European Union (EU) countries have some of the strictest data protection laws in the world, under which the transfer of personal data by companies based in EU member states to the United States is generally prohibited. For the past 15 years, US organizations that complied with the principles laid down by the Safe Harbor agreement between the European Union and the US Department of Commerce were deemed to provide adequate protection for data transferred from European Union countries.
But in October 2015, the European Court of Justice ruled that this agreement could no longer be relied upon as providing protection for personal data being transferred to the US.
Following this ruling, the European Commission and the US Department of Commerce have agreed on a new framework agreement called the EU-US Privacy Shield, published on Feb. 29, 2016.
The Schrems Case
The case that led to this change was brought by Austrian law student Max Schrems — inspired by the revelations of Edward Snowden about the extent of government surveillance of personal data in the US and elsewhere — to complain about the way his personal data was being processed by Dublin-based Facebook. Some or all of the data provided by Schrems to Facebook was transferred from Facebook’s Irish subsidiary to servers located in the United States, where it was processed. The court ruled that the Safe Harbor agreement was inadequate as it did not prohibit the US government authorities from inspecting the data, and therefore ordered the Irish Data Protection Commissioner to investigate the complaint.
The CJEU ruling has significant implications for EU-US trade, with approximately 4,500 businesses having certified as complying with the Safe Harbor principles. In the UK, they could face fines of up to £500,000 if the Data Protection Commissioner takes enforcement action for continuing to transfer data on the basis of Safe Harbor. Organizations that use cloud-based services may be unwittingly transferring data to the US if data is stored on servers located there.
EU-US Privacy Shield
The new agreement requires US organizations to register and self-certify annually that they comply with the Privacy Principles issued by the US Department of Commerce (DoC). Compliance will be enforceable under the US Federal Trade Commission Act.
The DoC will monitor and actively verify compliance by those organizations, and will maintain a current register of those that have signed up as well as those that leave. Organizations that cease to sign up to the Framework must continue to observe the Privacy Principles for as long as they retain the data.
Organizations that register must:
- Make a public declaration of their commitment to comply with the Privacy Principles and implement them fully;
- Publicly disclose their privacy policies, which must be in line with the Privacy Principles; and
- Be subject to the investigatory and enforcement powers of the Federal Trade Commission, Department of Transportation or other statutory body with responsibility for compliance.
The important difference between the Safe Harbor agreement and the Privacy Shield framework is that the latter is backed by promises from the US authorities of more rigorous supervision and enforcement. The US government has also agreed that EU personal data will not be subject to mass or indiscriminate surveillance and will only be accessed for the purposes of law enforcement, national security or other public interest, and that such access will be subject to clear limitations and safeguards.
The seven Framework Privacy Principles with which organizations must comply are:
- Notice – A US organization must notify individuals about the data it processes, and how to complain;
- Choice – US organizations must offer EU citizens the right to opt out for disclosures to a third party, or the use of data for a purpose materially different to that for which it was collected. If the data is sensitive personal data, individuals must give express consent to such processing;
- Security – US organizations must take reasonable and appropriate measures to protect EU citizens’ personal data from loss, misuse, unauthorized access or disclosure, alteration and destruction;
- Data Integrity and Purpose Limitation – Personal data must be accurate, complete, up-to-date and limited to information that is relevant for the purposes for which it is being processed;
- Access – Individuals must have access to the personal data held about them and be able to correct, amend or delete incorrect information or data that is processed in violation of the Privacy Principles;
- Accountability for Onward Transfer – Where a US organization intends to transfer EU citizens’ personal data to a third party they must enter into a written contract with the third party to require them to comply with the Privacy Principles;
- Recourse, Enforcement and Liability – US organizations must have robust mechanisms in place for ensuring compliance with the Privacy Principles and offer EU data subjects recourse to independent mechanisms to resolve complaints, including the award of damages where available. EU citizens may complain, free of charge, directly to the US organization within 45 days or complain to the data protection authority in their own country who will work with the DoC and FTC. As a last resort the individual may invoke binding arbitration by the Privacy Shield Panel.
What Should Organizations Do?
Registration with the Privacy Shield is voluntary, so US organizations need to consider whether their business practices involve the transfer of personal data between the EU and US, and whether their current policies comply with the Privacy Principles to the extent required to provide adequate protection to EU citizens.
EU companies that have been transferring data on the basis of Safe Harbor arrangements have two alternative ways of protecting that data: standard data protection clauses in contracts between companies, the so-called Model Contract Clauses; or Binding Corporate Rules for transfers within a multinational corporate group.
Binding Corporate Rules take time to implement, as they require authorization from the relevant Data Protection Authority, and the process can take two to four years. Model contract clauses are easier to implement but may require many contracts to be drafted or amended where the data is transferred between several different entities. Alternatively, data can still be sent out of the EU with the free and informed consent of the individual.