What is the EU-US Privacy Shield?
After two and a half years of negotiations, the European Commission and the U.S. Department of Commerce on 2 February 2016 reached an agreement on a new framework for transatlantic exchanges of personal data for commercial purposes: the EU-U.S. Privacy Shield (IP/16/216). This new framework will protect the fundamental rights of individuals where their data is transferred to the United States and ensure legal certainty for businesses. On 12 July 2016, following a positive vote from the Member States (Article 31 Committee) on 8 July, the College of Commissioners formally adopted the Privacy Shield.
The EU-U.S. Privacy Shield reflects the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid.
The new arrangement will impose stronger obligations on companies in the U.S. to protect the personal data of individuals, and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including increased cooperation with the European Data Protection Authorities. The new arrangement includes written commitments and assurances by the U.S. that any access by public authorities to personal data transferred under the new arrangement on national security grounds will be subject to clear conditions, limitations and oversight, preventing generalised access. The newly created Ombudsperson mechanism will handle and resolve complaints or enquiries raised by EU individuals in this context.
What is an adequacy decision?
An “adequacy decision” is a decision adopted by the European Commission, which establishes that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law and international commitments.
The effect of such a decision is that personal data can flow from the 28 EU Member States (and the three European Economic Area member countries: Norway, Liechtenstein and Iceland) to that third country, without any further restrictions.
The EU-U.S. Privacy Shield framework ensures an adequate level of protection for personal data transferred to the U.S. The EU-U.S. Privacy Shield consists of Privacy Principles that companies must abide by and commitments on how the arrangement will be enforced (written commitments and assurances by Secretary of State John Kerry, Commerce Secretary Penny Pritzker, the Federal Trade Commission and the Office of the Director of National Intelligence, amongst others).
What does the new EU-U.S. Privacy Shield bring?
The EU-U.S. Privacy Shield addresses both the recommendations made by the Commission in November 2013 and the requirements set out by the European Court of Justice in its ruling on 6 October 2015, which declared the old Safe Harbour framework invalid.
The new agreement will include:
Strong obligations on companies handling data
Regular reviews of participating companies by the Department of Commerce as to their compliance with the applicable data protection rules.
The new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies follow the rules they submitted themselves to. If companies do not comply in practice they face sanctions and removal from the Privacy Shield list.
Tightened conditions for onward transfers to third parties by the companies participating in the scheme. The obligation to provide the "same level of protection" was further clarified during the adoption process and now includes an obligation for the third party concerned to inform the Privacy Shield company when it is no longer able to ensure the appropriate level of data protection; the Privacy Shield company will then have to take appropriate measures.
The existing limitation of data retention has been made more explicit. Companies may keep personal data only as long as this serves the purpose the data was collected for.
Clear limitations and safeguards with respect to U.S. government access
Strong commitments in written form by the Office of the Director of National Intelligence (White House), ruling out indiscriminate mass surveillance on data transferred under the Privacy Shield arrangement.
In the course of the adoption process, the Office of the Director of National Intelligence further clarified through an additional document that bulk collection of data may only be used under specific preconditions and needs to be as focused as possible, in particular through the use of filters and the requirement to minimise the collection of non-pertinent information. It also explains which safeguards are in place for the use of such data. The new document once more rules out the use of indiscriminate mass surveillance by the U.S.
US Secretary of State John Kerry committed to establishing a redress possibility in the area of national security for EU individuals through an Ombudsperson within the Department of State, who will be independent from the national security services. The Ombudsperson will follow up complaints and enquiries by EU individuals with respect to national security access and confirm to the individual that the relevant laws have been complied with or, in case of non-compliance, that any such non-compliance has been remedied.
To regularly monitor the functioning of the arrangement there will be an annual joint review, which will also include the issue of national security access. The European Commission and the U.S. Department of Commerce will conduct the review and associate national security experts from the U.S. and European Data Protection Authorities to it. The Privacy Shield is a living mechanism, which will be reviewed continuously to check whether it functions well. In case an adequate level of data protection by the Privacy Shield is no longer guaranteed, the European Commission will take the appropriate measures, including the suspension of its adequacy decision.
Effective protection of Europeans' rights
Any citizen who considers that their data has been misused under the Privacy Shield scheme will benefit from several accessible and affordable dispute resolution mechanisms:
- Ideally, and from experience, the complaint will be resolved by the company itself.
- Privacy Shield companies can opt between free-of-charge Alternative Dispute Resolution (ADR) or voluntary submission to the oversight of the EU Data Protection Authorities.
- In any event, individuals can go to the EU Data Protection Authorities, who will channel their complaints to the Department of Commerce and/or the Federal Trade Commission (FTC) to ensure that complaints by individuals are investigated and resolved. These cases should be resolved in a reasonable timeframe: if a DPA refers a case to the US, the Department of Commerce will have a deadline to respond. As for the FTC, it has committed to give priority consideration to complaints from individuals.
- If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism available.
Redress in the area of national security for anyone whose data is transferred to the U.S. will be handled by an Ombudsperson independent from the US intelligence services. During the adoption process the functioning of the Ombudsperson was further clarified, in particular its independence and its cooperation with other independent oversight bodies with investigatory powers.
How will the Privacy Shield work concretely?
US companies will register to be on the Privacy Shield list and self-certify that they meet the high data protection standards set out by the arrangement. They will have to renew their registration every year.
The US Department of Commerce will monitor and actively verify that companies' privacy policies are in line with the relevant Privacy Shield principles and readily available to the public.
The US has committed to maintaining an updated list of current Privacy Shield members and removing those companies that have left the arrangement. The Department of Commerce will ensure that companies that are no longer members of the Privacy Shield continue to apply its principles to personal data received while they were in the Privacy Shield, for as long as they retain that data.
How can individuals obtain redress in the US if their data is misused by commercial companies?
Any individual who considers that his or her data has been misused will have several redress possibilities under the new arrangement:
- Lodge a complaint with the company itself: Companies commit to reply to complaints within 45 days. In addition, any company handling human resources data from individuals has to commit to comply with advice by the competent EU Data Protection Authority (DPA), while other companies may voluntarily make such a commitment. The Commission encourages companies to do so.
- Take their complaint to their ‘home’ DPA: The DPA will refer the complaint to the Department of Commerce, who will respond within 90 days, or the Federal Trade Commission, if the Department of Commerce is unable to resolve the matter.
- Use Alternative Dispute Resolution, a free of charge tool to which US companies may sign up as one of the redress mechanisms required for participation under the Privacy Shield. The companies will be required to include information in their published privacy policies about the independent dispute resolution body where consumers can address their complaints. They must provide a link to the website of their chosen dispute resolution provider and the Department of Commerce will verify that companies have implemented this obligation.
- If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Individuals will be able to have recourse to the Privacy Shield Panel, a dispute resolution mechanism that can take binding decisions against U.S. self-certified companies. It ensures that every single complaint is being dealt with and that the individual obtains a remedy. Several 'consumer-friendly' features (e.g. no cost, possibility to participate by video-conference, free of charge translation and interpretation) ensure that individuals are not discouraged from making use of the panel.
What changes have been made in the U.S. since the Snowden revelations?
The U.S. Government and Congress launched important surveillance reforms in response to the Snowden revelations.
In January 2014, President Obama issued Presidential Policy Directive 28 (PPD-28), which imposes important limitations on intelligence operations. It specifies that data collection by the intelligence services should, as a rule, be targeted. Additionally, PPD-28 limits the exceptional use of bulk collection of data to six national security purposes (countering threats from espionage, terrorism, weapons of mass destruction, threats to cybersecurity or the Armed Forces, or transnational criminal threats) to better protect the privacy of all persons, including non-U.S. citizens.
Since 2015, the USA Freedom Act also limits bulk collection of data and allows companies to issue transparency reports on the approximate number of government access requests.
The Commission will continuously monitor the situation and follow the upcoming reports of the Privacy and Civil Liberties Oversight Board assessing the implementation of the PPD-28, as well as the review of the Section 702 FISA Programme relating to foreign surveillance due in 2017.
What are the guarantees regarding the national security access to data transferred to the US?
For the first time, the US has given the EU written assurance, to be published in the Federal Register, that access by public authorities for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. The US explicitly assures that there is no indiscriminate or mass surveillance. To regularly monitor the functioning of the arrangement and the commitments made, there will be an annual joint review, which will also include the issue of national security access. The European Commission and the US Department of Commerce will conduct the review and invite national intelligence experts from the US and European Data Protection Authorities to it.
What will be the role of the Ombudsperson mechanism?
The possibility for redress in the area of national security for everybody whose data is transferred to the U.S. will be handled by an Ombudsperson, independent from the US intelligence services. This is a new mechanism introduced by the Privacy Shield arrangement.
The Ombudsperson mechanism will deal with complaints from individuals who fear that their personal information has been used in an unlawful way by US authorities in the area of national security. This redress mechanism will inform the complainant whether the matter has been properly investigated and that either US law has been complied with or, in case of non-compliance, this has been remedied.
How are the requirements of the ECJ ruling satisfied?
Monitoring and oversight
The new arrangement will be transparent and contain effective supervision mechanisms to ensure that companies follow the rules they submitted themselves to. The US has committed to stronger oversight by the Department of Commerce as well as stronger cooperation between European Data Protection Authorities and the Federal Trade Commission. This will transform the system from a self-regulating one into an oversight system that is more responsive as well as proactive.
Limitations for access to personal data for national security purposes
The U.S. authorities set out the safeguards, limitations and oversight mechanisms in place for any access to data by public authorities for national security purposes. The U.S. affirms that there is no indiscriminate, mass surveillance. For complaints on possible access by national intelligence authorities, a new Ombudsperson mechanism will be set up, independent from the intelligence services.
All individual complaints will be handled and resolved
There will be a number of ways to address complaints, starting with dispute resolution by the Privacy Shield company and free-of-charge alternative dispute resolution solutions. Individuals can also go to the Data Protection Authorities, who will work together with the U.S. Department of Commerce and Federal Trade Commission to ensure that complaints by individuals are investigated and resolved. If a case is not resolved by any of the other means, as a last resort there will be an arbitration mechanism. Redress in the area of national security for individuals will be handled by an Ombudsperson independent from the US intelligence services.
Regular review of adequacy decisions
The EU and the US have now agreed to establish a new mechanism to monitor the functioning of the Privacy Shield through an annual joint review.
The Commission and the Department of Commerce will carry out this review, which will serve to substantiate the commitments made. The joint review would involve, as appropriate, representatives of the US intelligence community and will provide a dynamic and ongoing process to ensure that the Privacy Shield is functioning in accordance with the principles and commitments made.