Tag Archive: safe harbor

Privacy Shield adopted by European Commission and US Department of Commerce

Earlier this month, the European Commission (EC) voted to adopt the final version of the new EU/US data protection scheme, the Privacy Shield, which provides a mechanism for the valid transfer of personal data from the EU to the US. The scheme was approved simultaneously by the US Department of Commerce (DoC). The Privacy Shield is a replacement for the previous EU/US data transfer scheme, the Safe Harbour Agreement, which was declared invalid by the European Court of Justice in Autumn 2015. Click here and here for previous Be Aware posts on Safe Harbour and here for our GENIE post on the impact on employee data.

New improved scheme?

The purpose of the Privacy Shield scheme is to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. The EC considers that the Privacy Shield arrangements satisfy the requirements identified by the ECJ when it declared the Safe Harbour scheme invalid. The DoC believes that it “provides a set of robust and enforceable protections for the personal data of EU individuals”. The scheme is intended to give EU nationals more transparency about transfers of their personal data to the US; stronger protection of their personal data; and easier and cheaper options for making a complaint, which can be made directly or with the assistance of their local Data Protection Authority.

Businesses in both the EU and US will have to understand the details of the new scheme; US corporations will have to take steps to comply, while businesses in the UK and elsewhere across the EU transferring data to the US will need to verify that the recipient in the US is compliant. To join the Privacy Shield framework, US corporations must –

  • Self-certify annually to the DoC that they meet the requirements of the scheme and agree to adhere to the Privacy Shield Principles, which cover notice, choice, access, accountability for onward transfer, security, data integrity and purpose limitation, recourse/enforcement and liability.
  • Publicly commit to comply with the framework’s requirements. This commitment will be enforceable under US law.
  • Publish a Privacy Shield Privacy Policy on their website.
  • Reply promptly to any complaints and provide an independent recourse mechanism. Further redress will also be available through data protection authorities (DPAs) and the Privacy Shield Panel.
  • Ensure accountability for data transferred to third parties.

Specific rules for HR data

For companies that transfer or receive human resources data for the purposes of employment relationships, there are certain specific Privacy Shield rules which apply. In particular:

  • Where an EU employee complains about a breach of data protection rights, their ultimate recourse will lie with the national DPA in the jurisdiction in which they work. This is because primary responsibility for their data remains with the EU employer organisation. As such, the framework makes clear that US organisations using EU human resources data must commit to cooperate and comply with requirements of the competent EU authority.
  • Organisations that are required to utilise EU DPAs in this way must pay an annual fee to cover the operating cost of the EU DPA panel. The fee is not to exceed USD 500.
  • Where an organisation’s self-certification relates to human resources data, the privacy policy covering that data must be made available to the organisation’s employees whose data will be transferred to the US, but need not be made publicly available.

Action points

The US DoC has indicated that it will begin accepting self-certifications to the Privacy Shield on 1 August 2016. Steps that organisations will need to take prior to self-certification include –

  1. Checking eligibility to participate in the Privacy Shield – organisations that are subject to the jurisdiction of the US Federal Trade Commission or the Department of Transportation may participate.
  2. Identifying and putting in place an independent recourse mechanism.
  3. Developing a Privacy Shield compliant privacy policy which must –
    • Conform to Privacy Shield Principles.
    • Specifically refer to Privacy Shield compliance.
    • Identify the organisation’s independent recourse mechanism.
    • Be made publicly available.
  4. Ensuring that the organisation has procedures in place to verify compliance with the Privacy Shield. This can be either an internal self-assessment procedure or an external assessment program.
  5. Designating a Privacy Shield contact within the organisation who will be responsible for handling questions, complaints, access requests and other issues arising under the Privacy Shield.

Sign up or wait and see?

The Privacy Shield framework has been a long time in the making but, now it is finalised, perhaps the biggest question for companies is whether or not to use it as a means of protecting their EU/US data transfers. Despite the strongly expressed views of both the EC and the DoC that the framework satisfies EU requirements, there is nonetheless some doubt about its long-term validity. Certain EU DPAs are believed to be critical of the scheme; it is not clear that its terms are sufficient to satisfy the more stringent requirements of the EU General Data Protection Regulation which will come into force in 2018; and given the continued mass surveillance by the US Government, litigation challenging the new scheme is fully expected. In view of this uncertainty, rather than immediately signing up to the Privacy Shield, some organisations may choose to adopt a wait and see approach, preferring, for example, to execute or continue to use other mechanisms available for international data transfers such as standard contractual clauses or binding corporate rules. All organisations are recommended, however, to use the implementation of the Privacy Shield as the impetus for reviewing their data protection and international transfer arrangements and verifying that they are using the method best suited to their organisation.

Permanent link to this article: https://www.dlapiperbeaware.co.uk/privacy-shield-adopted-by-european-commission-and-us-department-of-commerce/

Ground-breaking European Court Decision – US Safe Harbor declared invalid

In a ground-breaking Decision on 6 October 2015 the Court of Justice of the European Union (CJEU) declared the US Safe Harbor scheme to be invalid, as well as confirming that individuals have the right to challenge any similar schemes that may be established by the European Commission through their national data protection authorities.

This summary by Andrew Dyson and Patrick van Eecke in our Data Privacy team provides more details. More information on the implications for employment data will follow shortly.

The US Safe Harbor framework was established 15 years ago to provide a mechanism by which European businesses could validly transfer personal data from the EU to the US. The framework has been widely adopted, with over 5000 companies currently using the scheme to support the free flow of data across the Atlantic. It is commonly adopted to support data transfers needed for intra-group operations (for example to assist a US parent in managing EU based activities) and outsourced services involving a US cloud or software-as-a-service (SaaS) provider.

The Decision of the CJEU will have a significant and immediate impact for any business relying on Safe Harbor to enable these operations to date and will require a change in approach to cross-border data transfers.

Impact for businesses

We expect it will take time for the full practical implications of the decision to flow down and take effect, with national data protection authorities likely to develop their own interpretation and positions. What is clear, however, is that Safe Harbor as it stands at the moment is not valid.

  • The decision will have an immediate impact on any organization currently relying on Safe Harbor as a basis for transferring data to the US, either intra-group or through their supply chain. Subject to any guidance issued by local supervisory authorities (see below), these arrangements are now likely to be invalid. To understand the risks and plan effectively, organizations should quickly identify any arrangements they rely on that are underpinned by Safe Harbor. A strategy can then be adopted to consider alternative arrangements to authorize continuing data transfers to the US. In many cases this may involve adoption of EC approved standard contractual clauses.
  • In the medium term, we expect to see a more fragmented approach from the 28 national supervisory authorities to future decision making around transfers of data to the US. This is likely to create greater uncertainty for any multinational business operating within Europe as regulators may feel empowered by the decision to make independent assessments on adequacy for any alternative arrangements organizations may be considering instead of Safe Harbor – potentially replaying concerns noted in the court decision about the wide scope of the Patriot Act as a basis for undermining the viability of other well established transfer routes such as the EC model clauses.
  • A more fragmented regulatory approach on cross-border issues at a time when legislators are trying their best to support a more integrated global information society will be unwelcome, adding significant cost and regulatory burden to organizations who may feel exposed and vulnerable to challenges from changing political landscapes.
  • If a European national supervisory authority has the power to investigate and suspend the transfer of the personal data in question to the US, irrespective of Safe Harbor, this will create a new and substantial obstacle for any US business looking to establish a ‘data importing’ business model in the EU market. This could lead to a position where US companies will need to establish separate consent arrangements for data sharing, which may put them at a major disadvantage when building a consumer facing business model in comparison with EU based companies.
  • Although these other legal avenues exist for sharing personal data between EU companies and citizens and US companies, these solutions are often onerous and difficult to implement on a global scale. Safe Harbor functions as a kind of ‘one stop shop’, a practical solution to allow data transfers from the EU to a trusted business partner in the US – Europe risks endangering this important relationship for transatlantic economic growth.
  • Over the past two years, the EU Commission has been working and negotiating intensively with US authorities to reach a joint solution for the public concern and distrust generated by the revelations based on leaked documents from Edward Snowden back in June 2013 (which confirmed that US authorities can have access on a mass basis to personal data of individuals living in the EU). The two sides of the Atlantic are almost at the end of this extensive negotiating period but the Decision of the CJEU halts momentum to reach a safe solution and risks a swift return to square one.
  • More broadly, the Decision of the CJEU does not only have an impact on Safe Harbor but potentially opens the scope for national authorities to challenge other Decisions of the European Commission (such as, for instance, the standard contractual clauses for controller-controller or controller-processor data transfers).

For further information please email dataprivacy@dlapiper.com

Permanent link to this article: https://www.dlapiperbeaware.co.uk/ground-breaking-european-court-decision-us-safe-harbor-declared-invalid/