On 29 February 2016, after more than two years of negotiations with the US Department of Commerce, the European Commission released the legal texts that will put in place the EU-US Privacy Shield (the "Privacy Shield"), which is the renewed framework for transatlantic exchanges of personal data.

The "package" published by the European Commission includes: (i) the EU-US Privacy Shield Framework Principles issued by the US Department of Commerce (the "Principles"); (ii) written commitments by the US Federal Trade Commission ("FTC") and the Department of Transportation ("DoT") on the enforcement of the arrangement; (iii) letters from the US Office of the Director of the National Intelligence and the US Department of Justice with assurances on the safeguards and limitations concerning access to data by public authorities; and (iv) a letter from the US Department of State with a commitment to create a new "Privacy Shield Ombudsperson".

In addition, the European Commission also published a draft "adequacy decision" which, when finally adopted by the European Commission, would allow EU companies to transfer personal data to US recipients that are registered under the Privacy Shield.

The new framework provides for important new safeguards to reflect the requirements set out by the Court of Justice of the European Union in its Schrems ruling of 6 October 2015 (see VBB on Business Law, Volume 2015, No. 10, p. 8, available at www.vbb.com). Unlike its predecessor, the EU-US Safe Harbor, the Privacy Shield covers not only commitments in the commercial sector but also, for the first time, commitments in the area of access to personal data by public authorities, including for national security purposes. The Privacy Shield provides for US government oversight and increased cooperation with EU data protection authorities ("DPAs"). The published documents also describe in more detail the measures that companies wishing to rely on the Privacy Shield must implement, and increase transparency as to how participating companies may use EU citizens' personal data.

  1. EU-US Privacy Shield Framework Principles

The Privacy Shield is based on a system of self-certification by which US organisations commit to a set of privacy principles – the Privacy Shield Framework Principles (the "Privacy Principles") – that were issued by the US Department of Commerce. Hence, the system is voluntary for US companies wishing to transfer personal data between the EU and the US. However, companies that sign up must comply with the Privacy Principles and thus subject themselves to investigation and enforcement measures.

In order to enter the Privacy Shield, a company must provide the Department of Commerce with a self-certification submission, signed by a corporate officer on behalf of the organisation, which includes: (i) the name of the company; (ii) a description of its activities; and (iii) a description of the company's privacy policy. The Privacy Principles apply immediately upon certification and companies must annually re-certify their commitment to these principles.

The Privacy Principles include the following rights and obligations:

Notice: companies must:

  • inform individuals about the type of data collected, the purpose of processing, the right of access and conditions for onward transfers and liability;
  • make public their privacy policies (implementing the Privacy Principles) and provide links to the Department of Commerce's website; and
  • inform individuals about the choice and means which the company offers them for limiting the use and disclosure of their personal data.

Choice: individuals have the option to opt in or opt out:

  • individuals can object to ("opt out from") the use of their personal data: (i) for direct marketing purposes; (ii) for disclosure to a third party; and (iii) for use for a "materially different" purpose than that for which it was provided; and
  • individuals must give affirmative express consent ("opt in") if sensitive information is to be disclosed to a third party or used for a purpose other than that for which it was initially collected or for which express consent had been given.

Accountability for Onward Transfer

  • Any onward transfer of personal data from an organisation to controllers or processors can only take place: (i) for limited and specified purposes; (ii) on the basis of a contract (or comparable arrangement within a corporate group); and (iii) provided that the contract provides the same level of protection as that guaranteed by the Privacy Principles.

Security

  • The Privacy Shield obliges companies to implement reasonable and appropriate security measures.

Data Integrity and Purpose Limitation

  • Privacy Shield companies must limit personal data to data that is relevant; reliable for its intended use; accurate; complete; and current.

Access

  • A company must create a mechanism by which data subjects may obtain confirmation, within a reasonable time and for a non-excessive fee, of whether the company is processing information relating to them; and
  • a company must grant individuals access to their personal information and allow them to correct, amend, or delete that information if it is inaccurate or if it has been processed in violation of the Privacy Principles.

Recourse, enforcement

  • Registered companies must put in place independent recourse mechanisms to resolve complaints submitted by EU-based individuals expeditiously (within 45 days) and at no cost to the individual;
  • companies must provide individuals with the possibility to have recourse to a form of alternative dispute resolution, including the Privacy Shield Panel, a dispute resolution mechanism that can adopt binding and enforceable decisions against US companies registered under the Privacy Shield;
  • US companies must commit to cooperating with EU data protection authorities; and
  • in case of withdrawal from the Privacy Shield List, return or delete the personal information received under the Privacy Shield.

Finally, companies must take measures to verify that their published privacy policies conform to the Privacy Principles and are, in practice, complied with. This verification can be done through self-assessment or outside compliance reviews.

  2. US Government Guarantees

The US government has given the EU written assurances that any access by public authorities to personal data of EU individuals for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms, preventing generalised access to personal data.

In a letter to the European Commission, John Kerry, US Secretary of State, has committed to establishing a new redress mechanism for EU data subjects through an Ombudsperson. The Ombudsperson, who will be a US official independent from the national security services, will follow up on complaints and enquiries by individuals and inform them whether the relevant laws have been complied with.

  3. Draft Adequacy Decision

On 29 February 2016, the European Commission published a draft "adequacy decision" in which it concluded that the Privacy Principles issued by the US Department of Commerce "ensure a level of protection of personal data that is essentially equivalent to the one guaranteed by the principles laid down in Directive 95/46/EC".

The Commission pointed out that US law contains clear limitations on the access and use of personal data transferred under the Privacy Shield for national security purposes, as well as oversight and redress mechanisms that provide "sufficient safeguards" for those data to be effectively protected against unlawful interference and the risk of abuse. The Commission therefore concluded that "there are rules in place in the United States designed to limit any interference for law enforcement or other public interest purposes with the fundamental rights of the persons whose personal data are transferred from the Union to the United States under the EU-US Privacy Shield to what is strictly necessary to achieve the legitimate objective in question, and that ensure effective legal protection against such interference".

The European Commission commits to keep monitoring the functioning of the Privacy Shield with a view to assessing whether the US system continues to ensure an adequate level of protection of personal data transferred from the EU to organisations in the US that have registered under the Privacy Shield. If the European Commission finds that effective compliance with the Principles in the US might no longer be ensured, it will suspend the adequacy decision on the Privacy Shield.

The Privacy Shield is currently being reviewed by the EU's Article 29 Working Party, an independent European advisory body on data protection and privacy comprised of a representative of each national DPA of the EU Member States, which will give an opinion on the level of protection afforded within the next few months. Taking that opinion into account, the European Commission will then formally adopt the adequacy of the Privacy Shield under the comitology procedure (the European Commission aims for adoption by June or early summer 2016).

Further reading: Press release of the European Commission; Privacy Shield Framework Principles; and Draft European Commission decision on the adequacy of the protection provided by the EU-US Privacy Shield.