Will the new European Union (EU) Privacy Shield really work for such dissimilar groups as private businesses, governments, regulators, private citizens and the courts? How and when will the new regulations change the ways that companies do business? How are the Privacy Shield laws going to address privacy concerns in a more effective and comprehensive manner than Safe Harbor? Answers to these difficult questions will have to be pondered and examined in the weeks, months and years ahead.
The Privacy Shield replaces the data transfer arrangement generally known as Safe Harbor, which was invalidated by the European Court of Justice (ECJ) last year in the Schrems decision. The new Privacy Shield was adopted on 12 July 2016 and became effective on 1 August 2016. Under the prior Safe Harbor provisions, companies that desired to transfer data out of EU member states are required to self-certify that they were meeting EU privacy concerns and register this self-certification with the United States government.
Key difference between Safe Harbor and Privacy Shield
The key changes agreed to for the new Privacy Shield are threefold. First, the United States government will create an ombudsman to hear and dispose of complaints from EU citizens about the United States spying on their data. Second, the United States Office of the Director of National Intelligence will give written commitments that Europeans’ personal data will not be subject to United States government surveillance unless it is ‘justified’; whatever that might mean going forward. Third, the EU and United States will conduct an annual review to check the new system is working properly.
Under the new Privacy Shield, United States companies must self-certify to the United States Department of Commerce and publically commit to comply with the Privacy Shield’s requirements. While joining the Privacy Shield is voluntary, once an eligible organisation makes the public commitment to comply with the framework’s requirements, the commitment will become enforceable under United States law.
Will any or all of this work going forward?
That, of course, is the big question on everyone’s mind. The EU Article 29 Working Party, which is an advisory body comprising representatives of the supervisory authorities for each EU member state, representatives of the EU institutions and a representative of the European Commission on data protection, issued a statement raising concerns in four areas. First, there was a lack of specific rules on decisions and the right to raise concerns. Second, there was a general discomfort with data processors. Third was the above noted lack of concrete assurances by certain United States governmental agencies against unjust surveillance. Fourth was the concern about the ombudsman scheme for investigation and resolution of disputes between companies and individuals.
There is also the looming prospect of yet another court challenge by Max Schrems, who has a case in Ireland working its way through that country’s court system. It will eventually be heard by the ECJ, who threw out Safe Harbor last year. Finally, there is of course the United States Presidential election. Depending on which candidate is elected, EU officials may have much more or less confidence that the United States will honour its treaty obligations going forward.
In addition to Max Schrems, the 28 separate national data protection commissions have yet to weigh in with their views on the legality of the Privacy Shield. However, this group has announced that they will not challenge the Privacy Shield until mid-2017, if at all. This will allow time for all interested parties to compile evidence of both United States government and United States company compliance with the new agreement or lack thereof. Of course, it will also be after the next United States government is determined and sworn into office.
There can be some apprehension from companies about building up a new data privacy programme that is in line with the Privacy Shield requirements only to see them go the defunct way of Safe Harbor in a couple short years. As the two laws are similar in many ways, companies might already be in compliance with the requirements with the exception of a few minor elements of reporting, response to complaints and crossing out ‘Safe Harbor’ from the top of policies and replacing with ‘Privacy Shield’.
Requirements for companies to self-certify compliance
Beginning 1 August 2016, United States companies can apply to be covered by the Privacy Shield and can do so through United States Department of Commerce Privacy Shield website. According to the site, a company must self-certify to the following:
- Confirm your organisation’s eligibility to participate in the Privacy Shield. Under this requirement, any United States entity subject to the jurisdiction of the United States Federal Trade Commission (FTC) is eligible to participate in the programme.
- Identify your organisation’s independent recourse mechanism. Under this condition, a company must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual. This means that each company will have to self-fund an arbitration procedure and process for disputes over data privacy. Note that this requirement gives EU citizens’ rights in the United States that many United States employees do not have with their own employers.
- Ensure that your organisation’s verification mechanism is in place. Under this obligation, a business is required to have procedures in place for verifying compliance. This can be done through either an annual self-assessment or by a third-party assessment programme, administered by someone outside your organisation.
- Designate a contact within your organisation regarding Privacy Shield. Under this requirement, a company must provide a contact for the handling of questions and complaints, the accessing of requests, and any other issues arising under the Privacy Shield. The contact can be either the corporate officer who certifies the entity’s compliance with Privacy Shield, or another designated official within your organisation such as a Chief Privacy Officer. You should note that there is a short timeframe for responding to a complaint, only 45 days of receiving a complaint.
- Review the information required to self-certify. Prior to submitting a request for self-certification to the Department of Commerce, a company must review and compile the information required as part of the Department of Commerce’s online self-certification process. In other words, you must document, document and then document your process.
- Submit your organisation’s self-certification to the Department of Commerce. A business can submit its application for self-certification directly on the Department of Commerce’s website. There is a sliding fee scale that is available on the same site.
So should your company sign up for the Privacy Shield? We think the answer is a qualified yes. Clearly, there will be increased costs in terms of the self-assessment and annual review. Furthermore, someone in your organisation will have to take the mantle of Chief Privacy Officer (most certainly in addition to their day job). If your company was in the Safe Harbor programme, the requirements of the Privacy Shield should be easy to achieve. Even with the uncertainty of the Article 29 Working Group, the national data privacy commissioners and the very ubiquitous Max Schrems, it appears to be the best manner through which to demonstrate to your stakeholders, both internal and external, your commitment to data privacy and data protection.