EU-US Privacy Shield: what we know

by Mark Rowe

Since the Court of Justice of the European Union invalidated the Safe Harbor Agreement in October 2015 in the Schrems case, the 4,400 businesses, law firms and technology providers that had relied on Safe Harbor have been eagerly, and perhaps anxiously, waiting for a replacement framework, writes Lauren Grest, Legal Researcher at Kroll Ontrack.

In February 2016, the European Commission unveiled Safe Harbor's successor: the EU-US Privacy Shield, which is awaiting final approval. What do we know so far, what is the agreement trying to achieve, and what can companies that need to transfer data do until the Privacy Shield is finalised?

Privacy is a great concern to EU citizens, as research undertaken by the European Commission as part of its wider programme of privacy reforms indicates. With this in mind, and given the gaps in protection exposed by the Schrems case, the EU-US Privacy Shield aims to offer greater protection for EU citizens whose personal data is transferred across the Atlantic. However, the agreement also aims to facilitate digital trade with the US and to minimise the red tape involved for businesses. Finalising an agreement with these often conflicting aims is challenging, but following extensive talks between the US Department of Commerce and the European Commission it was possible to outline a draft agreement.

What does the EU-US Privacy Shield say?

The draft agreement states that there will be:
• Strong obligations on companies and robust enforcement, including:
o Greater transparency
o Effective supervision methods such as sanctions and exclusion from the scheme
o Tightened conditions for onward transfers to other partners
• Clear safeguards and transparency obligations on US government access:
o The US government has given the EU written assurance that access to personal data for national security purposes will be subject to clear limitations; these written commitments will be published in the US Federal Register
o The creation of an Ombudsperson within the Department of State, independent of the national security services, whose task will be to respond to complaints and enquiries from EU citizens and data protection authorities
• Effective protection of EU citizens' rights, with several redress possibilities
• An annual joint review mechanism:
o Every year the European Commission and the US Department of Commerce will monitor how well the Privacy Shield is functioning in the commercial and law enforcement spheres
o The Commission will hold an annual privacy summit for interested NGOs and stakeholders to discuss broader EU-US privacy law
o The Commission will issue a public report based on this annual review.

How will the Privacy Shield work?

American companies wishing to use the Privacy Shield will first have to register and self-certify that they meet the requirements set out. Once complete, the companies are eligible to use the Privacy Shield for a year, after which they will have to renew their registration. The US Department of Commerce has been given the task of ensuring companies comply with the agreement. As part of this commitment, the USA has agreed to:
• Maintain a list of current members
• Remove members that no longer meet the requirements
• Ensure that current members are working within the agreed parameters

What if a US company misuses an EU citizen's data?
The Privacy Shield includes several options for redress, with escalating levels of regulator involvement:
• Lodge a complaint with the company:
o Companies commit to replying to complaints within 45 days
• Contact the local data protection authority:
o If the company does not respond, or the response is not satisfactory, citizens can refer the matter to their local data protection authority (for the UK, the Information Commissioner's Office (ICO))
o The authority will then contact the Department of Commerce, which has 90 days to respond. Should the Department of Commerce be unable to resolve the matter, the complaint is forwarded to the Federal Trade Commission
• Use the Alternative Dispute Resolution tool:
o To become a member of the Privacy Shield, companies must sign up to this free-of-charge tool, submit their privacy policies and provide a link to the website of their chosen dispute resolution provider. Individuals can use this tool to raise their complaints
• Refer the case to the Privacy Shield Panel:
o If a resolution is not achieved via the above options, the Privacy Shield includes an arbitration procedure whereby individuals can take their complaint to the Privacy Shield Panel. The panel has the power to take binding decisions against self-certified companies, ensuring as a last resort that every complaint is adequately dealt with.

When will the Privacy Shield be in force?

The EU-US Privacy Shield agreement is awaiting the opinion of the independent Article 29 Working Party, which comprises:

o A representative of the supervisory authority (or authorities) designated by each EU country
o A representative of the authority (or authorities) established for the EU institutions and bodies
o A representative of the European Commission.

The Article 29 Working Party will give its opinion before the Commission takes a final decision. In the meantime, the US will prepare to implement the necessary monitoring procedures and the new Ombudsperson mechanism. As yet there is no indication of when this decision might be made, and the draft agreement has met with criticism from privacy commentators such as Jan Albrecht, the German MEP who was prominently involved in the new General Data Protection Regulation, and NSA whistle-blower Edward Snowden. With this in mind, and the general feeling that the Article 29 Working Party will take a tough line on the draft, it is likely to be some time before the Privacy Shield is finalised.

I need to transfer data now, what can I do?

Companies needing to transfer data across the Atlantic in the meantime will need to rely on binding corporate rules or standard contractual clauses, details of which can be found on the website of the UK data protection regulator, the ICO: https://ico.org.uk/for-organisations/binding-corporate-rules/.

A simpler solution may be to use mobile ediscovery technology, which can process, filter and analyse data onsite so that the data does not need to leave the jurisdiction, allowing companies to avoid the risks and costs involved in transferring data across borders.


© 2024 Professional Security Magazine. All rights reserved.