Nine months after the invalidation of the Safe Harbour Agreement, the European Commission (EC) confirmed that the new EU-US Privacy Shield affords adequate protection to the privacy of EU citizens. The framework imposes stronger obligations on US companies and requires the US government to more robustly enforce the new provisions and monitor their implementation.
The different privacy and data protection regimes in the EU and the USA have long been a matter of concern for the EU, which has been intent on ensuring that the personal data of its citizens are adequately protected when transferred to and processed in the USA.
Up until October 2015, this issue was tackled within the context of the Safe Harbour Agreement, through which US companies committed to handle personal data in accordance with EU rules. In October, the Court of Justice of the European Union declared the framework invalid, sparking a wave of negotiations between European and US diplomats in search of a new mechanism. These negotiations resulted in the Privacy Shield, approved by EU member states in July, with four countries abstaining – Austria, Bulgaria, Croatia, and Slovenia.
The Privacy Shield aims to ensure stronger protection for the personal data of EU citizens when transferred to the USA. In practice, US companies will self-certify annually to meet the Privacy Shield requirements, while individuals will be able to make use of new complaint and redress mechanisms if their data is not adequately processed.
There are seven major privacy principles that companies self-certified under the Privacy Shield must adhere to:
Notice: Users must be provided with information on several aspects relating to the processing of their personal data (type of data collected, purpose of data collection and use, third parties to which data is disclosed, etc.).
Choice: Users must be able to object to the processing of their personal data when this is done with a new purpose, different from the one for which the data was initially collected.
Accountability for onward transfer: Any transfer of personal data to a third party can only take place for limited and specified purposes, and on the basis of a contract which provides the same level of protection.
Security: Companies must take reasonable and appropriate security measures to ensure the protection of personal data.
Data integrity and purpose limitation: Personal data must be limited to what is reliable, accurate, complete, current, and relevant for the purpose of the processing. Moreover, personal data can only be retained for as long as it serves the purpose for which it was initially collected, or subsequently authorised.
Access: Users have the right to obtain information as to whether companies are processing their personal data; they must also be able to request that the data is corrected, amended, or deleted where it is inaccurate or has not been processed in line with the principles.
Recourse, enforcement and liability: Companies must provide robust mechanisms to ensure compliance with the principles, as well as recourse for users whose personal data have been processed in a non-compliant manner.
Under the Privacy Shield, individuals will be able to raise complaints directly with the company (which must reply within 45 days), to make use of Alternative Dispute Resolution solutions (to be provided free of charge), or to submit their complaints to data protection authorities (which will work with US authorities to ensure that such complaints are investigated and swiftly resolved). As a last resort, an arbitration mechanism will ensure an enforceable decision.
In addition, the Privacy Shield addresses one issue that has been a major area of concern: the US government’s access to personal data of EU citizens. The Shield brought in written assurances from the USA that any such access will be subject to appropriate limitations, safeguards, and oversight mechanisms.
Moreover, the US government has provided clarifications to the effect that bulk collection of data by intelligence agencies does not equate to mass surveillance; it explained that any bulk data collection involves the application of methods and tools to filter collection in order to focus it on needed material, while minimising the collection of non-pertinent information.
In addition, the US government has committed to creating an Ombudsperson mechanism for receiving and responding to complaints from individuals regarding US government access to their personal data. The Ombudsperson will oversee operation of the Privacy Shield, independent of US intelligence services, and will report directly to the Secretary of State.
The US government further commits to cooperate with data protection authorities in EU member states, and to conduct annual joint reviews to monitor the functioning of the Privacy Shield. In addition, the USA will inform the EC of material developments in US law relevant to the Privacy Shield.
The Commission is to assess the level of protection provided by the Privacy Shield following the entry into force of the General Data Protection Regulation, in May 2018.
The US Department of Commerce began accepting Privacy Shield self-certification applications from US companies as of 1 August. On the other side of the Atlantic, the Commission has issued a guide for EU citizens on how to file complaints against US companies which self-certify under the Privacy Shield, but fail to handle personal data in line with its principles.
This article was first published in Issue 13 of the Geneva Digital Watch newsletter. The author is a Curator for the GIP Digital Watch observatory.