EU-US Privacy Shield for Transatlantic Data Flow Adopted

July 15, 2016


On July 12, 2016, the European Commission (the “Commission”) adopted a new framework for commercial data exchange between the United States and the European Union, known as the EU-US Privacy Shield (the “Privacy Shield”), which became effective immediately. The Privacy Shield provides a substitute for the EU-US Safe Harbor regime that had been previously invalidated by the Court of Justice of the European Union (the Court) on October 6, 2015. The Privacy Shield allows transfers of personal data from a controller or processor located in the European Economic Area (EEA) to US organizations that have self-certified to the US Department of Commerce (DoC) their adherence to the required Privacy Principles and have committed to comply with them. Unlike in the US, in the EU protected “personal information” is very broad and can include all data about an identified or identifiable individual. The Privacy Shield provides the framework for transfer of even basic personal information of EU customers, employees, and others. In this alert, we outline the Privacy Shield’s framework and summarize the major obligations and protections it provides.

Background

European privacy laws are in many respects broader and stricter than privacy laws in the US and many other countries. Recognizing that the EU has taken steps to protect EU individuals’ personal data when handled by companies that have cross-border operations, the Data Protection Directive 95/46/EC requires special precautions when personal data is transferred to countries outside the EEA that do not provide EU-standard data protection. In particular, this Directive only allows data transfers to third countries that ensure an adequate level of protection by reason of their domestic law or the international commitments they have entered into (Article 25). Because US laws do not always meet the EU standard, an alternative process is needed to satisfy the Directive.

Historically, in order to facilitate data flows from the EEA to the US, the Commission recognized the adequacy of the Safe Harbor framework on July 20, 2000. US organizations that had signed on to the Safe Harbor Privacy Principles could freely import personal data from the EEA, despite the absence of a data-protection law in the US. However, by a judgment on October 6, 2015 (C 362/14), the Court declared the Safe Harbor invalid. The Court reaffirmed the importance of the fundamental right to protection of personal data and considered that the Commission had not determined, in recognizing the Safe Harbor, that the US in practice guaranteed and ensured an adequate level of protection.

Following the judgment, the Commission committed to restoring an adequate means of permitting transatlantic data flows by setting up a renewed framework. On February 2, 2016, the Commission reached a political agreement with the US government and published the draft adequacy decision on February 29, 2016. The Commission formally adopted the Privacy Shield on July 12, 2016.

Companies doing business in both the EU and the US need to understand the impact of the Privacy Shield on their day-to-day operations, as well as the interactions it entails with government agencies on both sides of the Atlantic. Companies seeking to transfer personal information from the EU to the US under the Privacy Shield framework will need to self-certify with the DoC and also publish a privacy policy that embodies the Privacy Shield privacy principles. Companies also have the option of handling their data through Binding Corporate Rules (that require approval of EU data-protection authorities), adopting Standard Contractual Clauses that already are EU-approved, or, in some cases, obtaining unambiguous consent to the transfer.

We summarize the key principles of the Privacy Shield below.

The Privacy Shield – Four Key Principles

     1.  Strong obligations for US organizations handling data, and robust enforcement

The new framework provides greater transparency and requires the establishment of a Privacy Shield List of the US organizations that have registered and self-certified, on an annual basis, their compliance with the Privacy Principles issued by the DoC. US organizations that register with the DoC must make their privacy policies public.

The Privacy Shield also contains several supervision mechanisms. First, the DoC committed to conduct regular reviews of the US organizations that have registered in order to verify their compliance with the Privacy Principles. These reviews could lead to sanction or removal from the Privacy Shield List by the DoC in case of non-compliance. Secondly, the DoC will maintain an updated list of current members and will ensure that US organizations that are no longer registered on the list nonetheless continue to apply the Privacy Principles to EU personal data received when they were registered for as long as they continue to retain such data.

As part of their self-certification, US organizations have to comply with the following seven principles:

  • Notice Principle – US organizations are obliged to provide information to EU data subjects on multiple key elements relating to the processing of their personal data.
  • Data Integrity and Purpose Limitation Principle – Collection and use of personal data must be limited to, and compatible with, the original purpose for which such data was collected, unless the organization has obtained specific and explicit permission from the customer to use their information for other purposes. Personal data must also be accurate, complete, and current.
  • Choice Principle – US organizations must offer EU data subjects the ability to “opt-out” when their data is to be either disclosed to a third party and/or used for a purpose that is materially different from the purpose for which it was originally collected.
  • Security Principle – US organizations creating, maintaining, using, or disseminating personal data must take “reasonable and appropriate” security measures, taking into account the risks involved in the processing and the nature of the data.
  • Access Principle – EU data subjects have the right (i) to obtain confirmation from a US organization as to whether it is processing their personal data, (ii) to have their data communicated within a reasonable time, and (iii) to correct, amend, or delete personal information when it is inaccurate or has been processed in violation of the Privacy Principles.
  • Recourse, Enforcement and Liability Principle – US organizations must put in place robust mechanisms to ensure compliance with the Privacy Principles and redress mechanisms to investigate and resolve individuals’ complaints of non-compliance.
  • Accountability for Onward Transfer Principle – Any transfer of personal data to third parties may only take place (i) for limited and specified purposes, (ii) on the basis of a contract, and (iii) only if that contract provides the same level of protection as the one guaranteed by the Privacy Principles.

     2.  Clear safeguards and transparency obligations on US government access

The US government has given the EU written assurance from the Office of the Director of National Intelligence that any access to personal data by public authorities for national security purposes will be subject to clear limitations, safeguards, and oversight mechanisms. As part of the assurance, the US also affirms that there is no indiscriminate or mass surveillance of personal data transferred to the US. In addition, the US Secretary of State has established an Ombudsperson mechanism to receive and resolve complaints from European individuals in the area of national security inquiries.

     3.  Effective protection of EU data subjects’ rights

In order to reinforce the enforceability of the Privacy Shield’s obligations, many redress mechanisms are made available to EU data subjects who believe that their data has been misused. These include the right of a data subject to:

(i) Lodge a complaint with the US self-certified organization;

(ii) Lodge a complaint directly to an independent dispute body resolution designated by the US organization (i.e., alternative dispute resolution);

(iii) Lodge a complaint to a national Data Protection Authority (DPA), which could be channeled to the DoC and to the Federal Trade Commission (FTC);

(iv) As a last resort, invoke binding arbitration by the “Privacy Shield Panel,” which is made up of at least 20 arbitrators designated by the DoC and the Commission with experience in US privacy- and EU data-protection law.

Additional avenues for judicial redress may be available under the laws of the US, which provide for legal remedies under tort law and in cases of fraudulent misrepresentation, unfair or deceptive acts or practices, or breach of contract.

     4.  Periodic review of adequacy finding

The Commission will check periodically on whether the findings relating to the adequacy of the level of protection ensured by the US under the Privacy Shield are still factually and legally justified. In doing so, the Commission and the DoC – in association with US national intelligence experts and European DPAs – will oversee an annual review of the Privacy Shield to monitor its functioning and to substantiate the commitments and assurances made by the US. The Commission will issue a public report to the European Parliament and the Council based on the annual joint review and other relevant sources of information. Furthermore, the Commission will hold an annual privacy summit with NGOs and stakeholders on developments in the area of US privacy law and its impact on Europeans.

Key differences between the old Safe Harbor and the Privacy Shield

The primary differences between Safe Harbor and the Privacy Shield are the greater transparency about transfer of personal data of EU data subjects to the US and the stronger protection of personal data. Most importantly, the Privacy Shield provides for (i) the regular review of adequacy findings and the effective supervision mechanisms, (ii) the limitation of access to personal data for national security purposes, and (iii) the effective redress mechanisms to handle and resolve individuals’ complaints. The redress mechanisms are likely to have the greatest impact on companies seeking to comply and self-certify under the Privacy Shield.

Next steps

US companies will be able to self-certify with the DoC from August 1, 2016, after having had the opportunity to review the framework and update their compliance. The DoC published a guide to self-certification to assist companies as they review the framework and prepare to self-certify. Such guide can be found here. Once self-certified, the US organizations will have to comply with the Privacy Shield Principles immediately.

One exception relates to onward transfers of data where a US company self-certifying to the Privacy Shield already has pre-existing commercial relationships with third parties. In that case, US organizations that self-certify in the first two months (i.e., until September 13, 2016) will be given a transitional period of nine months to address their relationships with third parties and to ensure that the third parties’ use of personal data is also consistent with the Privacy Shield.

The Privacy Shield already is controversial in some quarters and is likely to be challenged in courts in the future by activists or data-protection authorities, as was the Safe Harbor. However, the Commission now has a stronger defense with which to face those potential challenges given the number of improvements to the protection of personal data. For now, US companies that wish to import to the US the personal data of EU data subjects should examine their operations either to comply with the details of the Privacy Shield requirements or to ensure an alternative means of compliance through BCRs, model contracts, or (in some cases) unambiguous expressed consent.

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Ron Cheng, an O'Melveny partner licensed to practice law in California, Randy Edwards, an O’Melveny partner licensed to practice law in California, Danielle Gray, an O’Melveny partner licensed to practice law in New York, Chrians Riis-Madsen, an O’Melveny partner licensed to practice law in Denmark and Brussels-Capital Region, Stéphane Frank, an O’Melveny counsel licensed to practice law in Paris and Brussels-Capital Region, Ashley Pavel, an O’Melveny counsel licensed to practice law in California, Charlotte Jacquot, an O’Melveny associate licensed to practice law in Paris and Brussels-Capital Region, and Mallory Jensen, an O’Melveny associate licensed to practice law in California and New York contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.



Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York's Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, Phone:+1-212-326-2000. © 2016 O'Melveny & Myers LLP. All Rights Reserved.