shield on Monday (July 11).  Once translated and published in the Official Journal of the EU, the adequacy decision will then enter into force.

However, there may need to be an implementation period during which the EU and U.S. put in place relevant structures; it is expected that Commissioner Věra Jourová will provide more details to the European Parliament on Monday, and in a joint press conference on Tuesday with U.S. Secretary of Commerce Penny Pritzker.

Once that implementation phase is complete, U.S.-based companies will be able to self-certify under the Privacy Shield.  Doing so provides a legal basis which entities in the European Economic Area can rely on to transfer personal data to those Privacy Shield-certified companies in the US.
Continue Reading Privacy Shield Deal Passes Major EU Hurdle