EU-US Privacy Shield
The so-called EU-US ‘Privacy Shield’, agreed between the European Commission (“EC”) and the US Department of Commerce (“DOC”) in February 2016, is a new framework for transatlantic data flows. It entered into force on 1st August 2016 and allows for transfers from a data controller or data processor in the EU to self-certified US companies.
This follows the ruling of the Court of Justice of the European Union in October 2015 that the old 'Safe Harbor' framework did not ensure adequate protection for transfers of individuals' data to the US (see our previous article European Ruling that 'Safe Harbor' is invalid). The new framework is intended to protect the fundamental rights of Europeans in relation to transatlantic transfers of their data and to give businesses legal certainty.
The EC has published a Guide to the EU-US Privacy Shield which explains how individuals' rights are protected under the Privacy Shield framework. The Information Commissioner's Office (“ICO”) has also published a blogpost summarising the current position on EU-US data transfers.
What do US companies need to do under the Privacy Shield?
Participation is entirely voluntary, but US companies have been able to self-certify with the DOC since 1st August 2016 (see DOC: How to Join Privacy Shield: Guide to Self-Certification).
In practice, if American companies decide to certify, they will need to:
- self-certify annually that they meet the Privacy Shield requirements;
- display their Privacy Shield-compliant privacy policy on their website;
- reply promptly to any complaints at no cost to the individual;
- have procedures in place for verifying compliance; and
- provide a contact point to handle complaints, access requests and other matters arising under the Privacy Shield.
Privacy Shield Principles
Companies that participate in the Privacy Shield must adhere, where relevant, to the following Privacy Shield principles (“Principles”), which are largely based on Safe Harbor, although requirements around their implementation have been enhanced:
- Notice - at the point at which individuals are first asked to provide personal information, organisations must inform them of matters such as the organisation’s participation in the Privacy Shield, the types of data collected, the purposes for which the data is collected, the organisation's contact details, the identity of any third parties to whom their data will be transferred, their right to access their data, the means available for limiting the use and disclosure of their personal data, and the independent dispute resolution body designated to address complaints and provide appropriate recourse;
- Choice - organisations must, for example, offer individuals the opportunity to opt out of any disclosure of personal data to a third party, or of the use of data for a purpose other than the one for which it was originally collected;
- Accountability for onward transfer of data to:
- a controller - to transfer personal information to a third party acting as a controller, organisations must comply with the Notice and Choice Principles. They must also enter into a contract with the third party that provides that: (a) such data “may only be processed for limited and specified purposes” consistent with the data subject’s consent; and (b) the third party will provide the same level of protection as the Principles;
- an agent - where the third party is acting as an agent, the organisation must in addition “take reasonable and appropriate steps” to ensure the agent provides at least the same level of privacy protection as required by the Principles, including to “stop and remediate” any unauthorised processing. On request, the organisation must also provide the DOC with a summary or copy of the relevant contractual privacy provisions;
- Security - organisations must take reasonable and appropriate measures to protect personal information from loss, misuse and unauthorised access, disclosure, alteration and destruction;
- Data integrity and purpose limitation - data collected must be limited to the information that is relevant for the purposes of processing. Organisations must also take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current. In addition, they must adhere to the Principles for as long as they retain such information;
- Access - organisations must provide individuals with access to their personal data as well as the ability to correct, amend or delete information that is inaccurate or has been processed in violation of the Principles. This is subject to various exceptions including where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, where the rights of persons other than the individual would be violated or for reasons of national security, defence or public security;
- Recourse, enforcement, and liability - the requirement for detailed recourse and dispute resolution mechanisms is new. Amongst other things, organisations need to provide: (a) recourse to deal with individuals’ complaints and to investigate disputes, at no cost to the individual; (b) follow-up procedures for verifying that the attestations and assertions they have made about their privacy practices are true; and (c) mechanisms to remedy problems arising out of any failure to comply with the Principles, together with consequences for organisations that fail to comply.
Organisations also need to implement processes for responding to inquiries and requests from the DOC regarding compliance with the Principles.
Regarding onward transfers of data, an organisation remains liable if its agent processes data in a way that is inconsistent with the Principles, unless the organisation proves that it is not responsible for the event giving rise to the damage.
Further details of the Privacy Shield Principles can be found here and participating organisations must also adhere to 16 supplemental principles, where applicable.
The Privacy Shield applies to both controllers and processors (agents) and processors must be contractually bound to act only on instructions from the EU controller and assist the latter in responding to individuals exercising their rights under the Principles.
What does this mean for existing mechanisms to transfer data such as the Model Contract Clauses and Binding Corporate Rules?
The ICO has confirmed that these remain valid ways to transfer personal data to the US. Details of the other options can be found in the relevant ICO guidance, which the ICO will be updating to cover the Privacy Shield.
Looking forward and further information
It remains to be seen what the take-up of the Privacy Shield will be, although several hundred companies appear to have self-certified already. The Privacy Shield may offer an advantage where a US company receives data from multiple EU-based businesses, since it could obviate the need to enter into the Model Clauses with each one. However, self-certifying undoubtedly comes with its own burdens and costs and, currently, there is no certainty that all EU-based businesses will accept the Privacy Shield. Some may prefer the existing Model Clauses, not least because there is ongoing debate as to whether the legality of the Privacy Shield will be challenged.
There is an EC Factsheet as well as a DOC Factsheet, which have some useful information on the key elements of the Privacy Shield and requirements for participating companies respectively. We will be keeping a watch on any further developments and will update this article accordingly.
28th September 2016