To Join or Not to Join: Is the EU-U.S. Privacy Shield Right for You?
By Aaron K. Tantleff
11 April 2016
Legal News: Privacy, Security & Information Management
With the Article 29 Working Party’s position on the adequacy of the EU-U.S. Privacy Shield
framework agreement (Privacy Shield) decision expected this week, U.S. businesses should be
evaluating privacy options and preparing to make significant adjustments to internal procedures. In
this newsletter, we cover key considerations for businesses weighing whether to join the Privacy
Shield, what to expect from last week’s leak, and the impact of a possible rejected decision.
Joining the Privacy Shield is completely voluntary, and it is a decision that no U.S. organization
should take lightly, especially as there are other methods of transatlantic data transfer, such as
the EU Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The Privacy
Shield introduces significant additional obligations and liability for U.S. organizations, including:
- An annual registration and self-certification process
- Agreeing to the Privacy Principles, which include:
  - Notice
  - Choice
  - Security
  - Data Integrity and Purpose Limitations
  - Access
  - Accountability for Onward Transfers
  - Recourse, Enforcement, and Liability
- Subjecting the organization to oversight by the U.S. Department of Commerce and the
  Federal Trade Commission (FTC)
- Including a declaration of the organization's commitment to comply with the Privacy Principles
  in its privacy policy, including a link to the Department of Commerce's Privacy Shield
  website for any online privacy policy
- A commitment to cooperating with the relevant Data Protection Authorities (DPAs) for any
  organization that processes EU human resources data with respect to the investigation and
  resolution of complaints
Accordingly, in addition to registering with the Privacy Shield, a U.S. organization must also publicly
commit to comply with the Privacy Shield's requirements. Once publicly committed, that
commitment becomes enforceable under U.S. law.
Unfortunately, failure to comply with the Privacy Shield requirements could result in sanctions or
exclusion from the framework. Even if an organization determines that it no longer wants to
participate in the Privacy Shield and elects to withdraw, it may remain subject to the Privacy Shield
for a long time. Any U.S. organization that was part of the Privacy Shield and elects to withdraw, yet
wishes to retain information collected while a part of the Privacy Shield, would be required to
annually re-certify to the Department of Commerce its commitment to apply the Privacy Principles
to information received under the Privacy Shield. Alternatively, the organization must provide some
other means of showing that it can apply "adequate" protection by another authorized mechanism,
which may be the SCCs or BCRs. Thus, every U.S. organization should give careful consideration
before electing to be part of the Privacy Shield.
Transatlantic Transfer of EU Personal Data
In light of the voluntary nature of the Privacy Shield, and because it has not yet been adopted, U.S.
organizations that have received personal data from the EU under the invalidated Safe Harbor
must consider and utilize alternative mechanisms in order to be compliant with the data sharing
requirements of the Data Protection Directive 95/46/EC. In short, because the Directive regulates
the export of personal data outside of the European Economic Area (EEA), it prohibits EU
organizations from transferring or exporting personal data unless such recipient organizations are
able to ensure adequate protection for the data. This may be accomplished by the Privacy Shield, if
and when it is approved, or the SCCs or BCRs noted above. Thus, a U.S. organization can
continue to receive personal data from the EU if it enters into the SCCs or adopts the BCRs.
Since the Directive is implemented through the local laws of each Member State, a local DPA has
the right and ability to launch a local enforcement action against any organization that it believes
has not implemented an acceptable alternative compliant data transfer mechanism. Should an
organization fail to have a compliant transfer mechanism, the local DPA may impose monetary
fines and sanctions, including the prohibition on the transferring of personal information.
What to Expect from the Leak
While the opinion is not scheduled to be released for a few more days, speculation across the
internet has been rampant as to which way the Article 29 Working Party's opinion will go, ranging
from clear statements that the Privacy Shield will be deemed adequate to predictions that it has not
even a remote chance of receiving the Working Party's blessing. Of course, all of this landed on the
back burner once extracts of the Article 29 opinion started to leak.
“Until these issues are addressed, the WP29 considers it is not in a position to reach
an overall conclusion on the draft adequacy decision. It stresses that some of the
clarifications and concerns — in particular relating to national security — may also
impact the viability of the other transfer tools.”
“Therefore, the WP29 is not yet in a position to confirm that the current draft adequacy
decision does, indeed, ensure a level of protection that is essentially equivalent to that
in the EU.”
If true, the content of the leak should not come as a surprise. As you will recall, the purpose of the
Privacy Shield was to make certain that there was a mechanism in place to “ensure a level of
protection [in the U.S.] that is essentially equivalent to that in the EU.” Back in February, the Article
29 group published a set of conditions to be met by the Privacy Shield in order to comply with
European privacy laws as well as to ensure protection of basic human rights. If this leak is true, it
would be a clear statement that the Article 29 group does not believe that the Privacy Shield has
satisfied each of its conditions and Article 29 can, therefore, not support the European
Commission’s adequacy decision.
Implications of a Possible Rejection
Given the magnitude of this decision, any rejection would likely not sit well with the U.S. government
or U.S. organizations, and ultimately, may have a negative impact on cross-Atlantic business and
drive up the cost of global commerce.
While true that a rejection would be a major blow for the European Commission, approval by the
Article 29 group is not required to implement the Privacy Shield framework. It is unclear whether the
Commission would implement the Privacy Shield, despite a rejection by the Article 29 group, but
there is a lot of speculation that it may be the case, given the significant pressure from the U.S.
government and organizations on both sides of the Atlantic. The continued state of uncertainty is
not conducive to business, the government, or citizens. It is worth noting that approval by the Article
29 group is just one of many hurdles still to be cleared before it can be finalized by the EU and U.S.
governments, including a resolution in the European Parliament. All of that is a prerequisite for
approval by the European Court of Justice (ECJ), Europe’s highest court, and the ECJ will most
likely seek to weigh in on its validity.
Of course, one should bear in mind that regardless of what happens with the Privacy Shield this
week, we are likely to see several rounds of changes in the next two-plus years in order to bring the
Privacy Shield into compliance with the General Data Protection Regulation (GDPR). GDPR was
signed off by the Council of the European Union on Friday, and is getting very close to becoming
law. One of the last steps is the final adoption of the text by the European Parliament, which is
expected to happen later this week. Once GDPR is finally adopted, organizations will have two
years (likely to be May of 2018) before the European Commission begins enforcing it. GDPR is
another regulation directed at governing the processing of commercial data and, among its many
obligations, will institute additional requirements on data controllers, as well as provide additional
enforcement mechanisms and powers. That includes providing for significant fines, subjecting the
processing of any EU personal data to the EU rules, regardless of where such processing takes
place or by whom, and granting new and additional rights to data subjects.
Thus, despite any changes adopted by an organization to comply with the Privacy Shield, U.S.
organizations will likely have to adjust their internal procedures and enter into new SCCs or develop
new BCRs under the GDPR. Despite all of that, any existing SCC and BCR structures may be
subject to further review under the Directive, since some DPAs have expressed their belief that
these suffer from the same flaws as Safe Harbor. But for now, U.S. organizations may continue to
receive and process EU personal data by entering into the SCCs and BCRs.
--------------------------------------------------------
Legal News is part of our ongoing commitment to providing up-to-the-minute information about
pressing concerns or industry issues affecting our clients and our colleagues. If you have any
questions about this update or would like to discuss this topic further, please contact your Foley
attorney or the following:
Aaron Tantleff
Chicago, Illinois
312.832.4367
atantleff@foley.com