EU/U.S. Data Flows: New Privacy Shield List

Axel Spies

German attorney-at-law (Rechtsanwalt)

Dr. Axel Spies is a German attorney (Rechtsanwalt) in Washington, DC, and co-publisher of the German journals Multi-Media-Recht (MMR) and Zeitschrift für Datenschutz (ZD).

U.S. Data Importers Need to Understand What They Are Getting Into.

There was a resounding call for action by regulators and industry and the legal documents are now out in public. The European Commission and the U.S. government both hope that the new EU-U.S. Privacy Shield will fully address the European Court of Justice’s criticisms in the landmark “Schrems” ruling last year.  On February 29, the EU Commission released the Privacy Shield draft adequacy decision which has been put forth as the replacement for the invalidated Safe Harbor program that previously governed transfers of personal data between the European Union and the United States.  As expected, the European Commission has attempted to tighten up the information governance obligations for U.S. companies that import personal data from Europe following the European Court of Justice’s criticisms. Several letters signed by high officials of the U.S. government are attached to the release—in total 132 pages.  It is a complex set of documents.  It’s not a done deal yet, but most of the picture is now clear, and it is not pretty for U.S. data importers. Some data importers may argue that even if it isn’t perfection, at least it allows them to transfer EU data overseas. The EU Commission will vote on the “adequacy” of the EU-U.S. Privacy Shield probably in May or June, perhaps even later. The EU Parliament and the Data Protection Agencies will play an active role in the process.  We should expect further discussion and efforts to modify and tighten the requirements for U.S. data importers within the next few weeks. Here is an overview on where we stand right now:

Privacy Shield More Burdensome than Safe Harbor—So Who Will Sign Up?

Similar to the Safe Harbor, the U.S. Department of Commerce will maintain and make available to the public an authoritative list of U.S. organizations (Privacy Shield List) that have self-certified to the department and declared their commitment to adhere to the Privacy Shield Principles. The EU-U.S. Privacy Shield is premised upon the Privacy Shield Principles issued by the U.S. Department of Commerce: notice, choice, accountability of onward transfers, data security, data integrity, purpose limitation, data access, recourse, enforcement, and liability. These principles are comparable to the commitments of data importers under the Safe Harbor, but the necessary disclosures that come with them are much more detailed.

Signing up is voluntary, but compliance is compulsory. The key question is whether there are sufficient incentives for U.S. companies to join the Privacy Shield. The new Privacy Shield is not the only tool to ensure compliance with the EU data protection laws for international data transfers. For many data importers the Privacy Shield List is not even open because they are outside of the jurisdiction of the Federal Trade Commission or the U.S. Department of Transportation.

There are various additional legal risks for those companies signing on to the new Privacy Shield rules, compared to Safe Harbor, even if they eligible to enter the list. U.S. data importers must commit to employ effective mechanisms for assuring compliance with the Privacy Shield Principles. In particular, they must provide recourse for individuals who are the subjects of the data. They must also implement follow-up procedures for verifying that the attestations and assertions they have made about their privacy practices are true, and remedy problems arising from a failure to comply with the Privacy Shield Principles.  They face much more rigorous obligations, compared to the invalidated Safe Harbor, to document their privacy programs. This documentation could be subject to investigations and discovery in a legal proceeding.

If the data importers cross this hurdle and decide to sign up, the new requirements to give notice and report back to the regulators are much more prescriptive than under Safe Harbor. It is also fair to say that the level of oversight is far more extensive than under any other existing EU adequacy tool. Administering the Privacy Shield requirements within a company will be complicated and prone to errors. Under the envisaged Privacy Shield, in addition to giving notice and choice to consumers, the companies will need a detailed contract with various disclosures which fully imposes the Privacy Shield obligations on any third parties with access to the data. Companies on the new Privacy Shield List will also have to pledge to not collect more personal information than what they need for the purposes of their service.  The released documents contain very detailed obligations as to what needs to be in a notice; it is a fairly long prescriptive list. Some notification and reporting obligations survive even if the company leaves the Privacy Shield, unless the company will be able to the purge or anonymize the personal data from Europe successfully.

Moreover, a data importer must cooperate with the EU Data Protection Authorities (DPAs) by declaring in its Privacy Shield self-certification submission to the Department of Commerce that the organization adheres to the Privacy Shield Recourse, Enforcement, and Liability Principles by committing to cooperate with the DPAs, including during investigations to resolve complaints. Specifically, a data importer must agree that it “will comply with any advice given by the DPAs where the DPAs take the view that the organization needs to take specific action to comply with the Privacy Shield Principles, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Principles, and will provide the DPAs with written confirmation that such action has been taken.”  There are even tighter requirements for HR data. A data importer that self-certifies to join the Privacy Shield List to cover EU human resources data transferred in the context of the employment relationship must commit to cooperate with the DPAs with regard to such data. In some instances, there may be a shift in the burden of proof for liability if there is a potential violation of the data transfer rules against the data importer.

Overlapping Avenues of Filing Complaints

While the Department of Commerce announces in the documents that it will publicly “name and shame” U.S. companies that are not in compliance with the commitments under the Privacy Shield, the Federal Trade Commission and other U.S. agencies will likely enforce the obligations more vigorously than they did under Safe Harbor. There are several overlapping avenues by which the individuals can file a complaint. For a complaint filed with a company, there is a deadline of 45 days to address it. To resolve a dispute, a no-cost Alternative Dispute Resolution solution must be available.  If an EU data subject files a complaint with their national DPA, the DPA will then contact the FTC to ensure that unresolved complaints by EU citizens are investigated and resolved.  As a last resort, there will be an arbitration mechanism to help ensure an enforceable remedy.

Once More Back to the European Court of Justice –And Then What?

Even if there are fixes for the Privacy Shield List, the entire package of rules may wind its way back to the European Court of Justice.  There are already various complaints from Europe on the lack of reforms on the U.S. surveillance practice. Where the Privacy Shield principles are in conflict with U.S. national security or law enforcement needs, national security still trumps the Privacy Shield. Annex II Article I.5 of the Principle states: “Adherence to these Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations […].” To help substantiate that U.S. government access to data is usually targeted and to avoid a suspension by the EU of the new framework, the European Commission wants U.S. companies to release aggregate figures of government access requests and submit to oversight by EU data protection authorities.  It is doubtful that such an anonymized reporting is even feasible and legal under U.S. law to keep such access secret.

How Independent and Effective Is the New Ombudsperson?

A letter from U.S. Secretary of State John Kerry describes the role of the new Privacy Shield Ombudsperson at the U.S. State Department in the context of surveillance. It states that the ombudsperson will work closely with “other United States Government officials, including appropriate independent oversight bodies, to ensure that completed requests are processed and resolved in accordance with applicable laws and policies.” It is intended that the ombudsperson will coordinate national security access to data transmitted from the European Union to the United States pursuant to the EU-U.S. Privacy Shield, standard contractual clauses (SCCs), and binding corporate rules (BCRs).

Whether the new regime with an ombudsperson complies with the ECJ’s requirements in the Schrems decision is open to debate and may be the Achilles heel of the entire concept. The ombudsperson in the U.S. Department of State provides no individual redress. She cannot hold any U.S. surveillance practice and deals with the DPAs, not with individuals. That may not be sufficient given the clear concerns against the mass surveillance of the ECJ in the Schrems decision. The U.S. law allows it to conduct surveillance for very broad purposes. Nothing has changed with the Privacy Shield in this respect. The Privacy Shield could hence go back to the ECJ for the same reasons the Safe Harbor was invalidated and suffer the same fate.  With all these impending challenges to the Privacy Shield and different DPAs potentially being involved, it is unclear when there will be a final ruling. If the ECJ rules against the Privacy Shield, the U.S. may fight back claiming that such a ruling amounts to a discrimination of U.S. companies and U.S. practices and constitutes a WTO trade violation, given the surveillance practices of other countries.

Many small and large U.S. and European companies will have to live with these uncertainties. The new agreement, as it was released, will place more burdens on each company using the Privacy Shield, although the companies weren’t really the problem for the ECJ, but the U.S. government’s bulk data collection. Resolving the international data flow issue on a larger scale, maybe in the form of international treaties, as preferable as it is, remains a wishful thought.

Dr. Axel Spies, Morgan Lewis & Bockius, Washington, DC. Dr. Spies is the author of AGI Issue Brief 46: German/U.S. Data Transfers: Crucial for Both Economies, Difficult to Regain Trust and A Reasonable Expectation of Privacy? Data Protection in the United States and Germany.