Privacy shield released: decision from EU data protection authorities due 13th April

02 March 2016

Ruth Boardman, Ariane Mole

On 29th February 2016, the European Commission released the text of the new Privacy Shield.

The Shield will not be operational until it has been reviewed by Member States and the Article 29 Working Party. After this the Commission can adopt an adequacy decision covering the Shield. The Commission also released a draft adequacy decision on 29th February.

The Article 29 Working Party has committed to give its opinion at its full meeting on 12 & 13 April.

The Shield will seem very familiar to organisations who participated in safe harbor: it relies on the same approach of self certification and compliance with privacy principles. The Department of Commerce will again maintain a list of participating organisations, who must be subject to FTC or Department of Transportation jurisdiction.

The Shield still contains derogations allowing use of personal data for national security purposes. The original safe harbor decision was invalidated because the Commission did not consider this. The new decision dedicates fifty recitals to reviewing this – including specific reference to PRISM and other initiatives revealed by Snowden.

The Commission decision also references statements in the Schrems decision noting that adequacy decisions are binding on all member states and on supervisory authorities and can only be invalidated by the European Court of Justice – perhaps a reminder to the Article 29 Working Party, given its current review of the impact of Schrems on standard contractual clauses and binding corporate rules.

Obligations on companies who want to hold a Shield

The following elements will all be familiar from safe harbor:

  • participating organisations must adopt and publish a privacy policy which commits the organisation to complying with the Shield principles
  • the Shield principles are structured similarly to the safe harbor principles (notice, choice, onward transfer etc) – although the requirements of some of the principles are more detailed and contain more EU-inspired text, see below on this
  • the FAQs remain, but are renamed Supplemental Principles. These still include broad journalistic exceptions and exemptions for ISPs and others which merely transmit, route, switch or cache information
  • participating organisations must be subject to the authority of the Federal Trade Commission or Department of Transportation
  • certification is annual
  • there will be a Privacy Shield list (there will also be lists of organisations who no longer participate, or who have been removed from the list due to non-compliance)
  • there is still a carve-out to the extent necessary to meet national security, public interest or law enforcement requirements, or where there are conflicting legal requirements (on a case by case basis and only to the extent that compliance is necessary to meet these overriding legitimate interests)

What is new?

  • information notices must be more detailed (including information about access rights and details of the relevant independent dispute resolution body). If an organisation anticipates that it will apply national security or other exemptions on a regular basis, this must be flagged in the privacy policy. The privacy policy must also explain that the Shield-bearer may be liable for onward transfers to agents.
  • stronger onward transfer rule:
    • recipients who can use the data for independent purposes must agree to comply with the Principles and respect the purpose limitation principle
    • where data is transferred to an agent, more detailed contract terms and enforcement of those terms is required and the disclosing party will be liable for the acts of the agent (subject to limitations)
  • transitional arrangements (for addressing onward transfer) will be available for organisations who certify in the first two months that the Shield is operational. Such organisations will have up to 9 months to meet the new onward transfer standards
  • a proportionality principle (although this still refers to information being ‘relevant’ to the purpose, rather than being ‘necessary’)
  • exiting organisations must either delete data, or commit to still apply Shield principles if they keep the data
  • stronger, quicker, no cost, dispute resolution mechanisms
  • commitments to make public any Privacy Shield related assessment reports, which are conducted pursuant to FTC or court enforcement action
  • the Department of Commerce to have a more active role (and to increase staffing accordingly) – for example:
    • active checking of self-certification documentation submitted, to make sure that privacy policies have been prepared and that these contain mandatory Privacy Shield information
    • undertake ad hoc compliance assessments on Shield bearers
    • follow up on lapsed Shield bearers, to ask them to confirm that they have deleted data
    • taking steps to identify false claims of participation in the scheme
    • increased and targeted information about the Shield, including resources for EU individuals
    • provision of a dedicated point of contact to liaise with EU data protection authorities and to handle complaints about the Shield

Restrictions on US government access

There is an assurance from the Office of the Director of National Intelligence that any access by public authorities for national security purposes will be subject to clear limitations and oversight mechanisms; there will be no generalised access to personal data (although there is reference to bulk collection of signals data for specifically listed purposes). An explanation of the legal regime governing US signals intelligence work is also provided – this emphasizes the role of Presidential Policy Directive 28, in reforming these activities.

Secretary of State, John Kerry, commits to appoint an Ombudsperson to ensure a mechanism for redress for national security related complaints. This will be Under-Secretary of State Catherine Novelli. The Ombudsperson will perform this role not just in relation to Privacy Shield transfers, but all EU data transfers. In the event that a complaint is made to the Ombudsperson, she will provide a response confirming that the complaint has been investigated and that US law has been complied with (or remedied, in the event that non-compliance has been found). No details of remedies will be provided nor will the Ombudsperson confirm or deny whether the individual has actually been the target of surveillance. The Ombudsperson will not deal directly with complainants – who are to contact their national body responsible for national security related complaints.

Complaints handling

Companies have to resolve complaints within 45 days. Alternatively, individuals can use a free alternative dispute resolution service or can ask their national data protection authority to take the case. Arbitration is also available as a last resort.

Annual review

There is to be a joint annual review of the Shield. This will take transparency reports into account, amongst other things.