The 1995 European directive on personal data protection allows companies to transfer personal data between Member States without restrictions. (1) However, personal data transfers outside of the European Union are prohibited, except to a limited number of countries providing an adequate level of protection (such as EEA Member States and countries ensuring an adequate level of protection subject to a decision from the European Commission). The Safe Harbor principles provided the legal framework for data transfers to the US.
In its ruling dated 6 October 2015, the Court of Justice of the European Union (CJEU) decided to cancel the Safe Harbor privacy principles. (2) Since July 2000, European companies working with US companies adhering to Safe Harbor could transfer personal data legally to the United States. Such data transfers occur between companies belonging to a multinational group located on both sides of the Atlantic, or between a European client company and a service company located in the US (e.g. a US hosting company, a cloud service company or a company providing any type of data management services). With the cancellation of Safe Harbor, personal data can no longer be transferred legally from the EU to the US under these privacy principles.
The European Commission and the United States have been negotiating to set up a new privacy framework to better protect the personal data of European citizens transferred to the United States. The goal of the Commission was to reach an agreement on a “2.0 Safe Harbor” before the end of January 2016. (3) An agreement was reached at the beginning of February 2016 and on 29 February, the text of the EU-US Privacy Shield was released.
We describe below the main principles applicable to the new Privacy Shield framework and recall the other legal “tools” available for European companies which have to transfer personal data to the United States.
1. The main principles of the EU-US Privacy Shield framework
The text of the new EU-US Privacy Shield framework regarding personal data transfers between the European Member States and the United States was published on 29 February 2016. (4)
The purpose of the Privacy Shield framework is to provide protection principles for the personal data of the European citizens transferred to the United States, equivalent to the principles applicable within the European Union. More specifically, with the Privacy Shield, the authorities wanted to fix the issues identified with the Safe Harbor principles and put an end to the mass surveillance practice developed by the US National Security Authority (NSA), disclosed by Edward Snowden in 2013.
The Privacy Shield principles include the following rights, which are similar to the rights derived from the EU privacy regulation:
- a) notice to the data subject regarding the data processed by the organization, details about the data processed and how to contact the company with enquiries and complaints;
- b) choice to opt out if the data is to be disclosed to a third party or used for a purpose which is different from the original purpose when the data was collected. Processing of sensitive data is subject to opt-in consent from the data subject;
- c) accountability for onward transfers to a third party;
- d) security of the data processing against loss, misuse, unauthorized access, disclosure, alteration and destruction;
- e) data integrity and purpose limitation. As in the EU, personal data collected must be limited to data relevant for the purpose of the processing being carried out;
- f) access by the data subjects to their personal data to ensure that they can correct, amend or delete their data;
- g) recourse, enforcement and liability mechanisms for individuals affected by non-compliance with the Privacy Shield.
The main provisions of the Privacy Shield framework, which differ from the Safe Harbor principles, can be summarized as follows:
- Companies will adhere to the Privacy Shield through self-certification. These organizations will be subject to strict compliance obligations. The US Department of Commerce will monitor and verify compliance by the companies which have registered. Companies adhering to the Privacy Shield principles must publicly declare their commitment to comply with the Privacy Shield, disclose their privacy policies (which must be in line with the Privacy Shield principles), and implement the Privacy Shield.
- Access to personal data by the US authorities will be regulated and only allowed for specific purposes, including law enforcement and national security. General access to data is prohibited.
- Several legal redress mechanisms are included in the new arrangement. Such legal recourse rights will be available to European as well as US citizens. One of the issues raised with Safe Harbor was that European citizens had no legal recourse in the US if a US company using their data and adhering to Safe Harbor did not comply with its legal obligations. From now on, European citizens will be able to choose among several legal recourse mechanisms in case of personal data misuse:
(i) Mediation: a mediation service through an Ombudsperson mechanism, independent from the US security services, will be set up within the US Department of State;
(ii) Complaints to the US data processor: individuals will be able to send a claim to the US companies adhering to the Privacy Shield for problems regarding their personal data. Companies will have to respond to such claims within 45 days;
(iii) Claims to the national supervisory authority: individuals will be able to send a claim to their national supervisory authority (such as the ICO in the UK or CNIL in France). Each national data supervisory authority will communicate with the Department of Commerce and the Federal Trade Commission (FTC) so that the claims are actually processed and settled;
(iv) Alternative dispute resolution: an out-of-court settlement mechanism will be available, free of charge;
(v) Arbitration: an arbitration mechanism will be available as a last resort by a Privacy Shield panel.
US companies may also choose to comply with the advice and guidelines issued by the national supervisory authorities. Companies processing human resources data will however have to comply with such guidelines.
The Department of Commerce will maintain an updated list of current companies adhering to the Privacy Shield and a list of companies which have left the Privacy Shield arrangement.
- Finally, the Privacy Shield framework includes an annual joint review mechanism between the European Commission and the US Department of Commerce, and national surveillance experts working with the US and European data protection authorities. The purpose of this annual reassessment exercise will be to check the effectiveness of the Privacy Shield and the actual compliance regarding access to personal data for law and order and national security purposes.
The main differences between Safe Harbor and the new Privacy Shield principles are the rights of recourse by the European citizens who feel that their personal data has been misused, a strong commitment by the US authorities regarding supervision and enforcement, and a joint annual review process between the EU and US authorities.
However, this new privacy framework is not yet in effect. The European Commission must issue its adequacy decision on the new EU-U.S. Privacy Shield, pursuant to article 31 of the 1995 directive on the protection of personal data. The adequacy decision means that the safeguards provided when personal data are transferred under the Privacy Shield are equivalent to data protection standards in the EU. Indeed, absent such an adequacy decision, European companies cannot yet transfer personal data to US companies unless an alternative contract is in place. The legal adequacy assessment of the EU-US Privacy Shield will be conducted by the article 29 working party (art. 29 WP - representatives of the national data protection authorities of the Member States).
Meanwhile, European companies that must transfer personal data to the United States may still use the other existing legal tools available for transborder data transfers.
2. The other legal “tools” available to transfer personal data to the US
Until the Privacy Shield adequacy decision of the European Commission is released, European companies which must transfer data to the United States must implement alternative legal tools. (5)
As experienced with the October 2015 CJEU ruling cancelling Safe Harbor, and with the new annual joint review mechanism of the Privacy Shield, companies adhering to such privacy frameworks are no longer assured of a stable long-term privacy protection environment for their transborder data transfers. The existing legal options are strong and stable alternatives to the Privacy Shield.
Three options are available: the EU Standard contractual clauses (SCC), private ad hoc contracts, and Binding corporate rules (BCRs).
The EU Standard contractual clauses (SCC) are relatively easy to implement, subject to identifying the types of Standard clauses that are relevant to the data processing and having them executed “as is” by each party. Should any of the clauses be amended by the parties, the document will have to be approved by a national data protection authority.
The ad hoc contractual option is a contract drafted by the parties and adapted to the data processing under consideration. This may be the best option. An ad hoc contract is indeed more flexible and adapted than the Standard contractual clauses. It is however necessary to take into account the cost, process and delays to receive an authorization from a national data protection authority. This contractual option may be used between two commercial entities or between affiliates (in lieu of BCRs).
Lastly, the Binding Corporate Rules (BCRs) option can only be used within a multinational group of companies. BCRs are not an alternative to govern the relationship with third party commercial partners or service providers. BCRs also usually require several months to be drafted and approved by a national authority prior to being rolled out within the group of affiliated companies. However, once the BCRs are approved and rolled out, this system is then a stable option.
As a reminder, penalties for illegal cross-border data transfers can reach up to €300,000 and 5 years in prison. This includes data transferred to the United States under the Safe Harbor principles, which are no longer valid.
* * * * * * * * * * * *
(1) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
(2) CJEU, Gd Chamb., 6 October 2015, Maximillian Schrems / Data Protection Commissioner
(3) European Commission - Press release dated 6 November 2015 “Commission issues guidance on transatlantic data transfers and urges the swift establishment of a new framework following the ruling in the Schrems case”; see also our article “Personal data transfers from the EU to the US after the cancellation of Safe Harbor by the CJEU”, published on this blog in December 2015
(4) European Commission - Press release dated 29 February 2016 “Restoring trust in transatlantic data flows through strong safeguards: European Commission presents the EU-U.S. Privacy Shield”
(5) The decision concluding the Umbrella agreement including the Privacy Shield should be adopted by the European Council after obtaining the consent of the European Parliament.
Bénédicte DELEPORTE
Avocat
Deleporte Wentz Avocat
www.dwavocat.com
March 2016