A new, "safer" harbor for personal data transfer?

  • E-mail E-mail
  • Google+
  • Reddit Reddit

The European Court of Justice ruling in Schrems vs. Data Protection Commissioner seriously complicated operations for more than 4,400 American companies that had relied on the EU-U.S. Safe Harbor Agreement (“Safe Harbor”).[1] Safe Harbor had been the easiest way for U.S. companies to transfer personal data between the United States and Europe.[2] Finding Safe Harbor inadequate to protect the privacy of EU citizens,[3] the court’s October 6 decision stripped U.S. companies like Facebook, Google, Airbnb, LinkedIn,[4] Domino’s Pizza, and the women’s clothier Tory Burch, LLC,[5] of permission to transfer EU citizens’ personal data among EU member countries and the United States for commercial purposes.[6]

Fortunately for the affected companies, enforcement did not begin until the end of January 2016, leaving them a grace period to comply.[7] Many already had a “Plan B” for legal transfer of personal data.[8] Companies without such a plan were given the option to temporarily implement one of three other avenues—Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and Derogations.[9] These alternatives essentially allow legal transfer of personal data through forming “contract clauses or ad hoc agreements,” “establishing [certain] rules that permit transfers of personal data within a multinational corporation or international organization,” or “obtaining the ‘unambiguous consent’ of the data subject to the transfer of personal data.”[10] However, these alternative solutions require additional steps and expenses[11] that are prohibitive for many smaller companies.[12]

Penny Pritzker
U.S. Secretary of Commerce Penny Pritzker talks with German business 
officials in Munich in November 2013. Pritzker recently sent her EU counter-
parts a 132-page proposal to replace the longstanding Safe Harbor 
Agreement that facilitated U.S.-EU data transfer before the ECJ struck it
down in October.Photo via Wikimedia Commons.

Around the end of the Safe Harbor grace period, the European Commission and its U.S. counterpart announced an agreement of a revised Safe Harbor Agreement, the so-called EU-U.S. Privacy Shield.[13] On February 29, the U.S. Department of Commerce released a 132-page “package,” which included Privacy Shield Principles and a so-called "Arbitral Model".[14] The Privacy Shield Principles cover seven categories that provide guidance for companies in complying with European data protection laws:[15] “notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability.”[16]

The notice principle requires that organizations clearly provide individuals with “notice of the organization’s participation in the Privacy Shield, the type of data collected, . . . the purposes for which the data is collected . . . any third parties to whom their data will be transferred, their right to access their data, and the means for limiting the use and disclosure of their personal data.”[17] The individual must also be told about the avenues for redress and “the FTC’s . . . enforcement authority.”[18] The choice principle addresses information regarding how an individual can opt-out of having their personal information disclosed to a third party or collected for other reasons than originally designated.[19] As for disclosure and collection of particularly sensitive information, such as data regarding “health, racial or ethnic origin, political and religious opinions, trade union membership, or information revealing an individual’s sex life,” individuals must affirmatively consent.[20] Accountability for onward transfer lays out requirements for participating organizations in their transfer of personal data to third parties.[21] The principle broadens the participating organization’s responsibility beyond just their own organizations, to now include third parties when third parties act as agents.[22] The security principle requires that participating organizations “take reasonable and appropriate measures to protect [data] from loss, misuse and unauthorized access, disclosure, alteration and destruction,” while being particularly aware of the “risks involved and the nature of the personal data.”[23] The data integrity and purpose limitation principle requires that organizations maintain accurate and relevant data.[24] Access involves providing individuals with “access to their personal data as well as the opportunity to correct, amend, or delete information that is inaccurate or processed in violation of the Principles.”[25] This principle also provides organizations with guidelines on when access to data can be restricted.[26] Lastly, recourse, enforcement, and liability describe “detailed mechanisms for recourse and dispute resolution.”[27] In addition to these principles, there are supplemental principles informing businesses on how to handle “sensitive data, secondary liability, the role of data protection authorities, human resources data, pharmaceutical and medical products, and publicly available data.”[28]

Like the old Safe Harbor framework, the Privacy Shield is binding[29] on any organization that seeks the Privacy Shield certification.[30] The new Privacy Shield introduces a few revisions including choice and onward transfer, which are explained above.[31] Furthermore, the Privacy Shield improved “commercial oversight”[32] and now provides EU citizens with several new avenues for redress should they feel their privacy has been violated.[33] EU citizens can file complaints of non-compliance to the violating organization or to their national Data Protection Authority, with an expectation of a forty-five-day turn around for organizations that receive complaints.[34] If none of the other remedies right the alleged wrong, EU citizens can pursue a legal remedy through the Arbitral Model, which submits participating organizations to binding arbitration.[35] Organizations must provide this avenue for remedy, but a complaining individual has to exhaust all other options before seeking arbitration.[36]

The Privacy Shield package, not yet implemented, is subject to a final adequacy determination from the European Commission.[37] The determination will be made through a “comitology procedure, which involves insight from the Article 29 Working Party, a binding opinion from the EU Member State representatives, and a formal adoption of the adequacy decision by the EU College of Commissioners.”[38] Until the Privacy Shield’s implementation, the EU data protection supervisory authorities are allowing businesses to use one of the three aforementioned alternatives.[39] Businesses that did not want to turn to any of the three Safe Harbor alternatives will have to hold on for a little longer until the adequacy determination is approved, which is predicted for early summer.[40]

[1] Stephen Gardner, EU Privacy Chiefs to Assess Safe Harbor Alternatives, Bloomberg BNA (Nov. 16, 2016)http://www.bna.com/eu-privacy-chiefs-n57982063579 [https://perma.cc/555G-WVGT]; see Case C-362/14, Schrems v. Data Protection Comm’r, available at http://curia.europa.eu/juris/liste.jsf?num=C-362/14.

[2] Cara McGoogan, What Does the End of Safe Harbour Mean for You?, Wired UK (Oct. 6, 2015)www.wired.co.uk/news/archive/2015-10/06/what-does-the-end-of-safe-harbour-mean [https://perma.cc/6CUK-HQ38].

[3] Gardener, supra note 1 (“The European Court of Justice invalidated the U.S.-EU Safe Harbor Oct. 6, saying that the self-certification framework . . . wasn't in line with EU privacy rights because of the possibility that the data of EU citizens might be accessed as part of U.S. government surveillance programs, and because it offered insufficient redress in case of data protection breaches.”).

[4] McGoogan, supra note 2.

[5] U.S.-EU Safe Harbor List, U.S. Commerce Dep’thttps://safeharbor.export.gov/list.aspx (last visited March 4, 2016).

[6] Martin A. Weiss & Kristin Archick, U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield, Congressional Res. Serv. 1, 1 (2016) , available at https://ia801304.us.archive.org/20/items/R44257TheEU-USSafeHarborAgreementonPersonalDataPrivacyInBrief-crs/R44257%20The%20EU-U.S.%20Safe%20Harbor%20Agreement%20on%20Personal%20Data%20Privacy_%20In%20Brief.pdf. The end of Safe Harbor also had implications for the U.S. Justice Department regarding jurisdictional issues of data from American companies stored in European countries. Tom Risen, How Ending the Safe Harbor Law Threatens U.S. Businesses, U.S. News & World Report (Oct. 5, 2015)http://www.usnews.com/news/articles/2015/10/05/rejecting-safe-harbor-law-threatens-us-and-eu-businesses [https://perma.cc/U6PW-XPZG].

[7] Gardner, supra note 1.

[8] Jedidiah Bracy, With Safe Harbor Invalid, What’s Next for Privacy Pros?, Int’l Ass’n Privacy Prof’ls (Oct. 6, 2015)https://iapp.org/news/a/with-safe-harbor-invalid-whats-next-for-privacy-pros [https://perma.cc/NQG9-DPZM] [hereinafter With Safe Harbor].

[9] Katie M. Sluss, Life After Death (of Safe Harbor)—EU Data Protection in the Wake of Schrems, Cyber L. Monitor (Nov. 20, 2015)http://cyberlawmonitor.com/2015/11/20/life-after-death-of-safe-harbor-eu-data-protection-in-the-wake-of-schrems [https://perma.cc/QP6B-SZJW] (“1. Standard Contractual Clauses (SCCs) – The Commission has approved four sets of SCCs, which include rights and obligations regarding personal data transfers. Because these SCCs, in principle, require national authorities to accept these clauses, the national authorities cannot refuse the transfer of personal data on the sole basis that these SCCs do not offer adequate safeguards. This is without prejudice to their power to examine these clauses in light of the Schrems decision. 2. Binding Corporate Rules (BCRs) – BCRs allow personal data to be transferred freely among the various entities of a corporate group. BCRs are binding on members of a corporate group, are enforceable in the EU, and require a designated entity within the EU to accept liability for breaches of the rules by any member of the group outside the EU which is bound by the BCRs. 3. Derogations – Derogations allow personal data to be transferred outside the EU when, among other reasons, the transfer is necessary for the performance of a contract, the transfer is necessary or legally required for the establishment, exercise, or defense of a legal claim, or unambiguous consent is given by the data subject prior to the proposed transfer. The Article 29 Working Party, which advises the Commission, states that these derogations are to be strictly interpreted.”).

[10] James S. DeGraw et. al., The U.S.-EU Safe Harbor Framework is Invalid: Now What?, Ropes & Gray (Oct. 9, 2015), https://www.ropesgray.com/newsroom/alerts/2015/October/The-US-EU-Safe-Harbor-Framework-Is-Invalid-Now-What.aspx [https://perma.cc/RV6E-DGB8].

[11] Sluss, supra note 9. 

[12] With Safe Harbor, supra note 8.

[13] Ulrich Wuermeling, Gail Crawford & Jennifer Archie, Proposal of EU-US Privacy Shield Leaves Businesses in State of Uncertainty, Global Privacy & Sec. Compliance L. Blog (Feb. 4, 2016)http://www.globalprivacyblog.com/privacy/proposal-of-eu-us-privacy-shield-leaves-businesses-in-state-of-uncertainty [https://perma.cc/VT89-RDW8].

[14] EU-U.S. Privacy Shield, U.S. Dep’t Commerce (Feb. 23, 2016)https://beta.commerce.gov/sites/commerce.gov/files/media/files/2016/eu_us_privacy_shield_full_text.pdf.pdf [https://perma.cc/LWT9-MMNB]; Jedidiah Bracy, Privacy Shield Details Released, Int’l Ass’n Privacy Prof’ls (Feb. 29, 2016)https://iapp.org/news/a/privacy-shield-details-released [https://perma.cc/K48B-PBCX] [hereinafter Privacy Shield Details].

[15] Sluss, supra note 9.

[16] Id.

[17] Gabriel Maldoff, We Read Privacy Shield So You Don't Have To, Int’l Ass’n Privacy Prof’ls (Mar. 7, 2016)https://iapp.org/news/a/we-read-privacy-shield-so-you-dont-have-to/ [https://perma.cc/2458-UBYA].

[18] Id.

[19] Id.

[20] Id.

[21] Id.

[22] Id.

[23] Id.

[24] Id.

[25] Id.

[26] Id.

[27] Id.

[28] Sluss, supra note 9.

[29] European Commission Press Release IP/16/216, EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield (Feb. 2, 2016), available at http://europa.eu/rapid/press-release_IP-16-216_en.htm [https://perma.cc/D6JF-YWAW].

[30] Maldoff, supra note 17.

[31] Michelle Gyves, Privacy Shield Details Released, Proskauer Rose LLP (Mar. 1, 2016)http://privacylaw.proskauer.com/2016/03/articles/uncategorized/privacy-shield-details-released/ [https://perma.cc/T99N-RHTV].

[32] EU-U.S. Privacy Shield Fact Sheet, U.S. Dep’t Commerce (Feb. 2, 2016)https://www.commerce.gov/news/fact-sheets/2016/02/eu-us-privacy-shield [https://perma.cc/5X79-PHG8].

[33] EU and US Announce New Privacy Shield for International Data Transfers, Dentons (Feb. 5, 2016), http://www.dentons.com/en/insights/alerts/2016/february/5/eu-and-us-announce-new-privacy-shield-for-international-data-transfers [https://perma.cc/H45C-GQ52].

[34] Gyves, supra note 31.

[35] EU-U.S. Privacy Shield Fact Sheet, supra note 32.

[36] Maldoff, supra note 17.

[37] Privacy Shield Details, supra note 14.

[38] Id.

[39] Wuermeling, supra note 13.

[40] Privacy Shield Details, supra note 14.

Posted by Sharon G. Lin on Thu. March 10, 2016 11:47 AM
Categories: Cyberlaw, European Union, Free Trade, United States

Comments for this post are now closed.

UNC School of Law | Van Hecke-Wettach Hall | 160 Ridge Road, CB #3380 | Chapel Hill, NC 27599-3380 | 919.962.5106

If you are seeing this, you are either using a non-graphical browser or Netscape 4.x (4.7, 4.8, etc.) and this page appears very plain. If you are using a 4.x version of Netscape, this site is fully functional but lacks styles and optimizations available in other browsers. For full functionality, please upgrade your browser to the latest version of Internet Explorer or Firefox.