The EU-US Privacy Shield is one of the legal mechanisms enabling the transfer of personal data outside the European Economic Area to US companies that have self-certified to a number of privacy principles (which correspond to EU data protection requirements). The Privacy Shield replaced the Safe Harbour scheme and came into effect almost two years ago in August 2016. Since then it has faced numerous criticisms and legal challenges and is under scrutiny once again, facing possible suspension and even invalidation.
The EU and U.S. competent authorities have one year to implement the recommendations that the Article 29 Working Party (WP29, which is a gathering of all EU national data protection authorities) made in its opinion of November 28, 2017 to increase the level of personal data protection provided by the Privacy Shield framework. As they announced in this opinion, failure to do so will result in these authorities challenging the validity of the Privacy Shield adequacy decision before courts. Such a cancellation could lead to certified U.S. companies losing their certification (2,400 companies, including web giants and major cloud providers), having to freeze data flows and implementing other legal mechanisms allowing them to import personal data from the EU.
It should be noted that the EU and U.S. authorities negotiated the Privacy Shield under a perspective that was more in line with Directive 95/46 (the main data protection applicable instrument at the time of negotiation) than with the General Data Protection Regulation (GDPR). The GDPR will repeal this Directive and increase the level of protection of personal data from May 25, 2018, and the WP29 will plan to prepare businesses for it.
In its report, the WP29 focuses on guarantees of enforcement and efficiency. Continue Reading The WP29 Issues an Ultimatum to Improve the Privacy Shield
On October 18, 2017, the European Commission issued its report on the first annual review of the EU- U.S. Privacy Shield, aimed at allowing personal data transfer from the EU to the U.S. through the implementation of a data protection framework providing an adequate level of protection in the U.S. Over 2,400 companies have now been certified under the Privacy Shield framework by the U.S. Department of Commerce.
From the European Commission’s perspective, the Privacy Shield continues to ensure an adequate level of protection, including new redress possibilities for individuals, enforcement procedures, and cooperation with the European data protection authorities. However, as “[t]he Privacy Shield is not a document lying in a drawer” but “a living arrangement that both the EU and U.S. must actively monitor”, the Commission made some recommendations to improve the current framework:
“More proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce.
More awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints.
Closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs), notably to develop guidance for companies and enforcers.
Enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorization and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA).
To appoint as soon as possible a permanent Privacy Shield Ombudsperson, as well as ensuring the empty posts are filled on the Privacy and Civil Liberties Oversight Board (PCLOB).”
Is this review a sufficient guarantee for U.S. businesses to continue to rely on their Privacy Shield certification with absolute trust? That remains to be seen. Indeed, the Commission negotiated the Privacy Shield agreement to reconcile the data exchange economy with the standard that must be reached in order to comply with the requirements imposed by the EU Court of Justice (CJEU). The Commission was expected to advocate for the ongoing validity of the compromise. However, a number of authorities and data protection defenders are of the opposite opinion.
The European Data Protection Supervisor, one of the strongest official voices on data protection in the EU, already had some concerns about its validity (Opinion n° 4/2016 of May 30, 2016). So did the Working Party of Article 29, gathering all national data protection authority at the EU level (Opinion n° 1/2016 of April 13, 2016). These two authorities will soon issue their own reports on this first annual review. Furthermore, these reports could have some impact on the outcome of the two actions currently pending before the CJEU, which aim at invalidating the Privacy Shield’s adequacy decision on the following grounds:
- The possibility for U.S. agencies to legally access, on a generalized basis, the content of electronic communications;
- The absence of complete transposition of the right to access, rectify, oppose and erase, that the EU regulations grant to data subjects; and
- The absence of a fully independent U.S. data protection authority, with complete effective and binding redress power.
U.S. entities certified with the Privacy Shield should closely monitor the development of those cases since, in the end, the CJEU will have the final say. It would also be prudent for them to take advantage of the opportunity to implement additional safeguards by using other data transfer mechanisms, such as Binding Corporate Rules, Certification (when available), adherence to approved Codes of Conduct or Standard Contractual Clauses.
For more information on the future of the Privacy Shield, please refer to the following Password Protected blog posts:
On September 15, 2017, the Trump White House released a Press Release regarding the EU-U.S. Privacy Shield—reiterating that they “firmly believe that the upcoming review [of the EU-U.S. Privacy Shield] will demonstrate the strength of the American promise to protect the personal data of citizens on both sides of the Atlantic.”
The first alliance of its kind, the E.U.-U.S. Privacy Shield provides a framework for the exchange of consumer personal data between the United States and countries in the European Union. Established in 2016, one of the purposes was to enable U.S. companies to more efficiently receive data from countries in the EU while staying compliant with privacy laws that protect EU citizens. The agreement also allows companies to store EU citizens’ personal data on U.S. servers.
The “upcoming review” referenced in the White House Press Release refers to the first annual review of the Privacy Shield since its adoption, with both EU and U.S. officials stating their support for the alliance in a joint statement released September 21, 2017. According to this statement, over 2,400 organizations have jointed the Privacy Shield since the program’s inception a year ago. The U.S. and EU both declared a “share[d] . . . interest in the Framework’s success and remain committed to continued collaboration to ensure it functions as intended.”
But what good is an agreement without any bite for potential violators? The Federal Trade Commission (FTC) recently signaled that it fully intended to keep companies accountable for potential violations of the EU-U.S. Privacy Shield.
According to an FTC Press Release dated September 8, 2017, three U.S. Companies agreed to settle FTC charges that they “misled consumers about their participation” in the EU-U.S. Privacy Shield. The FTC alleged that these companies violated the FTC Act by “falsely claiming that they were certified to participate in the EU-U.S. Privacy Shield” when they had all “failed to complete the certification process for the Privacy Shield.” Acting FTC Chairman Maureen K. Ohlhausen warned companies that these “actions highlight the FTC’s commitment to aggressively enforce the Privacy Shield frameworks, which are important tools in enabling transatlantic commerce.” Notably, these enforcement actions are the first cases the FTC has brought to enforce the Privacy Shield.
Moving forward, companies should carefully assess whether they have completed the steps and certification necessary to make certain representations about participation in the EU-U.S. Privacy Shield—as both the FTC and the current White House administration fully intend on continuing to “demonstrate the strength of the American promise” to pull their weight in the alliance.
Between the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) and the adoption of the Privacy Shield, a number of data exporters have relied on the Standard Contractual Clauses (SCC) as the safest export tool to transfer personal data from the EU to the U.S. But as announced in our previous blog posts, the validity of the SCC and the Privacy Shield had to pass the EU legal test as regard to the fundamental right to data protection.
Indeed, while the Privacy Shield is facing an action for annulment brought by Digital Right Ireland to the CJEU, it is now the turn of the SCC to be examined in the context of a request filed by Maximilian Schrems against Facebook Ireland Limited to the Irish data protection authority (DPA). This last case has been submitted by the DPA to the Irish High Court, which is now assessing the opportunity to refer the question to the CJEU.
On May 24, 2016, the Irish DPA issued a draft decision summarizing its concerns about the validity of the SCC. It is worth noting that this was a turning point for the Irish DPA: the former Irish Commissioner, Billy Hawkes, defended the Safe Harbor against Maximilian Schrems and some other DPAs, whereas the new Irish Commissioner Helen Dixon basically defends the opposite, despite some improvements in U.S. laws and the SCC that occurred after the cancellation of the Safe Harbor. This might be the sign of an evolution due to the entry into force of the EU General Data Protection Regulation, the new strong and unified piece of data protection legislation that will apply from May 2018.
The main concern of the Irish DPA about the use of the SCC is the absence of an effective court’s remedy in the U.S. legislation for EU citizens to enforce their right to data protection where it might be a risk that personal data is processed by U.S. State agencies for national security purposes. Indeed, even if an EU citizen meets the criteria for a remedy against surveillance under the U.S. Foreign Intelligence Security Act, it appears on foot of the U.S. court’s decisions they cannot sue the U.S. government.
Concerning the Privacy Shield, it is too soon to know if it will survive the new U.S. political era. As observed with the dead Safe Harbor, strong voices start to express themselves opposing the industry and the EU and U.S. Privacy Shield negotiators (pro) to the EU civil society and some members of the EU Parliament and DPAs (contra).
The key issue finally lies in the ability for the U.S. legislation to grant data subjects with enforceable data protection rights that EU authorities and courts would find at least equivalent to those granted by the EU. The two above-mentioned legal cases, as well as the economic stakes of EU-U.S. data flows should put a strong pressure on U.S. government to provide additional guarantees.
For more information on the future of the Privacy Shield and SCC, please refer to the following prior Password Protected blog posts:
Throughout the past several years, data privacy and security practices have evolved into more than just defending against identity theft and protecting sensitive data. In fact, since 2014, to help raise awareness for data protection issues, the United States designated January 28th as Data Privacy Day. In recognition of this internationally observed day, over the next eight weeks, our Data Privacy and Security team will examine eight of the most significant data privacy and security trends and how they may impact your company.
Week 1: The Relentless Progression of Malware
The internet has been plagued by malware since inception. But in 2016 several new forms of malware emerged. Spear phishing is one common form that involves targeting a specific victim. Another is angler phishing, which involves a fake customer-support account that purports to “help” customers, but actually steals their information. Perhaps the most malicious technique, certainly the fastest growing, is ransomware. Ransomware holds victims’ data hostage until the hacker is paid money. Despite the growing awareness of ransomware, it remains a highly effective revenue generating tool for hackers. In fact, it is evolving into new strains, including a form in which the victims are offered the decryption key in exchange for forwarding the virus to new potential victims. “To pay or not to pay” is indeed the question, and the answer often raises as many concerns as it does solutions.
Week 2: Data Privacy Litigation: Changes in the Liability Standard
There were several significant developments in data litigation in 2016. Chief among them was the U.S. Supreme Court ruling in Spokeo, Inc. v. Robbins. Spokeo held that a procedural violation of a statutory requirement, absent concrete harm, does not establish injury-in-fact. Since then, courts have struggled to consistently interpret and apply this standard in class action data privacy cases. In 2017, we expect courts around the country will continue to grapple with this standard, particularly as theories of harm continue to evolve. In addition, changes at the Supreme Court and new input into plaintiffs’ attempts at “no-injury” classes could further impact the landscape of data privacy class action litigation.
Week 3: Financial Services Sector
Beginning in January 2016, the Securities and Exchange Commission announced that the Office of Compliance Inspections and Examinations (OCIE) would focus on security protocols implemented by financial firms to protect against cyberattack. That began a long year of financial industry focus on data privacy and security issues. More recently the New York Department of Financial Services (DFS) proposed the first cybersecurity regulations that would require financial institutions to adopt minimum cybersecurity standards. Shortly thereafter G-7 financial leaders agreed to a set of best practices in the financial industry. Other developments in the industry include:
- The Federal Financial Institution Examination Council (FFIEC) updating its Information Security Booklet;
- The Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency publishing an advance notice of proposed rulemaking to require banks with more than $50 billion in assets to take additional steps to protect against cyber-attacks; and
- The International Swaps and Derivatives Association, the European Banking Federation, and the Global Financial Markets Association publishing a set of common principles to promote global policymaking on cybersecurity and data.
And all of this is in addition to existing standards and laws, such as the Gramm-Leach-Bliley Act. As the financial industry navigates through these various guidelines and requirements in 2017, it will be interesting to see how these standards will be interpreted, whether a uniform standard evolves, and what impact these standards may have on data protection efforts in other industries.
Week 4: Big Data
The amount of consumer data that is being collected and used is greater than ever. As companies adjust privacy policies and respond to increased consumer and regulatory scrutiny, they are constantly working to protect information and respect consumer choices while still monetizing consumer data. Information governance has quickly become the best way for a business to safeguard data and limit liability. With the development of new mobile applications, artificial intelligence platforms, and cloud data processing systems, Big Data analytics will continue to provide valuable information that must be appropriately harnessed and protected.
Week 5: Mergers and Acquisitions
By the end of 2016, the seemingly endless stream of data breaches made security incidents appear normal, almost predictable. But when Yahoo released statements concerning two separate data breach incidents, affecting more than one billion users, the potential consequences for the company extended far past the norm. Yahoo’s announcement came in the midst of negotiations of a multi-billion dollar sale. In light of Yahoo’s previously unknown data privacy and security issues, the transacting parties must now determine the impact these incidents will have on the deal. The lesson here is this: before any terms are finalized, both seller and buyer should engage in thorough data privacy due diligence in order to fully understand the target’s privacy and security risk profile. This includes an analysis of the target’s information security and governance programs, as well as information relating to known security incidents and vulnerabilities, disputes and enforcement actions. Engaging in appropriate due diligence from the outset could dramatically change the structure of the deal, as well as the value of the transaction. Security and privacy issues must also be considered during the negotiation of the transaction documents themselves, particularly with respect to representations and warranties, limitations of liability, indemnification obligations and closing conditions.
Week 6: Critical Infrastructure
The systems that support telecommunications, transportation, water, electricity and other critical networks are at substantial risk of being compromised by a far-reaching cyberattack. For example, since 2015, Ukraine’s power grid has been shut down twice by hackers, leaving thousands without heat during the snowy winter. Cognizant of this impending threat, both President Obama and President Trump have examined national cybersecurity and how it impacts critical infrastructure. Likewise, roughly one week into the new year, the National Institute of Standards and Technology (NIST) released draft revisions to the “Framework for Improving Critical Infrastructure Cybersecurity” to help clarify and enhance the 2014 version. Going forward, securing critical infrastructure will depend largely on safeguarding the devices that manage those systems. These devices and the interconnected manner by which they utilize and drive digital communication are known as the internet of things (IoT). Attacks on the IoT, including medical devices, the healthcare industry, and the internet itself were front and center in 2016. The government and private sector alike must come together in 2017 to combat these imminent and pervasive threats. For example, to help incentive companies to secure devices and avoid attacks, the Federal Trade Commission recently announced a competition to award up to $25,000 to anyone who creates a solution for securing outdated IoT devices.
Week 7: Safe Harbor Out, Privacy Shield In
In the midst of the summer heat, the European Commission officially adopted the U.S. Privacy Shield as an adequate framework for data transfers between the EU and those U.S. companies who self-certify their compliance with the Privacy Shield. The Privacy Shield replaces and updates the previous Safe Harbor framework which was invalidated by the European Court in 2016. While President Trump’s recent Executive Order, Enhancing Public Safety in the Interior of the United States, may call into question the effectiveness of the Privacy Shield, the US and the EU must continue to collaborate in order to determine the best way to permit and facilitate data transfers. There are also outstanding data implications resulting from BREXIT that will likely affect the UK-EU-US data privacy relationship. While we do not yet know what the post-BREXIT UK-EU relationship will resemble, if the UK also decides to leave the European Economic Area it would no longer be an automatically “safe” destination for EU personal data and so may need to adopt its own UK Privacy Shield in order to receive personal data from the EU. Additionally, the EU’s General Data Protection Regulation (GDPR) will continue to impact business decisions in 2017. In fact, one study found that 28,000 data protection officers will be needed in order to comply with GDPR. The GDPR will not only impact EU companies, but any non-EU company processing the personal data of individuals in the EU to offer goods or services, or to monitor their behavior. In light of the significant new fines imposed on organizations who breach the GDPR, businesses are well advised to be undertaking their compliance efforts now to be ready for the May 2018 deadline.
Week 8: National Cybersecurity Concerns
This list would not be complete without a mention of the cybersecurity challenges President Trump will face during his administration. Recently, Trump announced that Rudy Giuliani will serve as a cybersecurity advisor helping to bridge the gap between the government and private sector. Tom Bossert will also serve as an adviser on national security, terrorism and cybersecurity and will be equal in status to incoming national security adviser and former Army Lt. Gen. Michael Flynn. Bossert currently works as a private consultant on homeland security matters and formally worked in the Bush administration as a deputy homeland security adviser. Bossert, who previously held a position with the Small Business Administration, said this about his new position:
We must work toward cyber doctrine that reflects the wisdom of free markets, private competition and the important but limited role of government in establishing and enforcing the rule of law, honoring the rights of personal property, the benefits of free and fair trade, and the fundamental principles of liberty.
Bossert’s mention of the private sector comes as no surprise. The Trump administration will likely seek to ensure that any protection the government offers citizens in the form of new regulations will be balanced by strong support of technological innovation, free market enterprise and national security.
After its first draft of February 29, 2016, the European Commission adopted the EU-U.S. Privacy Shield adequacy decision on July 12, 2016. The first draft was adopted after the cancellation of the Safe Harbor by the Court of Justice of the European Union (CJEU) on October 15, 2015 (Schrems case). A new adequacy decision was therefore highly welcome to allow the tens of thousands of U.S. and EU companies that rely on Safe Harbor to transfer personal data across the Atlantic. After the first draft of the adequacy decision, several EU institutions addressed numerous concerns regarding this first draft. First, on April 13, 2016, Article 29 Working Party (WP 29), released an opinion, noting the Privacy Shield offers major improvements “compared to the invalidated Safe Harbor decision” but, at the same time, urged the European Commission to resolve all concerns expressed by WP 29 in order to ensure that the protection to be offered by the Privacy Shield is “indeed essentially equivalent to that of the EU“. This opinion was followed on May 26, 2016 by a resolution of the EU parliament where it also expressed several concerns about the proposed Privacy Shield. Finally, on May 30, 2016 the European Data Protection Supervisor (EDPS) published its opinion where, although it “welcomed the efforts shown by the parties to find a solution for transfers of personal data”, EDPS added that “robust improvements” were needed “in order to achieve a solid framework, stable in the long term”.
The EU-U.S. Privacy Shield adequacy decision adopted on July 12, 2016 by the European Commission was supposed to cure all the concerns expressed after the first draft. The surprise is of course that WP 29’s press release of July 26, 2016 does not consider that the improvements brought by the EU Commission and the U.S. authorities to the proposal of Privacy Shield adequately respond to the concerns expressed. For instance, WP 29 regrets:
- The lack of specific rules on automated decisions and of a general right to object;
- That it remains unclear how the Privacy Shield Principles will apply to processors;
- The lack of concrete assurance that bulk collection of personal data will not again happen, despite the commitment of the U.S. Office of the Director of National Intelligence (ODNI);
- The lack of strict guarantees concerning the independence and the powers of the Ombudsmen in case of conflict caused by access by U.S. public authorities to personal data.
After expressing these criticisms, WP 29 proposes however to decide on the viability of the Privacy Shield after the first annual review of the framework that will take place in May 2017. In other words, WP 29 will not push for a legal challenge of the Privacy Shield before the first review. This said, even though the timing proposed by WP 29 seems practicable, in case of action by data subjects of privacy activists, the “wait and see” attitude of WP 29 will probably be difficult to maintain. Finally, the position of WP 29 seems very practical. Indeed, it is difficult to assess the adequacy of the Privacy Shield because it is mainly based on commitments taken from letters by different U.S. heads of administrative bodies and among others the ODNI. This meets one of the very general remarks expressed by the EDPS in its May 30, 2016 opinion, which called “for longer term solutions” “with more robust stable legal frameworks to boost transatlantic relations”. The nearly one year deadline given by WP 29 is probably the opportunity to reach robust stable legal frameworks not only for the Privacy Shield, but also for Standard Contractual Clauses and Binding Corporate rules when they relates to transfers of personal data to the U.S.
The EU-U.S. Privacy Shield has been formally adopted by the European Commission, enabling U.S. companies who sign up to the framework to receive personal data from the EU. The new deal replaces the previous Safe Harbor framework, which was invalidated by the Court of Justice of the European Union (CJEU) last October.
The new framework includes enhanced privacy protections, including stronger rules regarding onward transfers, data retention and redress. One key development is that the Privacy Shield will be reviewed on an annual basis allowing it to evolve and adapt to future technological and legal developments.
Time will tell as to whether companies have confidence in the Privacy Shield and decide to rely on it as a means to justify their personal data transfers to the U.S. Major technology companies are already showing their commitment with Microsoft issuing a statement welcoming the decision and announcing that they will sign up to the new framework as soon as possible. Digital Europe, a group representing the European digital technology industry have also commended the approval.
The Privacy Shield will undoubtedly face legal challenge with privacy activists already threatening to take the agreement to court. Max Schrems, the individual responsible for bringing forward the CJEU case C-362/14 that invalidated the Safe Harbor decision, has criticized the deal and said that it is “very likely to fail again, as soon as it reaches the CJEU”.
Nevertheless, the Privacy Shield is an important step and provides some legal certainty for companies that have been left in limbo since the Safe Harbor invalidation. Without Safe Harbor, businesses have relied on Model Clauses and Binding Corporate Rules, both of which have their limitations. This approval is ever more important in light of the legal challenge against the Model Clauses. In addition, a key uncertainty is how the UK will participate in the Privacy Shield in light of Brexit.
This decision means, subject to any successful challenges, U.S. internet giants and cloud businesses will be able to continue to operate in Europe and retain EU data on servers in the U.S. It also enables the thousands of small and medium-sized businesses to continue sending EU citizens’ personal data to the U.S. which is critical for everyday business. U.S. businesses will be able to self-certify their compliance with the Privacy Shield from 1st August and an annual re-certification system will be in place.
For more information on the Privacy Shield and Safe Harbor, please refer to the following prior Password Protected blog posts:
While we wait to see what the BREXIT result will mean for the UK’s data protection regime, it is important to recognize that the result will not change anything immediately. The exact nature of the post-BREXIT UK-EU relationship will influence any UK data protection reform, and it is highly likely that the UK will continue to be heavily influenced by EU laws. Indeed, the UK’s data protection authority (the ICO) has emphasized that “international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens.”
So what should you be doing now?
Prepare for the GDPR and changes to UK data protection laws
Data controllers established in the UK processing personal data in the context of that establishment are currently subject to the UK’s Data Protection Act (DPA). Once the EU’s General Data Protection Regulation (GDPR) comes into effect on May 25, 2018, the UK will still be a member of the EU and so the GDPR will automatically replace the DPA. UK companies will then need to comply with the new regime until BREXIT occurs. Following that, the GDPR will fall away but we do not yet know what form any replacement legislation will take. If the UK wants to continue trading with other EU Member States, it will likely need to adopt legislation similar to the GDPR (see further below). With this in mind, businesses should continue with their GDPR compliance preparations.
In addition, the GDPR will not only apply to businesses established in the EU, but it will also apply to businesses outside the EU that processes personal data of EU citizens, either by offering services or goods or from monitoring behavior. Therefore, following BREXIT, the GDPR will still apply to UK based businesses trading with the EU or targeting EU citizens. Such businesses therefore should continue their GDPR compliance efforts.
Consider where personal data is processed and transferred
EU data protection laws prohibit transfers of personal data to countries outside the European Economic Area (EEA), unless they have been recognized as providing “adequate protection” to personal data. Companies need to consider whether they receive data in the UK from global regions which are currently compliant based on the UK being within the EU or EEA. If the UK is not classified as “adequate” post BREXIT, UK companies receiving data from the EEA will need to re-think their data protection compliance strategy and put in place adequate safeguards, such as Model Clauses and Binding Corporate Rules.
In addition, the converse (transfers outside the UK) may also be an issue and so companies should consider whether they send personal data from the UK and what compliance measures they may need to put in place. The new EU/U.S. Privacy Shield is due to be adopted early next week. Following BREXIT, the Privacy Shield will not cover transfers from the UK to the U.S. However, the ICO could approve the Privacy Shield as an adequate means of data transfer from the UK to the U.S., or it could establish a similar framework (e.g. like the U.S.-Swiss Safe Harbor framework).
Determine where the organization’s main EU establishment will be
Some GDPR provisions are dependent on the “main establishment” of a business being in the EU. Once the UK leaves the EU, a company with UK based headquarters will no longer count as the main establishment under the GDPR following BREXIT. This will affect a company’s lead data protection supervisory authority under GDPR for the purpose of enforcement and other reasons such as approval of Binding Corporate Rules.
It is hard to predict at the moment precisely the timing and scope of legal changes to the UK’s data protection regime resulting from BREXIT. We will continue to monitor developments closely and keep you fully informed and the post-BREXIT process unfolds.
SAVE THE DATE McGuireWoods Annual European Data Protection and Security Conference September 27, 2016 London
Learn more about data protection laws in light of BREXIT. The conference is designed for in-house counsel, risk managers, security officers, regulatory and compliance officers, directors, financial officers, information officers, human resource officers and managers of corporations with cross-border operations. A full agenda is under development, but topics and speakers from last year’s event can be viewed here.
Click here to ensure you receive an invitation to our 2016 conference.
Following twenty-seven EU and U.S. non-profit organizations in their letter of March 16, the Article 29 Working Party (WP29) in its opinion n° 01/2016 of April 13 and the EU Parliament in its resolution of May 26, it is now the turn of the European Data Protection Supervisor (EDPS) to express, in its opinion n° 4/2016 of May 30, its concerns about the compliance of the draft adequacy decision on the EU-U.S. Privacy Shield (available here) with the Schrems ruling. As a refresher, this ruling, issued on October 6, 2015 by the EU Court of Justice (CJEU) (C-362/14), invalidated the Safe Harbor framework, which allowed EU companies to transfer personal data to certain self-certified U.S. companies. Since the EDPS is one of the most influential voices on the CJEU regarding data protection matters, this opinion should be carefully considered.
The EU and U.S. negotiators are caught between competing sides. For obvious reasons, industry urges the negotiators to reach an agreement before the end of summer and the U.S. elections. On the other side, the WP29 and the EDPS outline the imperative to meet the requirements resulting from the Schrems ruling by reaching an agreement ensuring “a level of protection of fundamental rights and freedoms that is [not necessarily identical but] essentially equivalent to that guaranteed within the European Union“. The outcome of this negotiation relies on whether U.S. legislation will provide the guarantees of implementation and enforcement of the commitments made under the agreement.
In its opinion, the EDPS targets the lack of precision of certain provisions and recommends strengthening certain principles:
- Purpose limitation: data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- Data retention: data must not be retained longer than is necessary for the purpose for which it is processed;
- Automated processing: every person should have the right not to be subject to a decision based solely on automated processing which significantly affects him/her;
- Onward transfers: those transfers should not enable third parties and foreign importers to circumvent the Privacy Shield framework; and
- Data subjects’ right: the provisions addressing the right to access and the right to object should be improved.
The EDPS welcomes the efforts towards increased transparency in the information provided on access to data by U.S. authorities. However, according to the EDPS, the Privacy Shield should better specify the notion of “foreign intelligence” and the purposes for which derogations “necessary to meet national security, law enforcement or any public interest requirement” are possible.
The EDPS also recommends improving the redress mechanisms by providing specific commitments that (i) the proposed Ombudsperson will be able to act independently not only from the intelligence community but from any authority, (ii) the requests for information and cooperation from this Ombudsperson will be effectively implemented by all U.S. agencies, (iii) the level of protection of U.S. and non-U.S. data subjects will be identical. The EDPS encourages exploring the possibility of involving EU representatives in the assessment of the oversight system results.
One of the major merits of this opinion is to promote general and long-term objectives that can lead negotiations toward a stable agreement. According to the EDPS:
- The final adequacy assessment should not only include regulations directly related to the U.S. commitments but all federal and state laws that could allow access for public interest purposes;
- As required by the CJEU and the WP29, in order to check whether the finding relating to the adequacy decision is still factually justified, the annual joint review of the application of the Privacy Shield should not only include meetings with public and private entities but also “on-the-spot verifications“;
- Last but not least, the new elements of the General Data Protection Regulation (GDPR), which will replace the current Directive in about two years, should be put on the negotiating table, including the privacy by design and by default principles, data portability and the criteria for future third countries adequacy decisions.
For more information on the Privacy Shield and the GDPR, please refer to the following prior Password Protected blog posts: