Putting the EU-US Privacy Shield into motion – what next?

5th August 2016

This article was first published on Lexis®PSL IP & IT on 29 July 2016. Click for a free trial of Lexis®PSL.

The European Commission finally adopted the EU-US Privacy Shield on 12 July 2016. The Regulatory Team at Walker Morris consider what this means for the transfer of personal data between the EU and US.

Original News

The EU-US Privacy Shield framework, created to protect the rights of those EU citizens whose personal data is transferred to the US, has been launched by the European Commission. The framework was also created to bring legal clarity to those businesses relying on transatlantic data transfers.

What is the Privacy Shield?

Under the EU’s data protection laws, personal data must only be transferred out of the European Economic Area (the EEA), if it is being transferred to a country which ensures an adequate level of protection for that data. The European Commission (the Commission) may find that a country ensures such an adequate level of protection by reason of its domestic law or of the international commitments it has entered into in order to protect the rights of individuals.

The US is not recognised by the Commission as providing an adequate level of protection. Historically, only US organisations who complied with the Safe Harbor provisions were deemed to provide adequate protection for data transferred from the EEA. However, Safe Harbor was held to be invalid by the Court of Justice of the European Union (the CJEU) on 6 October 2015 in C-362/14 Schrems v Data Protection Commissioner [2015] All ER (D) 34 (Oct) (the Schrems Decision).

On 12 July 2016, the Commission adopted an adequacy decision that concludes that US organisations which are registered under the EU-U.S. Privacy Shield (Privacy Shield) provide an adequate level of protection for personal data transferred from the EU to such US organisations.

Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes. The aim of the Privacy Shield is both to protect the fundamental rights of EU individuals where data is transferred to the US and to ensure legal certainty for businesses.

Have there been any issues with the adoption of the Privacy Shield?

The Commission published the draft Privacy Shield mechanism on 29 February 2016 to much fanfare. However, it received widespread criticism including from the Article 29 Working Party (the Working Party) (see Preparing for Privacy Shield – what’s next?), the European Data Protection Supervisor (the EDPS) (see European Data Protection Supervisor issues opinion on Privacy Shield) and the European Parliament.

The main concerns raised included:

• the Privacy Shield did not prevent mass and indiscriminate collection of EU personal data by US public authorities
• that the newly created Privacy Shield Ombudsman mechanism neither had adequate powers nor was it sufficiently independent to provide a satisfactory remedy for EU individuals whose personal data is misused
• the Privacy Shield had been drafted on the basis of the current data protection regime and did not take into account the changes to be introduced by the General Data Protection Regulation (GDPR) from 25 May 2018
• the lack of clarity and consistency arising from the fact that the Privacy Shield is set out across several documents making the information both difficult to find and, at times, inconsistent
• the inconsistency of the language used created a number of loopholes which organisations could use to avoid their obligations
• the framework did not address all of the basic principles contained in the current EU legislation and the provisions relating to data retention, automated processing, onward transfers, the right to access and the right to object were highlighted as needing further development
• the redress mechanisms were so complex that they were effectively ineffective, and
• the specific mechanics of the annual joint review mechanism had to be agreed.

The EDPS also believes that the concept of “self-regulation by private organisations as well as representation and commitments by public officials’ are not ‘sufficient to safeguard the rights and interests of individuals and fully satisfy the needs of a globalised digital world”.

In light of the heavy criticism the Commission reopened negotiations with the US in order to try and address these issues. A revised draft of the Privacy Shield was submitted to the Article 31 Committee (made up representatives of the EU Member States) and, on 8 July 2016, the Article 31 Committee approved the revised draft. Interestingly, while 24 Member States (representing 95.66% of the EU population) voted in favour, four Member States abstained.

The revised Privacy Shield was officially adopted by the Commission on 12 July 2016.

Does the revised draft deal with all of the criticisms?

In short, no, not all of the criticisms have been addressed:

• the Privacy Shield remains a self-certification mechanism
• the detailed framework of Privacy Shield is still spread across multiple documents (namely, the Commission’s communication dated 29 February 2016, the adequacy decision and its seven annexes)
• the Working Party’s request for a glossary of defined terms has not been granted
• the redress mechanisms remain as complex as ever, although the adequacy decision has been amended to make it clear that, except for arbitration by the Privacy Shield panel—which is a last resort and can only be invoked once all other methods of recourse have been exhausted—individuals can choose which redress mechanisms to use in what sequence, and
• the detailed mechanics of the annual joint review still need to be agreed.

However, there is now significantly more detail on the restrictions and limitations of the ability of the US authorities to carry out bulk collection of data and the Office of the Director of National Intelligence has provided assurances that such collection is neither ‘mass’ nor ‘indiscriminate’. There is also more explanation as to how the Privacy Shield Ombudsman mechanism will operate in practice to demonstrate its independence.

The Commission also clearly expects the Privacy Shield framework to be a ‘live’ set of documents which are subject to regular review and amendment and it acknowledges in the adequacy decision that the Privacy Shield will need to be reviewed:

• when section 702 of the US Foreign Intelligence Surveillance Act 1978 is reviewed in 2017 at which time the Commission will have to reassess the safeguards available to EU data subjects and
• when the GDPR comes into force in 2018 as the Privacy Shield currently makes no reference to privacy by design and default, data portability or the right to be forgotten.

The provisions relating to data retention, onward transfers, automated processing, right to access and right to object have also been developed (with some receiving more detailed amendments than others) but the Working Party has said that these amendments have not fully resolved all of the issues which it highlighted in its opinion (WP 238) dated 13 April 2016 (see Preparing for Privacy Shield – what’s next?).

What has the Working Party said about the revised Privacy Shield?

In its statement released on 26 July 2016, the Working Party welcomed the improvements which the Privacy Shield has made on the previous Safe Harbor mechanism. It also commended the Commission and the US authorities for taking the Working Party’s concerns about the Privacy Shield into consideration in the final version of the Privacy Shield.

However, the Working Party considers that a number of its concerns, particularly in relation to the lack of specific rules on automated decisions, the general right to object and how the Privacy Shield principles apply to processors, have not been fully addressed.

The Working Party also states that it would have expected stricter guarantees concerning the independence and powers of the Ombudsman mechanism and that it regrets the lack of concrete assurances that mass and indiscriminate collection of personal data does not take place.

What does the Working Party’s statement mean for the Privacy Shield?

The Working Party’s opinion is non-binding on the Commission and will not have any effect on the adoption of the Privacy Shield.

Although the Working Party cannot veto the adoption of the Privacy Shield, its members (which are representatives of the national data protection authorities (DPAs) of the Member States) are responsible for dealing with complaints about the transfer of personal data to the US under the Privacy Shield. The CJEU also confirmed in the Schrems decision that the DPAs are not bound by the Commission’s adequacy decision – they are therefore still able to exercise their powers to suspend data transfers to the US on the basis of the Privacy Shield if the compatibility of the Commission’s adequacy decision with the fundamental right to privacy and data protection is called into question. The Working Party has committed to “proactively and independently assist the data subjects with exercising their rights under the Privacy Shield mechanism, in particular when dealing with complaints”.

Will the Privacy Shield be subject to a legal challenge?

The general consensus appears to be that the Privacy Shield will almost certainly be challenged before the courts in the not too distant future.

Prior to its adoption, Christopher Graham, the UK’s former Information Commissioner suggested, that if the Privacy Shield was adopted without all of the issues highlighted by the Working Party being fully resolved, the Privacy Shield would almost certainly face a legal challenge, “the Article 29 Working Party…posed some very reasonable questions about the documentation surrounding the Privacy Shield…[a]nd I think those questions need answers…if the Article 29 Working Party can ask those questions then so can the Court of Justice”.

The Working Party itself has said that the first joint annual review will be a key moment for the robustness and efficiency of the Privacy Shield to be further assessed and that “the national representatives of the [Working Party] will not only assess if the remaining issues have been solved but also if the safeguards provided under the EU-U.S. Privacy Shield are workable and effective.”

It has been reported that during the ongoing Irish proceedings in respect of the complaints lodged by Max Schrems (the claimant in the Schrems Decision), the Irish Data Protection Commissioner has already suggested to the Irish court that the Privacy Shield should be reviewed by the CJEU at the same time as the model contract clauses.

Max Schrems, himself has said that the Privacy Shield “is little more than a little upgrade to Safe Harbor, but not a new deal. It is very likely to fail again, as soon as it reaches the CJEU”.

The fact that four Member States abstained from the Article 31 Committee vote also indicates that there is still doubt that the Privacy Shield provides adequate protection for European personal data.

In an unusual move, perhaps in a bid to address these doubts and head off any potential challenge to the Privacy Shield, the US Government has successfully applied to the Irish High Court to be joined as an amicus in the case between Schrems and Facebook, (see News Analysis: US joins case over Facebook data transfers from EU). The US Government will have to defend its mass surveillance systems under oath in a foreign court and Max Schrems is looking forward to the opportunity to grill the US government. “This may be a unique opportunity for us. I therefore very much welcome that the US government will get involved in this case. This is a huge chance to finally get solid answers in a public procedure. I am very much looking forward to raise all the uncomfortable questions on US surveillance programs in this procedure. It will be very interesting how the US government will react to the clear evidence already before the court”.

However, the US government may find it difficult to convince the Irish High Court that its behaviour, for example in the ongoing case between Microsoft and the US Department of Justice (the DoJ) which predates the invalidation of Safe Harbor, is compatible with the fundamental right to privacy and data protection. Microsoft has refused to hand over customer emails stored on a Hotmail server in Ireland which the DoJ is demanding should be delivered up under a US Government warrant. The DoJ is arguing that the demand is lawful under the US Electronic Communications Privacy Act 1986. A US federal judge has already ordered Microsoft to hand over the emails and the outcome of the appeal which was heard in September 2015 is still awaited.

Microsoft also filed a lawsuit against the US Government earlier this year claiming that over an 18 month period it had received 5,624 legal orders under the US Electronic Communications Privacy Act 1986, of which 2,576 had prevented Microsoft from disclosing that the US Government was seeking customer data through warrants, subpoenas and other requests. Microsoft said that most of the requests related to individuals and there was no fixed end date to the restriction on informing the individuals that their data had been requested by the US Government.

In the words of Max Schrems, “[a]s long as far-reaching US surveillance laws apply [to EU-US data flows], any legal basis will subject to invalidation or limitations under EU fundamental right”.

What does Brexit mean for the UK and the Privacy Shield?

The UK is still a member of the EU and so, for the time being at least, the Privacy Shield will be a valid mechanism for UK organisations to transfer personal data lawfully to the US.

It is difficult to say with any certainty at the moment, what will happen once the UK leaves the EU. However, it is possible the Information Commissioner’s Office will deem that US organisations registered under the Privacy Shield provide adequate protection for UK personal data.

What’s next for the Privacy Shield?

US organisations will be able to register with the US Department of Commerce (DoC) from 1 August 2016.

How do US organisations register under Privacy Shield?

In order to self-certify US organisations must:

• be subject to the investigatory and enforcement powers of the Federal Trade Commission, Department of Transport or other US statutory body
• file a self-certification submission signed by a corporate officer
• publish a privacy policy which complies with the Privacy Shield principles
• register with an independent recourse mechanism either in the US or the EU
• have in place a verification mechanism to review and confirm compliance with the Privacy Shield principles—this can either be an internal self-assessment or third party assessment programme
• designate a point of contact for handling all questions, complaints, access requests and other issues relating to the Privacy Shield, and
• include links on their websites to the relevant parts of the DoC’s website, the Privacy Shield list and the website of the independent recourse mechanism with which they have registered.

Further details of the registration process are expected to be published by the DOC shortly, see the DoC’s Privacy Shield website.

US organisations must comply with the Privacy Shield principles immediately upon certification. They must therefore ensure that their privacy policy and underlying procedures are compliant with the principles prior to submitting their self-certification application.

There are no transitional provisions, except in respect of the accountability for onward transfer principle. US organisations who register under the Privacy Shield before 1 October 2016 will have nine months from registration to bring their pre-existing commercial relationships with third parties, to whom they transfer EU personal data, into line with the Privacy Shield principles.

Can US organisations transfer their Safe Harbor certification to Privacy Shield?

No, US organisations which were registered under Safe Harbor will need to complete the self-certification process under Privacy Shield in full.

Are the model contract clauses and binding corporate rules still valid?

The Working Party has confirmed that, for the time being at least, binding corporate rules remain valid and can be relied upon for the purposes of transatlantic data transfers. However, the indication was that these would also be reviewed once the Privacy Shield was finalised.

Although the model contract clauses also remain valid for now and organisations can rely on them, the Irish Data Protection Commissioner announced on 25 May 2016 that, as part of its ongoing review of the complaint made by Max Schrems against Facebook Ireland, it intends to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under model contract clauses.

On the basis that the model contract clauses offer little (if any) additional protection against mass surveillance by the US authorities, it is likely that these will also be ruled as invalid (at least in respect of data transfers to the US) by the CJEU.

The Working Party has also indicated in its statement on the revised Privacy Shield that both the model contract clauses and the binding corporate rules may be reviewed in 2017 following the first joint annual review of the Privacy Shield “the results of the first joint review regarding access by U.S. public authorities to data transferred under the Privacy Shield may also impact transfer tools such as Binding Corporate Rules and Standard Contractual Clauses”.

What should US organisations be doing now?

US organisations should carry out a cost-benefit analysis of the various available transfer mechanisms and decide in accordance with their risk appetite whether they register under the Privacy Shield, adopt the model contract clauses or incorporate both into their compliance programme.

Given the uncertainty over the future validity of the model contract clauses and the potential legal challenges to the Privacy Shield, it may be prudent for US organisations to hedge their bets and employ both mechanisms. However, this will need to be weighed carefully against the costs and administrative burden of complying with two mechanisms.

Whichever option they choose, US organisations will need to monitor developments in this area closely.

Interviewed by Alex Heshmaty, Lexis Nexis