
The Raising of a Privacy Shield

By Alisa L. Chestler and Tracy E. Weir
February 29, 2016

On Feb. 2, 2016, the U.S. Department of Commerce and European Commission unveiled a new framework for personal data transfers from European Union (EU) Member States to the U.S. The new framework, dubbed the EU-U.S. Privacy Shield, will replace the EU-U.S. Safe Harbor program, which was invalidated by the European Court of Justice (ECJ) in 2015. The Commission and Department of Commerce have agreed to terms in principle, but the particulars of the new framework remain under development by officials on both sides of the Atlantic and will require formal approval by the European Commission.

To be sure, the raising of the Privacy Shield will be no small feat, but it does hold the promise of providing legal certainty for companies engaged in transatlantic data transfers.

Background

The EU Data Protection Directive prohibits transfers of personal data from the EU to a non-EU country, unless the receiving country can assure an adequate level of protection of the data under domestic law or through international commitments. The determination of an “adequate level” is the crux of the issue. Given that data protection laws (and cultural expectations) have developed in differing ways in the EU and U.S., the Department of Commerce, in consultation with the Commission, developed the Safe Harbor as a framework for assuring adequacy. In July 2000, the Commission deemed the Safe Harbor to provide adequate protections to support the transfer of personal data of EU citizens to the U.S. Over the course of time, more than 4,000 companies self-certified to compliance with the Safe Harbor requirements.

On Oct. 6, 2015, the EU high court invalidated the Commission's adequacy decision in support of the Safe Harbor. See, Maximillian Schrems v. Data Prot. Comm'r, ECLI:EU:C:2015:650, CJEU 6 Oct. 2015, Case C-362/14. The court's decision has meant that data transfers from the EU to the U.S. are prohibited if based on the Safe Harbor. Given the widespread reliance on the Safe Harbor, the EU Data Protection Authorities (DPAs) agreed to a three-month grace period from enforcement, which ended Jan. 31, 2016, to allow policymakers time to agree on a replacement. See, “Statement of the Article 29 Working Party,” on the implementation of the judgment of the Court of Justice of the European Union of Oct. 6, 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362/14) (Oct. 16, 2015).

EU-U.S. Privacy Shield Framework

On February 2, just two days after the grace period ended, the Commission and Department of Commerce announced their agreement on the new Privacy Shield. See, Press Release, “European Comm'n, EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield” (Feb. 2, 2016); “Statement from U.S. Secretary of Commerce Penny Pritzker on EU-U.S. Privacy Shield” (Feb. 2, 2016). The agreement is based on the following key principles:

  • Strong obligations on companies' handling of Europeans' personal data. U.S. companies that transfer personal data from Europe must commit to robust obligations on how that data is processed and that privacy rights are guaranteed. There is much to be learned about what these new obligations will be; in fact, many of them have yet to be negotiated and articulated. We know, however, that onward data transfers will be subject to additional protections. The Department of Commerce stated in a press release that the Privacy Shield will require new contractual protections and oversight for data transferred by participating companies to third parties or when data is processed by those companies' agents. See, Fact Sheet, Dep't of Commerce, “EU-U.S. Privacy Shield” (Feb. 2, 2016). Additionally, companies transferring human resource data from the EU must also commit to compliance with decisions by the DPAs.
  • Strengthened enforcement and cooperation. The Department of Commerce will monitor companies utilizing the Privacy Shield and require them to publish their privacy commitments. There will be a special team, supported by significant resources within the Department of Commerce, to supervise compliance with the Privacy Shield. Failure to abide by published commitments will subject companies to enforcement by the Federal Trade Commission (FTC). The FTC brought enforcement actions against companies for substantive and technical violations of the now-defunct Safe Harbor, and it will continue in the same vein under the Privacy Shield. The Privacy Shield will also strengthen cooperation between the FTC and DPAs. FTC Commissioner Julie Brill has stated that clear mechanisms will be established to ensure that DPA complaints are triaged through the Department of Commerce and referred to the FTC when appropriate. See, Information Technology & Innovation Foundation, “What's Next After Safe Harbor Talks?” webcast (Feb. 4, 2016).
  • Clear safeguards and transparency obligations on U.S. government access. The U.S. will give the Commission written assurances that access by public authorities for national security will be subject to clear limitations, safeguards and oversight mechanisms. European Justice Commissioner Věra Jourová stated that the written assurances from the U.S. are a precondition for the Commission's unilateral decision to give adequacy to the Privacy Shield. See, Press Release, European Comm'n, “Speaking points by Justice Commissioner Jourová at the press conference on the new framework for transatlantic data flows: the EU-US Privacy Shield” (Feb. 2, 2016). Joint annual reviews by the U.S. and the Commission will be used to substantiate the assurances made by the U.S. on this score.
  • Protection of European citizens' rights and opportunities for redress. Any citizen who is concerned that his or her data have been misused will have several avenues for remediation. Companies will be obligated to meet deadlines in response to complaints by individuals. European DPAs can refer complaints to the Department of Commerce and the FTC. There will be an alternative dispute resolution process that will be free of charge to individuals seeking redress. European citizens' complaints relating to access by the U.S. government for national security reasons will be handled by an Ombudsman, who will be independent from U.S. intelligence services.

European Commission Adequacy Decision Process

The Commission is in the process of preparing an adequacy decision in support of the Privacy Shield. There is, however, much work to be completed between now and the Commission's adoption of the decision. The adequacy decision will presumably be informed by requirements and processes being developed by the U.S. as part of its commitments to the Privacy Shield.

On the EU side, final adoption of Commission adequacy decisions must pass through several levels of approval. Of particular importance to this process is receipt of a favorable opinion from the Commission's independent advisory group, the Article 29 Working Party (WP29), which is comprised of Member State DPA representatives and the European Data Protection Supervisor.

The WP29 has asked to receive the proposed adequacy decision by the end of February. See, “Statement of the Article 29 Working Party on the Consequences of the Schrems Judgment,” (Feb. 3, 2016). The group has stated that it will review the adequacy of the Privacy Shield in light of ongoing concerns relating to U.S. intelligence activities. These activities have been the cause of significant concern and consternation on the part of the European community and, therefore, have been at the forefront of the negotiations. The WP29 has expressly indicated that it will assess the Privacy Shield framework against the following four fundamental guarantees regarding intelligence surveillance:

  1. Data processing should be based on clear, precise and accessible rules.
  2. Necessity and proportionality with regard to legitimate objectives of the data access must be demonstrated.
  3. An independent oversight mechanism should exist that is both effective and impartial.
  4. Effective remedies, adjudicated by an independent body, must be available to the individual.

A favorable review by the WP29 would be significant and set the stage for Member State endorsement. Notwithstanding an approval by the WP29, or even adoption by the Commission, the European Parliament and Council could request that the Commission amend or withdraw its adequacy decision. Additionally, commentators have speculated as to the likelihood of legal challenge through the European courts regarding the adequacy of the Privacy Shield.

What To Do While We Wait

Now that agreement has been reached on the Privacy Shield, stakeholders are eagerly awaiting the details on how it will be implemented. While the particulars are being finalized, companies should consider engaging in advance work to prepare for next steps. For instance, companies should use this time to:

  • Take stock of whether they engage in transatlantic personal data transfers, whether in reliance on the Safe Harbor or not. If companies maintain servers in the U.S. and operations in the EU, there is a good chance that transfers involving personal data are occurring. For instance, this could include transfers of personal data of employees in the EU, EU consumers and EU business partners, as well as transfers of personal data through online websites.
  • Identify what internal processes and contractual terms are in place governing EU-U.S. data transfers and protections. Consider model clauses and their potential inclusion in agreements going forward. Review and map out which vendor relationships exist and whether potential changes to those agreements would cause a significant shift in strategic relationships.
  • Identify vendor or subcontractor relationships in which personal data are processed. Consider whether the company or any of these vendors engage in onward transfers of personal data and assess contractual terms (both upstream and downstream) related to those relationships.
  • Determine whether containment of all or some data within the EU is feasible for the organization.

Last, but not least, companies should stay tuned both to the details that emerge regarding the more “robust obligations” they will have to meet in order to certify compliance with the new Privacy Shield and to developments in the Commission's approval process for the adequacy decision.


Alisa L. Chestler, CIPP-US, is a shareholder and Certified Information Privacy Professional (CIPP) with Baker Donelson's Washington, DC, office, and chair of the firm's Privacy and Information Security Team. She regularly assists clients in identifying, evaluating and managing risks associated with privacy and information security practices, and has significant experience working with companies to develop comprehensive programs for these areas. She may be reached at 202-508-3475 or [email protected]. Tracy E. Weir is a shareholder with Baker Donelson in Washington, DC, where she counsels clients on data privacy and security matters that arise from federal and state laws. She has experience analyzing transactions and business relationships, developing policies and procedures, and advising clients on data breaches and notification. She may be reached at 202-508-3481 or [email protected].
