Who: European Commission, US Department of Commerce, Federal Trade Commission, Dept of Transportation, Office of the Director of National Intelligence and US Department of State
When: 29 February 2016
Where: Brussels and Washington DC
Law stated as at: 14 March 2016
What happened: Full details were released of the “EU-US Privacy Shield” (“PS”), the platform for EU-US personal data (“PD”) transfers which, it is proposed, will replace the discredited and invalidated “Safe Harbor”.
In a barrage of documentation, the US Department of Commerce published a 132-page package which included the Privacy Shield Principles, an arbitral model and letters of comfort and assurance from various US government departments.
For its part, the EC published the legal texts that will put PS in place, a paper summarising the actions taken over the last two years to restore trust in transatlantic PD flows and a lengthy “Draft Adequacy Decision” with copious annexes.
The next milestones will be as follows according to the European Commission:
Now, a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision by the College. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.
Following the adoption of the Judicial Redress Act by the U.S. Congress, signed into law by President Obama on 24 February, the Commission will shortly propose the signature of the Umbrella Agreement. The decision concluding the Agreement should be adopted by the Council after obtaining the consent of the European Parliament.
How long all this will take is unclear, but with the Article 29 Working Party due to give their above-mentioned opinion by 13 April 2016, June 2016 may be achievable.
No major changes likely for Safe Harbor-compliant US data importers
In terms of the content of the package, on past form it is probably best not to tempt fate by focusing on too much of the detail before all the moving parts have come to a standstill and the deal is finally done.
However, this author’s initial assessment is that when all is said and done, other than in the HR arena, life for US organisations that walked the talk and followed the letter of Safe Harbor does not look like being a great deal more challenging under PS.
Some things US data importers look likely to have to do:
- display privacy notices that state the types of PD collected, the purpose of the processing, data subjects’ rights of access, conditions for onward transfer and a declaration of the organisation’s participation in PS;
- certify annually that they comply with PS and put in place a procedure for verifying their commitments to PS, either through self-assessment or use of outside compliance procedures;
- only transfer imported PD on to third parties under a written agreement ensuring their processing is consistent with the data subject’s original consent and monitor their processing to ensure compliance;
- allow the data subject (“DS”) to opt out of their PD being processed for direct marketing at any time;
- reply within 45 days to any complaint made to them directly by EEA DSs, or within 90 days to any PS compliance issue raised with them via an EU national data protection authority (“DPA”) and the FTC;
- provide a fair and freely available ADR procedure for unresolved EU DS complaints and, if that fails, submit to arbitration by a “PS Panel”, but NB none of these mechanisms includes the possibility of a financial penalty;
- if the PD being transferred to the US is human resources data relating to EU citizens, commit to comply with the advice of a relevant EU DPA;
- provided they publicly commit to the PS framework within 2 months of the date that the PS comes into force, ensure that within 9 months thereafter they align their relevant commercial relationships with third parties with the PS; and
- if they are banks or insurance or other financial services companies, take advantage of this platform for compliant EEA-US PD transfers for the first time as these sectors were previously excluded from Safe Harbor.
For relevant EU and US institutions and data authorities, however, life could become much busier if they live up to the extensive oversight and enforcement commitments imposed on them throughout the PS documentation.
For example, the FTC commits to reviewing on a priority basis any referrals alleging PS breaches received from EU Member States, the US Department of Commerce, and various independent agencies.
There will also be an annual high-level joint review mechanism to ensure any slippage is addressed and the risk of “Schrems 2.0” challenges minimised.
Why this matters: It is disappointing that after all the layers of PS are peeled away, there is no clear path in the proposals by which EU data subjects can recover financial redress directly against delinquent US importers of their data. However, with the GDPR offering little in the way of obvious new gateways for compliant international PD transfers, it is gratifying that the publication of these extensive details of the PS shows clear commitment to getting “Safe Harbor 2.0” in place as soon as possible.