Earlier this week, the European Commission voted to formally approve the Privacy Shield—a set of principles agreed between the E.U. and the U.S. to enable certified U.S. companies to receive and process personal data from the E.U. The finalization of the Privacy Shield has followed months of political and regulatory wrangling over its terms, with previous drafts being subject to criticism from an array of concerned parties, which ultimately delayed the Privacy Shield’s original June 2016 implementation target. Now that we have the new and improved version, we take a look at some of the key changes made to the previous proposal and consider what U.S. companies should be thinking about when weighing up their options to facilitate trans-border data flows.
Government Snooping— One key change is a commitment from the White House regarding bulk collection of data sent from the E.U. to the U.S. A key driver behind the court case that ultimately led to the downfall of the Safe Harbor regime was the almost unfettered right of the U.S. government to collect personal data of E.U. citizens en masse. On the face of the framework, the U.S. appears to have made significant promises in this area, where only targeted (rather than indiscriminate) collection is permitted other than in exceptional circumstances, and there are checks in place regarding the amount and purpose of data collection. The reality of what this means remains to be seen.
Redress Mechanisms— Each potential avenue of individual redress is more clearly delineated in the final version. Obligations are placed on Privacy Shield organizations to establish free complaints procedures and individuals can also bring complaints to the FTC (in the U.S.) or DPAs (in the E.U.). In addition, the Ombudsperson’s role has been strengthened with a view to ensure legitimate policing—stronger language has been introduced emphasizing his or her independence, ability to obtain necessary information and overall cooperation from intelligence agencies.
Onward Transfers of Data— If a U.S. entity wishes to transfer E.U. personal data to a third party (effectively, a subcontractor or subprocessor), there must be a contract in place with the third party that imposes the same level of protection required by the Privacy Shield Principles. It is unclear how this will play out in practice as there is no guidance as to how this must be achieved, so there will likely be the same “shades of grey” facing companies as there are when trying to flow down provisions of the Model Contract Clauses to subprocessors. There is a mechanism in place to deal with subprocessing contracts that are already in force, but this is still likely to be an area that will cause the confusion in the short term.
Data Retention— To address concerns surrounding the ability of U.S. companies to indefinitely retain personal data, an express obligation has been introduced to delete data once it is no longer relevant for the purpose for which it was collected. Companies will have to consider the practicalities of this from a technical perspective.
Any U.S. organization that is under the jurisdiction of either the Federal Trade Commission or the Department of Transportation can self-certify on the Privacy Shield website of the Department of Commerce from August 1, 2016 onwards. In doing so, it must conform to the core principles set out in the Privacy Shield including notice, data integrity, security, access, resource and accountability, each as described in more detail in the Privacy Shield documentation. Following this, the Department of Commerce will review the self-certification form in order to confirm that required information has been provided and that it addresses all the Privacy Shield requirements. If so, the Department of Commerce will list the relevant entity (and any certifying affiliates) on its Privacy Shield List.
While self-certification may seem a relatively painless operation (the very reason that Safe Harbor was subject to so much skepticism in Europe), ensuring that a flexible but robust compliance procedure is put in place will be the challenging part. In the U.S., the Department of Commerce and Federal Trade Commission will be primarily responsible for monitoring and enforcing compliance, and the DPAs will continue to chase down those who abuse the system from the E.U. For noncompliance, businesses may be required to return or delete personal data, certification may be revoked, and under E.U. law, transfers without the correct mechanism in place to legitimize those transfers may be subject to fines.
While usual business considerations are likely to factor into this decision (How much will it cost? How hard is it to maintain? Will it increase revenue or create efficiencies?), the single biggest dark cloud hanging over the Privacy Shield is the likelihood that it will be challenged in the E.U. courts and the possibility it will suffer the same fate as its Safe Harbor predecessor—invalidation. Four countries abstained from last Friday’s vote, implying skepticism at the highest level. The Article 29 Working Party, which was heavily critical of the previous draft, is soon to pass judgment on the final version and it is hard to predict which way that will go. Privacy advocates continue to be active in this area, and it is highly likely that somebody somewhere will challenge the Privacy Shield.
To put this risk into context, since the invalidation of the Safe Harbor regime, many U.S. companies have been scrambling to put in place Model Contract Clauses to plug the void left by the Safe Harbor. This has often necessitated a wholesale audit of data flows to ensure compliance with the Model Contract Clauses, including, for example, ensuring that all obligations of those clauses are flowed down to all subprocessors. The entire supply chain, from end to end, has begrudgingly had to accept the Model Contract Clauses and the increase in risk that they bring. Therefore, in order to successfully comply with the obligations of the Privacy Shield, it is likely that U.S. companies will have to go through the exact same process—something that will need to be considered carefully in view of the risks involved.
In yet another twist to the saga, Model Contract Clauses are now subject to legal challenge in the E.U., so their future is hanging in the balance even more so. We are therefore left in the impossible position of choosing between, on the one hand, a Privacy Shield, which may be subject to legal challenge and is likely to require significant attention to ensure compliance, and on the other, Model Contract Clauses, which are subject to legal challenge but are likely to be more familiar to companies at present. It may be that other methods of legitimizing transfers, like binding corporate rules or independent assessments of adequacy move more into the spotlight.
For those who want to be conservative, or perhaps prudent, a dual approach of Model Contract Clauses and the Privacy Shield may be the best approach. For those with less time and/or resources that are currently complying with the Model Contract Clauses, an option would be to monitor the developments with regard to both the legal challenge to the Model Contract Clauses and the impending opinion of the Article 29 Working Group on the Privacy Shield, with a view to transitioning to the Privacy Shield expediently, if it looks like that is the safer bet. On a practical note, E.U. DPAs have been relatively uniform in permitting an enforcement grace period following the Safe Harbor invalidation, so one would hope that the same would apply to any invalidation of the Model Contract Clauses.
*Heidi Liu is a Summer Associate in Fenwick's Litigation Group.