The new EU - US Privacy Shield
February 29, 2016
The European Commission has today issued the texts forming part of its draft adequacy decision, which will form the new EU - US Privacy Shield framework. The Privacy Shield is the successor to the Safe Harbour transfer framework, which was invalidated in early October last year by the Court of Justice of the European Union (CJEU).
The draft adequacy decision is composed of the draft body of the decision, which follows usual EU Commission Decision parameters, and several annexes containing the core agreement reached between the EU and the US, much like the Safe Harbour adequacy decision.
Of particular importance is Annex II, which describes the principles of the Privacy Shield framework.
Annex II – Privacy Shield Principles (issued by US Department of Commerce)
Annex II contains seven core principles and 16 supplementary ones, which demonstrates how detailed the Privacy Shield requirements are. The core principles are: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability.
Unlike Safe Harbour, the Privacy Shield also covers access to personal data by public authorities, including for national security purposes. This has great significance given that it was the revelation of the US surveillance activities which triggered the fall of Safe Harbour, following a challenge by the activist Max Schrems.
The new Shield will also require organisations to self-certify to the US Department of Commerce and to provide follow-up procedures for verifying that the statements they made about their Privacy Shield privacy practices are true and implemented in practice.
The right of access is fundamental in the Privacy Shield Principles, with individuals having the ability to verify the accuracy of information held about them by obtaining a copy and having the data corrected, amended or deleted where it is inaccurate or processed in violation of the principles.
Individuals are given the opportunity to choose (opt out) whether their information is disclosed to a third party or used for a purpose which is materially different from the purpose(s) for which it was originally collected. Where this involves sensitive information, organisations must obtain affirmative express consent (opt in).
Consumers have several recourse mechanisms, the first of which is to the relevant organisation, which must respond within 45 days of receiving a complaint. Complaints can also be made to the EU Data Protection Authorities, who may refer these to the US Department of Commerce and the Federal Trade Commission, and if still unresolved, to the new Privacy Shield Panel. This will consist of arbitrators designated by the US Department of Commerce and the EU Commission, who can make binding and enforceable decisions.
The Principles state that 'sanctions need to be rigorous enough to ensure compliance' and that they may include publicity for findings of non-compliance, the requirement to delete data, suspension and removal of a seal, compensation for individuals for losses incurred and, for persistent non-compliance, removal from the Privacy Shield List.
European Commission Communication
The European Commission grouped the new arrangement into four main achievements:
- Strong obligations on companies and robust enforcement.
- Clear limits and safeguards with respect to US government access.
- Effective protection of EU individuals’ privacy rights with several redress possibilities - 'several accessible and affordable avenues to obtain individual redress, including cost-free alternative dispute resolution bodies', including a new Ombudsman created for complaints relating to access by national intelligence authorities.
- An annual joint review mechanism for the Commission to monitor the functioning of the Privacy Shield, going beyond the GDPR, which requires reviews only every four years.
In its communication, the Commission stated that 'companies are encouraged to already begin their preparations so as to be in a position to join the new framework as soon as possible after it is in place following the adoption of the Commission decision.'
The next step will be for the Article 29 Working Party to give its opinion and for the US to carry out its preparations for the new framework, prior to the adoption of the decision.