The EU-US Privacy Shield

On 12 July 2016, 7 months after the famous Schrems judgment of the European Court of Justice, the European Commission adopted the EU-US Privacy Shield. However, the question remains whether the Privacy Shield will be considered to be in conformity with the Data Protection Directive and the General Data Protection Regulation.

Pursuant to Article 25 of the Data Protection Directive (95/46/EC), personal data may only be transferred to a third country if the third country in question ensures an adequate level of protection. This is also foreseen by Article 45 of the General Data Protection Regulation 2016/679 of 27 April 2016 (GDPR), which replaces the Data Protection Directive and will apply from 25 May 2018 in all Member States.

According to the European Court of Justice, an adequate level of protection implies that a third country must ensure a level of protection of fundamental rights and freedoms essentially equivalent to that guaranteed within the Union by the Data Protection Directive and the Charter of Fundamental Rights.

Given that the US is still not considered a country that provides adequate protection, the European Commission, together with the US, has searched for solutions to make a safe transfer of personal information between the EU and the US possible. The Safe Harbor provisions turned out to be insufficient and did not provide adequate protection. The new Privacy Shield serves as the replacement of the Safe Harbor provisions.

The Privacy Shield is based on a system of self-certification by which US organizations and companies commit to a set of principles. These Principles should protect the transfer of personal information across the Atlantic. In order to ensure that the Principles will be complied with, the US 'Department of Commerce' has made commitments to ensure that the Privacy Shield operates effectively.

The protection afforded by the Privacy Shield applies to any EU individual whose personal data have been transferred from the EU to organizations in the US that have self-certified. Several US companies, such as Google Inc., have already joined the Privacy Shield. Under the Privacy Shield, all kinds of personal information can be transferred from the EU to the US, such as client data, sensitive information, HR data, etc.

1.  The Principles

The Privacy Shield sets out various principles, which have to be respected by controllers as well as processors from the moment they have self-certified. The principles as such are not new and already existed under the Safe Harbor provisions. The difference, however, is that some of the principles have been strengthened and should give individuals stronger safeguards.

The Notice Principle entails that organizations are obliged to provide information to individuals on a number of key elements relating to the processing of their personal information. Although the Notice Principle is not new and existed under the Safe Harbor, it has been strengthened.

The Data Integrity and Purpose Limitation Principle and the Choice Principle, on the other hand, have not really been changed. These imply that personal data must be limited to what is relevant for the purpose of the processing, and that personal information may be retained only for as long as it serves the purposes for which it was initially collected. Furthermore, the Choice Principle ensures that the individual has the possibility to object or to opt out.

The Security Principle obliges organizations to take reasonable and appropriate security measures, taking into account the risks involved in the processing and the nature of the data. This obligation already existed under the Safe Harbor provisions.

Under the Access Principle, individuals have the right to obtain from an organization confirmation of whether that organization is processing personal data relating to them. Individuals must be able to delete, amend or correct personal information that is inaccurate or processed in violation of the Principles.

Furthermore, the Recourse, Enforcement and Liability Principle requires that an organization or company provide robust mechanisms to guarantee compliance with the other Principles, and recourse for EU individuals whose personal data have not been processed according to the Principles. Organizations must also take measures to verify that their privacy policies are in line with the Principles and are in fact complied with.

One of the newer principles is the Accountability for Onward Transfer. This principle provides that any onward transfer can take place for limited and specified purposes, on the basis of a contract, and only if that contract provides the same level of protection as the one guaranteed by the principles.

2.  Self-Certification and enforcement

Under the Privacy Shield, US companies will have to self-certify. The decision to self-certify is voluntary; however, once a company undertakes to self-certify, its commitment is enforceable under US law. To be allowed to continue to rely on the Privacy Shield, the company will have to recertify its participation in the framework annually.

The European Commission held that in order to guarantee a proper application of the Privacy Shield, individuals, data exporters or national Data Protection Authorities must be able to identify the companies or organizations that have self-certified. As a result, the US 'Department of Commerce' has made a website available, www.privacyshield.org, where the Privacy Shield list can be consulted.

Organizations that persistently fail to comply with the Principles will be removed from the Privacy Shield List and must return or delete the personal data received under the Privacy Shield. This will be ensured by the US 'Department of Commerce', which has undertaken a monitoring obligation.

Moreover, the US 'Department of Commerce', as well as the US 'Federal Trade Commission' or the 'Department of Transportation', will search for false claims of participation in the Privacy Shield or improper use of the Privacy Shield certification mark, and will take enforcement actions.

3.  Complaints by individuals

The Privacy Shield provides individuals with different possibilities to enforce their rights. An individual can choose to bring a complaint directly to the organization or company, to an independent dispute resolution body designated by that organization or company, to a national Data Protection Authority or to the US 'Federal Trade Commission'.

3.1 The self-certified organization must provide for effective and readily available independent recourse mechanisms by which individual complaints can be investigated and resolved. The individual can lodge a complaint with the company itself. The company or organization must put in place an effective redress mechanism to deal with such complaints. When it receives a complaint from an individual or following referral by the Data Protection Authority or the US 'Department of Commerce', the company has 45 days to provide a response. The response must contain an assessment of the merits of the complaint and information on how the problem will be rectified.

3.2 Additionally, an individual can also bring his complaint to an independent dispute resolution body, designated by a company to investigate and resolve complaints. This must be free of charge to the individuals.

3.3 Complaints can also be lodged with the Data Protection Authorities. Companies are obliged to cooperate with Data Protection Authorities. The Data Protection Authority will issue advice after both sides have had a reasonable opportunity to comment and provide evidence. As a general rule, the advice will be delivered within 60 days of receiving the complaint. The company then has 25 days to comply. If the company fails to react, the Data Protection Authority can submit the matter either to the US 'Federal Trade Commission' or to the 'Department of Commerce'.

3.4 The Privacy Shield makes arbitration available to an individual for claims that a Privacy Shield organization has violated its obligations under the Principles.

However, it should be noted that arbitration is considered a last resort, available only if none of the other mechanisms has brought relief. The arbitration will be carried out by the 'Privacy Shield Panel', which will consist of a pool of at least 20 arbitrators designated by the Department of Commerce and by the European Commission. The Privacy Shield Panel will have the authority to impose individual-specific, non-monetary equitable relief necessary to remedy non-compliance with the Principles.

4. Access to personal information by the US Public Authorities

The US government has guaranteed that its intelligence services will respect due process when collecting personal data transferred under the Privacy Shield. The European Commission has assessed the limitations and safeguards available under US law and decided that these are sufficient to ensure effective protection against unlawful interference and the risk of abuse.

In this regard, the US government has decided to create an ombudsperson to ensure that individual complaints are investigated and addressed.

5.  Conclusion

On the one hand, the Privacy Shield has strengthened the obligations that have to be respected in an EU-US transfer of personal data; on the other hand, it provides a number of redress mechanisms in case of non-compliance with the Principles.

The Principles as such are not innovative; it is the availability of a number of redress mechanisms that differentiates the Privacy Shield from the Safe Harbor provisions. However, critics of the Privacy Shield argue that these redress mechanisms are far too complex to be effective. If the Principles cannot be enforced, the Privacy Shield is of little use.

The question then remains whether the Privacy Shield will be considered to be in conformity with the Data Protection Directive (and soon enough the General Data Protection Regulation) when challenged before the European Court of Justice.

04 October 2016

Lynn Pype - lynn.pype@peeters-law.be

Earlier articles about this matter on our website:
- Does the United States provide an adequate level of protection for EU personal data?
- New "EU-US Privacy Shield" for the transfer of EU personal data to the US

Should you require more information about this matter, please contact:
- Griet Verfaillie, griet.verfaillie@peeters-law.be or
- Lynn Pype, lynn.pype@peeters-law.be
