Since October 2015, when the Court of Justice of the European Union invalidated the Safe Harbor Agreement, numerous US and EU companies have struggled to provide a legal basis for the transfer of personal information across the Atlantic. On July 12, representatives of the European Commission and the U.S. Department of Commerce signed the “EU-US Privacy Shield” agreement, which replaces the Safe Harbor agreement. The new EU-US Privacy Shield became effective as of August 1, 2016.
The documents that form the executed Privacy Shield agreement are an updated version of those that were published in late February 2016. The signed Shield documents clarify numerous issues that were of concern to Europeans and introduce several new requirements.
The primary changes are found in the Draft Commission Implementing Decision Regarding the Adequacy of the Protection Provided by the EU-U.S. Privacy Shield (“Decision”). The Decision clarifies that the Principles will apply solely to the processing of personal data by a U.S. organization insofar as the processing by such organization does not fall within the scope of EU legislation.
Shield-certified companies will have to require their subcontractors and service providers to delete or de-identify personal data when it is no longer needed for the identified processing or compatible purposes. They will also have to require recipients of personal data to notify them if the recipient can no longer provide the same level of protection as required by the Privacy Shield Principles (Principles).
Data Quality and Data Uses
The Decision stresses that organizations will have to ensure that personal data is reliable for its intended use, accurate, complete, and current. Special rules will apply to the use of personal data for direct marketing purposes, to allow individuals to opt-out at any time.
Regarding cross-border transfers, the Decision stresses that the obligation to provide the same level of protection must apply to all parties involved in the processing of the data, irrespective of their location, when the original recipient itself transfers that data to a third party, for example a subprocessor.
Recourse, Enforcement, and Liability
The Decision clarifies that organizations that have failed to deal appropriately with complaints will be subject to oversight and enforcement actions by the Federal Trade Commission, the Department of Transportation or another U.S. authorized statutory body. It provides a lengthy analysis and details the eight levels of redress and the escalation procedure that will be available to EU residents.
Transparency and Oversight
Part of the new measures to ensure transparency and allow for oversight will include monitoring by the U.S. Department of Commerce of whether the self-certified organizations on the Privacy Shield list are current in their obligations. If an organization is not current in its obligations, the Department of Commerce will enforce the return or deletion of the personal data that the entity received on the basis of the Privacy Shield.
Access by U.S. Public Authorities
The Decision clarifies that the EU Commission has determined that U.S. law contains a number of limitations on the access to, and use of, personal data transferred to the United States for national security purposes, and that sovereign and redress mechanisms provide sufficient safeguards for those data to be effectively protected against unlawful interference and the risk of abuse.
It also confirms that bulk collection will only be authorized exceptionally where targeted collection is not feasible, and will be accompanied by additional safeguards to minimize the amount of data collected and subsequent access (which will have to be targeted and only be allowed for specific purposes).
For a detailed analysis of the updated Shield documents, see the article co-authored by Francoise Gilbert and Marie Jose van der Heijden, “Privacy Shield 2.0 Signed, Sealed and Delivered,” published in the Bloomberg BNA Privacy and Data Security Law Report on July 11, 2016.