Update on data protection: EU-US Privacy Shield, General Data Protection Regulation (GDPR) and prime focus 2016 of the Dutch Data Protection Authority
EU-US Privacy Shield
On October 27, 2015, we reported that the European Union and the United States seemed close to reaching an agreement on a data transfer pact. On February 2 the European Commission revealed that the European Union and the United States had agreed upon a new framework, named the “EU-US Privacy Shield”. On February 29 the European Commission published a draft adequacy decision along with the texts of the Privacy Shield (a general outline of the Privacy Shield is given below). This new framework, consisting of the Privacy Shield Principles and written commitments by the U.S. Government, is meant to replace the invalidated Safe Harbour Principles. An adequacy decision reflects the position adopted by the European Commission regarding the level of personal data protection provided by a country outside the European Economic Area. The ‘Article 29 Working Party’, which consists of the data protection authorities of each of the 28 European Union member states, has been asked to give its opinion on the Privacy Shield Framework before a final decision is made and the Privacy Shield can be put into effect. On April 14 the Article 29 Working Party published its opinion on the EU-US Privacy Shield (a general outline of which you will also find below).
General outline
The EU-US Privacy Shield is meant to enable the adequately protected transfer of personal data for commercial purposes between the U.S. and the European Union. The Privacy Shield Framework imposes strong(er) obligations on companies, together with supervision mechanisms to ensure that companies comply with those obligations and sanctions (including exclusion) if a company does not comply. The Framework also includes written commitments by the U.S. Government that U.S. public authorities will be subject to limitations, safeguards and oversight mechanisms in order to prevent unlimited general access to personal data. Participating American companies will have a deadline of 45 days to respond to complaints by individuals regarding their data processing. The United States has agreed to establish an Ombudsman mechanism: European Union individuals may address the Ombudsperson with questions and complaints concerning potential access to their data by United States national intelligence authorities. A free-of-charge alternative dispute resolution mechanism will be in place, and as a last resort an enforceable decision can be obtained through arbitration. To monitor the execution of the framework, an annual joint review will take place, which will also address the matter of national security access mentioned above. The European Commission and the United States Department of Commerce will perform the review and will invite national intelligence specialists from the United States and European Data Protection Authorities to participate. In order for an American organization to participate, it will have to complete a registration and annual self-certification procedure. These organizations will be monitored and verified by the U.S. Department of Commerce, and an up-to-date list of all registered participants will be maintained.
In addition to the self-certification process, in which an organization certifies that it meets the necessary requirements, such organizations will be required to display an easily accessible and readable privacy policy on their websites in accordance with the Privacy Shield Principles.
Proposal has been widely criticized
The Privacy Shield proposal has been widely criticized. The liberal Dutch member of the European Parliament, Sophie in ‘t Veld, stated that the “legal status of these safeguards is very unclear, since the assurances seem to rely exclusively on political commitment, instead of legal acts. So any change in the political constellation in the US may undo the whole thing.” In addition, the well-known privacy activist Max Schrems has remarked that “a couple of letters by the outgoing Obama administration is by no means a legal basis to guarantee the fundamental rights of 500 million European users in the long run, when there is explicit US law allowing mass surveillance.”
Opinion of the Article 29 Data Protection Working Party
In summary, the Article 29 Data Protection Working Party (WP29) is of the opinion that the Privacy Shield Framework is a major improvement on the Safe Harbour Principles. It does, however, have concerns regarding some key EU data protection principles. In short, the concerns raised by the WP29 are: (a) the data retention principle is not expressly mentioned; (b) the application of the purpose limitation principle is not clear; (c) onward transfers should provide the same level of protection; (d) the redress mechanisms are complex and may therefore prove ineffective; (e) massive and indiscriminate collection of personal data from the EU is not excluded; and (f) the institution of the Ombudsperson is not sufficiently independent and will not have adequate powers to exercise its duty. The WP29 urges the European Commission to resolve these concerns in order to ensure a level of protection under the Privacy Shield Framework that is essentially equivalent to that of the EU.
What to do in the meantime?
It remains to be seen how, and within what time frame, this will all turn out. For the moment, businesses can still make use of substitute instruments (e.g. Binding Corporate Rules or Standard Contractual Clauses). Relying on the Safe Harbour, however, has – since last October – no longer been a legal option.
Judicial Redress Act – US law
The Judicial Redress Act is a new American act, in force since 1 February 2016, which enables citizens of designated foreign countries to bring civil actions against U.S. agencies that intentionally or willfully disclose records in breach of the conditions set for disclosure, without the necessary consent of the data subject. It is likely that the member states of the European Union will become designated countries under this Act, which would enable their citizens to bring civil actions against U.S. agencies.
General Data Protection Regulation (GDPR)
On 15 December 2015 the European Parliament and Council reached a political agreement on the final text of the General Data Protection Regulation (GDPR), an agreement that was formally endorsed by the Council on 8 April 2016 and by the Commission on 11 April 2016. The official signing, and subsequent publication in the Official Journal of the European Union, is expected to take place soon. Publication starts a grace period of two years, after which the GDPR will take effect in all member states of the European Union without having to be transposed into the 28 national laws.
In short, the pan-European GDPR will replace the inconsistent national laws currently in place in the 28 member states of the European Union. It is based on a risk-based approach: controllers, and in some instances processors, will have to take into account the nature, scope, context and purposes of processing and the risks involved (so-called data protection impact assessments). It imposes direct obligations on processors (for instance with regard to data security and data breach notification). It reinforces data subjects’ rights and gives them more control over their personal data: it makes it easier for them to access their data, gives them a right to be forgotten, a right to be informed in a timely manner about relevant data breaches and a right to data portability (to transmit personal data between service providers). It strengthens the principles of data processing (such as data minimization, transparency and accountability), imposes the obligation to keep records of processing activities (including data breaches), and imposes the obligation to notify the data protection authority of data breaches not later than 72 hours after having become aware of such a breach. It requires the appointment of an internal or external Data Protection Officer with expert knowledge of data protection law and practices, who assists the controller or processor with monitoring internal compliance with the GDPR. Finally, it ensures stronger enforcement of the rules: supervisory authorities will be authorized to impose fines of up to 2 – 4 % of a company’s global annual turnover. The GDPR will also apply to controllers and processors established in a third country if they offer goods or services to, or monitor the behavior of, data subjects in the European Union.
Prime focus 2016 of the Dutch Data Protection Authority
In its annual report the Dutch Data Protection Authority set out its prime focus for 2016: security of personal data (measures taken to prevent data breaches), big data and profiling (apps for kids and the privacy of children at schools), medical data (e-health applications, medical data in the cloud), personal data held by public authorities, and personal data in the employment relationship (audit mechanisms, health data).
Contact
If you would like to know more about this matter or any other privacy issue, please contact mr. I.M. Tempelman.
Read the press release of the European Commission here and here.