Who: European Commission
Where: Europe
When: 12 July 2016
Law stated as at: 9 August 2016
What happened:
The law around transferring personal data to the United States has been in something of a state of flux this year, and may have left some businesses struggling to keep up. The advertising industry, with its heavy reliance on personal data for targeting and its large number of service providers based in the United States, is perhaps particularly exposed to the current uncertainties. However, the latest development – the introduction of the EU – US Privacy Shield framework on 12 July 2016 – is one that may be of some use to advertisers seeking a way to remain compliant.
The Privacy Shield is the replacement for the Safe Harbor Framework, developed in response to the latter’s invalidation last year by the European Court of Justice, following a legal challenge by a privacy campaigner. The campaigner argued that the walls of the Safe Harbor were, in effect, too easily breached, and did not really offer European citizens’ data any safety – a view endorsed by the court. The overall aim of the framework has not changed: the purpose of the Privacy Shield is to ensure that, when EU citizens’ data is transferred to the US, they do not completely lose control of this data or, in effect, forfeit all of the rights they have over it in the EU.
US companies signing up to the scheme with the Department of Commerce are required to self-certify annually that they meet the requirements, display a privacy policy on their website, reply promptly to any complaints and, if handling human resources data, co-operate and comply with European Data Protection Authorities. The Privacy Shield also includes assurances by US intelligence authorities affirming the absence of indiscriminate or mass surveillance.
A more in-depth consideration of the Privacy Shield may be found elsewhere on the Osborne Clarke website. Broadly speaking, US companies signed up to the scheme must comply with the framework principles in Annex II of the implementing decision:
- Notice
- Choice
- Accountability for onward transfer
- Security
- Data integrity and purpose limitation
- Access
- Recourse, enforcement and liability
Each principle contains a number of more specific requirements, which broadly mirror the data protection rights that EU citizens have in the EU.
One of the key principles of the Privacy Shield is that EU citizens should be provided with a remedy if a US company processes their personal data in a way that is incompatible with their EU rights. It is a requirement of membership of the Privacy Shield that an independent recourse mechanism is available to resolve unresolved complaints by EU citizens. A designated Ombudsperson has been set up to resolve complaints from individuals.
The systems and controls put in place by certified US companies must be verified at least once a year by self-assessment or external review.
Why this matters:
What does this mean for advertisers?
- Can I use the Privacy Shield to cover my transfers of data to the US? Potentially, yes. Advertisers transferring personal data to the US may now be able to rely on the Privacy Shield system to legitimise this in some cases. However, this depends on the recipient company being a member of the scheme, so you should be finding out from your recipients of data in the US whether they are (a) able to and (b) planning to sign up to the Privacy Shield, and the timelines for this.
- Can I still rely on Safe Harbor? No. The UK’s data protection regulator has made very clear (most lately in a blog entry dated 8 August 2016) that the previous Safe Harbor framework may no longer be relied upon, so ignoring this issue risks trouble with the regulator and the possibility of enforcement action.
- Do I have any other options? Yes, there is a limited set of other options. For example, for some third-party transfers a suitable approach may be to use the EC-approved model clauses. However, advertisers may run up against the limitations of this framework, as there are no approved model clauses designed to legitimise transfers between a data processor and a second data processor – a situation not uncommon in the industry. While the UK data protection regime does not entirely rule out the possibility of using alternative contractual means to ensure adequacy in such a situation, such solutions do not come with the “stamp of approval” from the European Commission, so are potentially higher risk. In this type of scenario, ensuring that the recipient organisation is also registered with the Privacy Shield may provide additional comfort.
- Is the Privacy Shield indestructible? No. There is always a chance that the new Privacy Shield could be challenged in the courts and ruled inadequate in a similar way to the Safe Harbor framework. Indeed, the same privacy campaigner who instigated the court challenge to Safe Harbor has already indicated that he intends to do so. The framework has also already come in for some criticism from the Article 29 Working Party and will be reviewed in a year’s time. However, this should be viewed in the context that the same privacy campaigner has already challenged the EC-approved model clauses in the courts in Ireland, and this looks likely also to end in a reference to the ECJ for consideration.
Where does this leave businesses craving certainty? While the Privacy Shield is unlikely to be indestructible, businesses may be able to take some comfort in the fact that the Privacy Shield is the newest of the available transfer methods, and one which has been specifically developed to allay judicial concerns, so may be more durable than some of the other methods. However, only time will tell whether it has successfully balanced commercial practicalities and the protection of EU citizens’ rights.