2019
EU-US Privacy Shield: What You Need To Know
On December 19, 2018, the European Commission published its second report on the EU-US Privacy Shield, under which companies can certify adequate compliance with EU privacy standards in order to receive data from or concerning EU citizens. If you obtain such data, here is an overview of what you should know about the EU-US Privacy Shield.
The Death of the Safe Harbor
In what now seems like ancient history, U.S. companies could receive data from and concerning EU citizens if they certified compliance with International Safe Harbor Privacy Principles (the “Safe Harbor”). This was so because the European Commission had found that United States law provided for “adequate” protection of personal data (the “Safe Harbor Decision”). All was well until an Austrian consumer filed a complaint that Facebook failed to protect his data, and challenged the Commission’s finding that U.S. law provided adequate data protection.
On October 6, 2015, the Court of Justice of the European Union reversed the Safe Harbor Decision, with its ruling centering on the revelations by Edward Snowden concerning “the activities of the United States intelligence services …” in conducting mass surveillance. In the face of this information, the Court of Justice could not, it reasoned, conclude that adequate data protection existed in the U.S.
Under E.U. law, the Court of Justice explained, the privacy of individual information, including information contained in electronic communications, is so important that “permitting the public authorities to have access … must be regarded as compromising the essence of the fundamental right to respect for private life.”
Accordingly, the Court of Justice upheld the complaint for three major reasons:
- First, the court found the decision flawed because it was only applicable to companies that voluntarily agreed to it, and that the U.S. government itself was not subject to the decision.
- Second, it found that it allowed U.S. national interests to trump E.U. law, such that the U.S. government was free to disregard European privacy requirements when they conflicted with national security, public interest, or law enforcement interests — thus enabling the U.S. government to interfere with the privacy rights of E.U. citizens at will.
- Third, it denied E.U. citizens, and member countries acting on their behalf, the ability to pursue legal remedies for the misuse of personal data and receive an individualized determination of whether a foreign country afforded “an adequate level of protection of personal data.”
The Court of Justice then directed the data supervisory authorities involved in the case to proceed “with all due diligence” to investigate the complaint and decide whether the “transfer of data of Facebook’s European subscribers to the United States should be suspended on the ground that the country does not afford an adequate level of protection of personal data.”
The Aftermath: The EU-US Privacy Shield
In the wake of the Court of Justice’s decision, the European Commission adopted the EU-US Privacy Shield (the “Privacy Shield”), which became operational on August 1, 2016. The Commission included in the EU-US Privacy Shield a provision for an annual review to monitor whether adequate data protection continues to be provided under U.S. law.
Simply put, U.S. companies that obtain information from or about E.U. citizens have the option to sign up for the EU-US Privacy Shield with the U.S. Department of Commerce (the “DOC”).
Unlike under the Safe Harbor, the International Trade Administration of the DOC (the “ITA”) takes responsibility for making sure that U.S. companies live up to their Privacy Shield commitments. Once you sign on, all of the Privacy Shield commitments become enforceable obligations under U.S. law. And if you do not voluntarily sign up, you may be required to comply with even stricter requirements under European law, with limited recourse to U.S. administrative agencies or courts in connection with complaints or investigations.
Privacy Shield: Key Requirements
While the program is complex, key requirements include:
Privacy Policies. In order to participate, U.S. companies must have a privacy policy that meets the requirements of the EU-US Privacy Shield.
“The privacy policy must [among other things] inform individuals of their rights to access their personal data, the requirement to disclose personal information in response to lawful request by public authorities, which enforcement authority has jurisdiction over the organization’s compliance with the Framework, and the organization’s liability in cases of onward transfer of data to third parties.”
Privacy Complaint Process. Participants must provide a no-cost internal mechanism for addressing individual complaints and disputes which includes a requirement that the participant must respond within 45 days and an obligation to submit to binding arbitration at the request of the complainant.
Full Cooperation with the DOC. Participants must respond promptly to inquiries and requests from the DOC for all relevant information related to the EU-US Privacy Shield, whether related to a complaint or otherwise.
Data Integrity and Purpose Limitation. Personal information must be used only for purposes relevant to its processing and retained only as long as necessary to accomplish such purposes.
Ensuring Accountability for Outward Transfers. Participants must contract with third parties to provide the same level of data protection and data usage limitations as are imposed under the Privacy Shield. This includes requiring third parties to provide notice if they can no longer meet these obligations. Moreover, transfers of data can only be for limited and specified purposes. If a participant discovers that a third party has breached its obligations, it must take immediate steps to stop and remediate any such breach.
The official EU-US Privacy Shield website also provides pages that address a limited list of frequently asked questions, and this can be a good resource for an initial understanding of important aspects of the program.
Privacy Shield: The Latest Report
As noted earlier, the European Commission just issued its second annual report on the state of U.S. privacy laws, striking an upbeat tone, but demanding more. Among its key findings:
- More than 3,850 companies have been certified.
- The DOC has increased its proactive oversight of the program and its participants, including via “spot checks” of participants and reviewing participants’ privacy policies for compliance.
- The DOC is working on a system to identify false claims which “prevents companies from claiming compliance with the Privacy Shield, when they have not been certified.”
- The Federal Trade Commission (“FTC”) is becoming more aggressive and proactive in enforcing EU-US Privacy Shield compliance, including by issuing subpoenas.
- The report points out the failure of the U.S. to appoint a privacy ombudsman, and expects the failure to be remedied in short order.
You can obtain the full report here.
Next Steps
If you receive data from or about European citizens, it is important to look both at the European Union’s General Data Protection Regulation (“GDPR”), which may apply to you, and the EU-US Privacy Shield. Depending on your business, it may make sense to participate in the Privacy Shield.
Your legal advisors can help you navigate through this complex arena, and also prepare you for the next wave — burdensome and ever-more-complex U.S. privacy laws. A good example of the shape of things to come is California’s recent passage of the California Consumer Privacy Act of 2018 (the “CCPA”), which is set to take effect on January 1, 2020. The CCPA, which imposes onerous requirements on companies that sell to California consumers, is likely to be the subject of enforcement actions soon after its effective date.