EU-U.S. Privacy Shield is Go…nearly

March.02.2016

On 29 February 2016 the European Commission issued the legal texts of the EU-U.S Privacy Shield which aims to replace the defunct EU-U.S Safe Harbor Framework as a legitimate mechanism for transferring personal data from the EU to the U.S.

In contrast to its predecessor, the Privacy Shield contains commitments from US government in relation to controls on access to personal data by public authorities. This is an aspect of the new scheme which aims to address the jurisprudence of the Court of Justice of the European Union and criticisms of the previous Safe Harbor Framework.

The new arrangements will include the following elements:

1. Stronger obligations on companies and robuster enforcement

Privacy Principles – organisations wishing to make use of the Privacy Shield must self-certify their commitment to and compliance with a set of Privacy Principles. The principles are similar to those previously found under Safe Harbor (although in many cases they are more enhanced) and include principles relating to: providing individuals with notice about data processing; providing choice about data being disclosed to third parties, used for new purposes, the collection of sensitive data and being subject to direct marketing; requirements to implement security measures to protect data and have in place contracts with sub-processors; limitation and integrity obligations which require that only data which is necessary for the purpose it is collected for is processed and that such data is kept accurate and current for its intended use; access rights of data subjects to their data for a non-excessive fee and rights for individuals to have data amended or deleted where it is inaccurate or processed in violation of the principles; accountability for onwards transfers (see further information in relation to this below); and principles which subject organisations to recourse, enforcement and liability and result in obligations to annually certify compliance with the principles and ensure ongoing compliance.

Greater transparency – including a public register of companies that have self-certified compliance with the principles of the Privacy Shield, a Department of Commerce ("DoC") maintained list of companies removed from the register and reasons for removal and links to FTC decided cases relating to the Privacy Shield. In addition, company privacy policies will need to contain links to the official Privacy Shield website and to an independent complaints mechanism that the company is subject to.

Oversight mechanisms to ensure companies abide by Privacy Shield rules – for example, the DoC will monitor false claims of Privacy Shield participation (e.g. through actively checking whether organisations that leave the scheme have removed statements about their participation in the Privacy Shield from their privacy policies and that such companies continue to adhere to the principles as long as they process personal data received under the Privacy Shield), EU data protection authorities ("DPAs") will have a single point of contact at the DoC to refer organisations to for review and the DoC and Federal Trade Commission ("FTC") will provide certain investigatory assistance to DPAs.

Sanctions or exclusion of companies if they do not comply – including companies being subject to independent dispute resolution procedures, administrative orders brought by the FTC and the imposition of "individual-specific, non-monetary equitable relief" by the Privacy Shield Panel (a new recourse mechanism of last resource – see further information below).

Tightened conditions for onwards transfers – transfers of personal data from Privacy Shield registered entities to other organisations must only take place for limited and specified purposes, on the basis of a contract (or comparable arrangement within a corporate group) and only if the contract provides for the same level of protection as provided by the Privacy Shield.

2. Clear safeguards and transparency obligations

Written assurances from the U.S. that any access to data by public authorities will be subject to clear limitations, safeguards and oversight mechanism – the U.S government, through the Department of Justice and the Office of the Director of National Intelligence, has provided the EU with written representations and assurances that access by public authorities for law enforcement, national security and other public interest purposes will be subject to clear limitations, safeguards and oversight mechanisms.

No indiscriminate surveillance – the U.S. government has given the European Commission explicit assurances that the U.S. Intelligence Community "does not engage in indiscriminate surveillance of anyone, including EU citizens".

New redress possibility through EU – U.S. Privacy Shield Ombudsperson – the U.S. will establish a new redress mechanism through an Ombudsperson who will be tasked with following-up complaints and enquiries from EU individuals with regard to national security access.

3. Several Redress Possibilities

Direct with the company – companies must reply to complaints from individuals within 45 days.

Alternative dispute resolution – companies must make available and submit to a free of charge, independent alternative dispute resolution procedure.

With Data Protection Authorities – DPAs will work with the DoC and FTC to ensure unresolved complaints from EU citizens are addressed. Companies will be obliged to comply with the decisions of DPAs where they handle human resource data from the EU.

Privacy Shield Panel – if the other redress mechanisms fail, individuals may invoke binding arbitration by the "Privacy Shield Panel" (a panel made up of privacy specialist arbitrators selected by the DoC and the EU Commission).

4. Monitoring

Annual Joint Review Mechanism – the European Commission and the DoC will conduct an annual review of the functioning of the Privacy Shield, including review of the access to data for law enforcement and national security purposes. Based on the annual review the Commission will publish an annual report. The Commission will also hold an annual privacy summit with interested NGOs and stakeholders to discuss the development of US privacy law and its impact on Europeans.

What next?

While the Commission is encouraging companies to begin preparation for joining the new framework, this may be an early call. Further work and analysis will be required for companies to decide if the new Privacy Shield is a suitable data transfer method for them when compared to alternative mechanisms (such as the EU Standard Contractual Clauses).

While similar to the previous Safe Harbor Framework, the Privacy Shield requires a more comprehensive compliance program to implement and maintain. It also creates significant consequences for failure to adhere to its principles. Joining the Privacy Shield should therefore not be undertaken lightly.

In addition, the published text has no legal effect until further approval is gained from relevant EU institutions. Reliance on the Privacy Shield is also further complicated by the possibility that privacy activists may launch court action against the scheme which may in turn undermine businesses confidence in the proposals.

In terms of timing, the Privacy Shield text will now be put before representatives of the Member States and the Article 29 Working Party (the representative body of data protection authorities in the EU) before being finalised.. The U.S. is now expected to begin preparation for the framework, monitoring mechanisms and the new Ombudsperson. No definitive timeframe has been provided for the Privacy Shield to come into force, however, expectation is that it will be available for use in the next few months.

You can read the official communication from the EU Commission regarding the Privacy Shield here.

Authors

Dr. Christian Schröder Partner, Cyber, Privacy & Data Innovation, Technology Transactions

Düsseldorf

See my bio

D:+49 211 3678 7269
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Technology Companies Group
Automotive Technology & Mobility
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Dr. Christian Schröder Partner

Düsseldorf

Dr. Christian Schröder leads Orrick's Cyber, Privacy & Data Innovation Group in Europe and collaborates with team members in the United States (U.S.), Europe (EU), and Asia to provide support to global clients. As a technology-focused partner, Christian advises on cybersecurity and privacy regulatory compliance, incident response, regulatory investigations and enforcement, litigation and intellectual property licensing, and transactional matters.

Christian helps clients consider the privacy and artificial intelligence implications of new technology, supports their compliance programs, and helps them stay ahead of enforcement trends. One particular focus of his work deals with internal data transfer agreements, external data transfers with external providers, and product launches that comply with international data protection standards, as well as privacy requirements for connected cars. Christian provides guidance on privacy and data protection considerations for developing, acquiring, using, licensing and selling technology, data and intellectual property, including M&A transactions and IP focused joint ventures. He supports companies on the set-up of webshops, outsourcings, license agreements, in cases of trademark or unfair and deceptive trade practice issues, as well as on hard and software license and information technology (IT) project agreements.

Christian maintains strong working relationships with German data protection authorities and EU regulatory authorities with jurisdiction over privacy and data security matters. He effectively defends companies in cybersecurity and privacy-related investigations initiated by EU regulatory authorities. He also engages with authorities on behalf of clients and helps clients avoid proceedings and possible litigation. When litigation can't be avoided, Christian vigorously defends his clients.

For companies facing global cybersecurity incidents, Christian helps with crisis mitigation, including counseling on notification requirements, coordinating media strategies, and representing clients before data protection authorities in related regulatory investigations.

Christian regularly contributes practical thought leadership to global privacy industry publications and German privacy books and journals. Christian authors the Chapter V (international data transfers) of Germany’s leading GDPR commentary Kühling/Buchner (3rd ed.) and is co-author to the Corporate Privacy Handbook (Betrieblicher Datenschutz). As an active member of the Sedona Conference, Christian drives the development and understanding of cross border privacy. He also participates in, hosts and moderates speaking programs with fellow private practitioners, EU data protection authorities, and academics focused on privacy and data security. Legal 500 Germany named Christian one of the top 15 practitioners in 2022 and noted that he is "a pioneer in the legal field, a data protection guru." They also recognized Christian and Orrick as "truly global" and how that it is "vital as they require the various leaders of each region to participate and bring issues to the table as a forum".

Prior to working in private practice, Christian interned with the German Federal Data Protection Commissioner and www.epic.org.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

Data is igniting a global, technological revolution. Increased collection, use, storage, and transfer of data has shifted the paradigm of innovation – and created a global security problem. Fortune 500 companies with large quantities of data, cities with vulnerable infrastructure, and every institution in-between must manage that risk, without encumbering progress or technological advancement. To do so, they turn to Aravind Swaminathan. Aravind is ranked by Chambers USA in the categories of both Privacy and Data Security: Litigation (Band 2) and Privacy and Data Security: Incident Responses, as well as Chambers Global, which described him as "formidable in assisting clients with both the noncontentious and litigious elements of cyber-attacks and security breaches, including resulting class actions." Clients endorse Aravind, telling Chambers, that he is "very substantively knowledgeable" and has "knowledge gained from prosecuting hackers, meaning he fundamentally understands what they do."

As a strategic cybersecurity advisor, Aravind partners with clients to proactively plan for a crisis and develop strategies to improve resiliency, respond efficiently and effectively, protect their business and brand, and defend them in the onslaught of litigation and enforcement actions that follow. He guides organizations from large public company financial institutions to start-up technology companies to critical infrastructure providers through incidents, and develops business and brand-centric strategies to mitigate and manage risk. He has directed more than 200 cybersecurity incident and data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications.

With extensive trial, litigation and appellate experience, he defends his clients in cyber, privacy, and payments-related class actions and other civil litigation (particularly Computer Fraud and Abuse Act matters), and when these issues lead to regulatory investigations by the Securities and Exchange Commission (SEC), the Department of Justice (DOJ), the Federal Trade Commission (FTC), and State Attorneys General.

Aravind’s background as an assistant United States attorney and Computer Hacking and Intellectual Property Section attorney gives him first-hand understanding of federal agencies that allows him to swiftly navigate the system, partner with investigators and find creative solutions for his clients. As a federal cybercrime prosecutor, Aravind investigated and prosecuted a broad array of cybercrime cases, including hacking, phishing, trade secrets theft, click fraud, cyber threats, and identity theft. Aravind also led the cybercrime outreach program, where he worked with members of the Department of Justice, state and federal regulators, law enforcement and other organizations on cybersecurity and related privacy issues. During his time as federal prosecutor in the Complex Crimes Unit, he also investigated and prosecuted a wide array of white-collar crimes, including investment schemes, corporate fraud and embezzlement, securities fraud, tax evasion and the nation’s largest bank failure.