In October of 2015, when the European Court of Justice struck down the US-EU Safe Harbor framework – which allowed EU organizations to transfer EU citizens’ data to the US in compliance with stricter EU privacy laws – thousands of companies that transfer data across the Atlantic were left at sea. Since the Safe Harbor’s downfall, organizations that transferred personal data from the EU to the US could not be certain that they were complying with EU privacy laws. As of this July, the European Commission, in partnership with the US Department of Commerce, has approved a new legal framework for these intercontinental data transfers, deemed the EU-US Privacy Shield. The goal of the new program is the same as the old one: to ensure that EU citizens’ data being transferred to the US is sufficiently protected. However, the new Privacy Shield program provides more, and stricter, obligations on US companies, greater governmental oversight by US regulators, and several options for the enforcement of these obligations.This post will discuss the major differences between the old Safe Harbor framework and the new Privacy Shield, and will provide an overview of practical considerations for those businesses that need to send and receive sensitive information abroad.
Increased Measures of Protection and Transparency
Under the new program, US companies must ensure that their data processing partners provide the same protections to EU data as is required by the Privacy Shield, and must provide the US Department of Commerce with the operative privacy-related provisions of its agreements with such data processors on request.
Critically, the new regime also reverses the burden of responsibility for breaches of the Privacy Shield by third-party data processors. In the new scheme, the company that receives EU personal data is liable for the actions of its downstream data processors, unless it can prove that it is not responsible. Placing this burden on the shoulders of the initial data recipient could result in higher compliance costs and greater risk of liability.
There are also additional procedural requirements built into the Privacy Shield. For example, participants in the Privacy Shield must declare their commitment to compliance with the program in their privacy policies. This step, while seemingly innocuous, ensures that the participant’s commitment to the Shield is fully enforceable under US law as a matter of contract and through Federal Trade Commission enforcement actions as a response to unfair or deceptive acts and practices that affect commerce. Participants in the Privacy Shield must also notify their customers that they have a right to access customers’ personal data, that the data may be disclosed pursuant to lawful requests by governmental authorities, and that the Privacy Shield participant is liable for transfers of personal data to third parties. Further, online privacy policies must provide a link to the US Department of Commerce’s Privacy Shield website and to the webpage of the participant’s designated independent recourse mechanism allowing for the submission of consumer complaints (more on this below).
Avenues for Relief
The Privacy Shield framework contains myriad avenues for consumers to register complaints. First, an individual may lodge a complaint directly with the Privacy Shield participant. In that case, the participant must respond within 45 days. Alternatively, consumers may submit a complaint to an independent public organization called a data protection authority (“DPA”). DPAs are responsible for monitoring the application of data protection rules within a particular territory within the EU, and will attempt to facilitate a resolution of complaints with the US Department of Commerce itself. In addition, participants in the Shield must provide their consumers with an independent mechanism to seek recourse for free. Participants may select a private alternative dispute resolution (“ADR”) provider to satisfy this requirement. However, the participant must ensure that the provider itself complies with Privacy Shield requirements. ADR providers must, for example, report violations of the Privacy Shield to the US Department of Commerce, other regulators, or to a court. As an alternative to ADR providers such as AAA or JAMS, participants may select a group of DPAs to provide the independent mechanism for recourse. Failure of a Privacy Shield participant to comply with the decision of an independent recourse mechanism could result in loss of certification under the Shield.
Further, consumers whose claims remain fully or partially unresolved after exhausting all avenues of redress from the Shield participant, independent recourse mechanism, and DPAs, may seek redress from the Privacy Shield Arbitral Panel, administered by U.S. Department of Commerce and the European Commission. Consumers who invoke this right oblige the participant to enter into binding and enforceable arbitration. It is important to note that since this form of binding arbitration can only award equitable relief in the form of access to and correction of data, the aggrieved consumer retains the option of seeking monetary damages in court.
This laundry list of avenues for recourse for alleged violations of the Privacy Shield is another element of the new system that may result in higher compliance costs than under the Safe Harbor. Organizations considering whether to apply for the Privacy Shield program may wish to take these increased costs into account.
Not only are the regulations and options for recourse under the Privacy Shield greater, so too is the number of regulators themselves. Organizations should note that compliance with the Privacy Shield is regulated by a host of governmental and private entities including the US Department of Commerce, the Federal Trade Commission, the Department of Transportation, EU DPAs, ADR service providers acting as independent recourse mechanisms, and the court systems. Participants may have to manage multiple bureaucracies and communications from many different regulators for the same alleged violations, potentially increasing the cost of compliance even further.
The EU US Privacy Shield adds to the requirements on its participants, provides for more avenues for consumer recourse, and increases the number and diversity of governmental and private overseers. Potential participants must give careful consideration to these factors, and the associated costs before committing to the Privacy Shield. However, Organizations looking to comply with EU data protection laws do have other options. Companies may lawfully transmit data across the Atlantic by having proper contractual obligations in place with data recipients. The European Commission has promulgated a series of model contract clauses for organizations to implement with their data processors. If these clauses are implemented verbatim, they are approved to assure compliance with EU standards. This may be a more desirable option than the Privacy Shield for certain companies. Organizations looking to comply with EU Privacy laws should take account of the requirements of each compliance mechanism, and tailor their internal data policies accordingly with the advice of counsel when necessary.