Worldwide: The EU-US Privacy Shield's Impact On Online Advertising

1. For marketers doing business on an international level a constant cross-border data flow is crucial and - to be capable of successfully applying their practices - they are frequently in need to transfer data from one country to another in an easy and timely way.

In the past US based companies could rely – to address these needs – on the 'Safe Harbor' system, an agreement between the European Commission and the FCC, in force since 2000, governing the transfer of EU citizen's data to the US and granting that in the context of such transfer both, individuals' rights as well as safety measures to protect data, would enjoy standards equal to those set by the EU privacy regulations.¹

2. On October 6, 2015, the Court of Justice of the European Union had to deal with the Safe Harbor agreement² and came to the conclusion that the European Commission's Safe Harbor Decision, preventing the national DPAs from assessing – when called into action by an individual - whether said decision was actually granting sufficient protection to an individual's privacy and fundamental rights, resulted illegal as the Commission lacked of the competence to interfere with the national DPA's powers in such an intrusive way.

3. Given the enormous impact on business performed internationally, the European Commission and US Authorities rushed to come up with a new solution, allowing the data transfer to continue. To the purpose, the EU-US Privacy Shield was born - on July 12, 2016 - as "a robust new system to protect the personal data of Europeans and ensure legal certainty for businesses"³ to substitute the former 'Safe Habor' agreement⁴.

The new agreement provides US companies with a 'self-certification' system, adherence to which is to be notified to the Department of Commerce and implies compliance with a number of key principles, to be taken into account by marketers' promotional strategies, any time they act as data 'controllers' or 'processors' and are involved in data transfer from the EU to the US. The Shield constitutes a rather complex document. Therefore, only the key principles to consider will be mentioned in the following.

4. Once a US company has adhered to the Shield⁵, it will have to keep its own promises, will face regular reviews from the Department of Commerce⁶ as to actual compliance and will need to fulfill the following obligations (the Principles):

• the Notice Principle requires to offer data subjects comprehensive information on aspects such as: type of data collected, purpose of processing, right of access and choice, conditions for onward transfers, liability,
• the Data Integrity and Purpose Limitation Principle brestricts the collection of personal data to information relevant to the purpose of the processing as well as of the original collection and calls for data to result "reliable for its intended use, accurate, complete and current". The principle implies that "personal information may be retained in a form identifying or rendering an individual identifiable (and thus in the form of personal data) only for as long as it serves the purpose(s) for which it was initially collected or subsequently authorized",
• the Choice Principle allows data subjects the right to object (opt out), when their data are used for a "new (changed) purpose .. materially different but still compatible with the original purpose",
• under the Security Principle entities involved in data collection, storage. maintenance or dissemination must adopt "reasonable and appropriate" security measures with respect both, to the risks involved by the processing as well as by the nature of the data handled (when sub-processors are used, their compliance with the principles has to be sought through specific contractual obligations),
• the Access Principle grants data subjects an almost unlimited right to achieve knowledge – "without need for justification and only against a non-excessive fee" – about whether an organization is processing personal data related to them and – if so – to have the data communicated within reasonable time,
• the Recourse, Enforcement and Liability Principle requires to grant (compulsory) compliance with the Shield's key principles and to annually re-certify such compliance of privacy policies⁷. It also calls for an 'effective redress mechanism', capable of dealing timely with any complaints received with respect to data processing.
• the Accountability for Onward Transfer Principle will result particularly relevant to marketers, as it sets that 'onward transfer' of collected data is allowed only when it: (i.) occurs for limited an specified purposes and consistent with data subject provided consent, (ii.) is performed on the basis of a contractual agreement (or of a comparable legal act), and when (iii.) such agreement offers a level of protection identical to that granted by the Principles (bearing in mind that the original controller, transferring the data, remains fully liable for the receiving organization's exact and full compliance with the principles)⁸.

5. These comments are to be intended as per now. Once the General Data Protection Regulation – GDPR⁹ will be in force and fully applicable, the Shield's requirements are necessarily to be put into context with the Regulation's provisions.

Footnotes

1 On the basis of such agreement the European Commission issued its decision no. 2000/520/EC of 26 July 2000 ("pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles").

2 The case – no. C-362/14 - was referred by the High Court of Ireland and originated from a lawsuit between Mr. Maximilian Schrems, an Austrian privacy activist, objecting to Facebook's practice to transfer users' personal information from its Irish subsidiary to servers located in the US. According to Mr. Schrems, after the press reports about the NSA's surveillance practices, the US could no longer be deemed as ensuring an adequate level of protection of the personal data transferred. 

3 Press Release IP/16/2461 of Ms. Věra Jourová, Commissioner for Justice, Consumers and Gender Equality European Commission.

4 The agreement basically results in a new 'adequacy' assessment with respect to the US granting EU privacy standards.

5 The list of companies registered the system will be administered and published by the Department of Commerce, in charge also of the updating the list.

6 The Department will also monitor any false claims of Privacy Shield participation or the improper use of the Shield certification mark, and DPAs can refer organizations for review to a dedicated contact point at the Department.

7 Adhering companies are to provide for adequate 'internal procedures', to offer their employees educational training on the implementation of the privacy policies in place and to either arrange for periodical compliance checks or to undergo an outside compliance review (inclusive auditing or random checks).

8 For details check Annex II, section III.

9 Regulation (EU) 2016/679 of 27 April 2016 "on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC" (General Data Protection Regulation), approved on May 24, 2016 and applicable on May 25, 2018.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.