EU-US Privacy Shield - Update

The GDPR requires companies to meet certain standards when transferring personal data to non-EU countries - a key mechanism for ensuring data protection for EU-US transfers is the Privacy Shield, which was recently reaffirmed by the European Commission.

The Privacy Shield was accepted by the European Union authorities as protecting the rights of EU citizens when their data was transferred to the US.

Despite the constant controversy and criticism as to the adequacy of protection (as discussed here in our previous Insight), on 19 December 2018, the European Commission reaffirmed the validity of the EU-US Privacy Shield – albeit we await full implementation of the requirements by the US authorities before the Privacy Shield is fully compliant.

What is a Privacy Shield?

The rules on transmitting data to third countries have strict requirements. You can make the transfer if the EU has already decided the country you are transferring to has an adequate level of protection, if you can show that the country you are transferring to has the appropriate legal safeguards, or if you have the consent of the person whose data you wish to transfer.

A personal data transfer from the EU to the US could be obvious, like during administration from an EU subsidiary to an American parent company, or it could be behind the scenes, if your company is sharing a cloud for customer data and the servers are located in the US. 

A Privacy Shield protects the rights of EU citizens and complies with the GDPR by introducing additional protections when data is transmitted to the US for commercial purposes.

A system of self-certification

The EU declared that the transfer of data to the US is permissible to certain companies if they self-certify under the Privacy Shield Scheme and renew this certification every year. The US Department of Commerce reviews whether these companies are complying with the regulations, and publishes a list of all the self-certifying companies it has reviewed. 

Pressure on the Adequacy of the EU-US Privacy Shield

There have been doubts over the adequacy of the Privacy Shield since its creation in 2016. The US can access personal data if it can justify it on the basis of national security, and the EU Data Protection Working Party has suggested that its safeguards to restrict arbitrary access are vague. In light of these controversies, the recent European Commission approval does provide comfort for business and individuals alike as regards the protection and security of personal information.

In 2017, after its first annual review, the EU determined that the EU-US Privacy Shield was adequate, but made recommendations for the US to pro-actively monitor compliance and make sure an ombudsman is always appointed for any complaints from EU citizens; these recommendations were not implemented by the US authorities. In July 2018, the European Parliament passed Resolution 2018/2855(RSP) stating that there had been no moves by the US to show better compliance. The European Parliament therefore pledged to ask the EU to withdraw from its adequacy decision of 2017 in respect of the EU-US Privacy Shield.

Second annual report on the Privacy Shield

Despite the ongoing pressure and criticism, the European Commission released its second annual report on 19 December 2018: the Privacy Shield remains valid.  

In its report, the European Commission acknowledges that the U.S. Department of Commerce has taken enough steps to strengthen oversight and introduce new mechanisms that would help find compliance issues, such as random spot checks; and has recognized the more proactive role taken by the Federal Trade Commission to better monitor compliance with the Principles of the Privacy Shield, such as issuing subpoenas to request information from the companies that participate in the framework.

The European Commission has also recognized that for the Privacy Shield to continue being adequate, there are further steps and developments that need to be taken, putting a special emphasis on the importance of appointing a permanent Privacy Shield Ombudsman. The US authorities are expected to make the nomination by 28 February 2019. Failure to do so may result in the Privacy Shield being invalidated. Furthermore, the European Data Protection Board is concerned with whether the Ombudsman will have enough powers to regard it as an effective remedy before a tribunal. Whilst we have a decision of reaffirmed validity, things are still not totally certain.

What do companies need to do?

For now, companies which benefit from the EU-US Privacy Shield mechanism for personal data transfers from the continent to the US have nothing to do immediately, aside from monitoring the appointment of the Ombudsman and ongoing opinion from the European Commission to make sure that they are on top of the latest best practices and recommendations.

Furthermore, whilst things are reaffirmed for now, it is possible that the EU could repeal or suspend the Privacy Shield in the future – especially if the US authorities fail to appoint a Privacy Ombudsman, meaning that transfers of personal data to the US from the EU under the Privacy Shield scheme would not be compliant with GDPR requirements. In such an event, EU-based companies can still lawfully transfer personal data to the US using alternative mechanisms, such as:

  1. EU Standard Data Protection Clauses (Commission Contractual Clauses);

  2. Binding Corporate Rules;

  3. Individual Clauses;

  4. Consent from data subjects.

The best plan of action is to keep continually reviewing the procedures you have in place for your own data transfers to third countries, making sure you are compliant for the time being until any big changes are made clear. For now, the Privacy Shield remains adequate and we hope that there will be an ongoing collaboration between the EU and the US to keep transfers of personal data compliant with the GDPR requirements.

As always, if you are uncertain on the agreements you have in place or would like to consider alternative protection mechanisms, please get in touch.

Article by Soraya Redondo and Charlotte Gerrish @ Gerrish Legal, February 2019
