Earlier this month, the European Commission (EC) voted to adopt the final version of the new EU/US data protection scheme, the Privacy Shield, which provides a mechanism for the valid transfer of personal data from the EU to the US. The scheme was approved simultaneously by the US Department of Commerce (DoC). The Privacy Shield is a replacement for the previous EU/US data transfer scheme, the Safe Harbour Agreement, which was declared invalid by the European Court of Justice (ECJ) in Autumn 2015.
New improved scheme?
The purpose of the Privacy Shield scheme is to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US. The EC considers that the Privacy Shield arrangements satisfy the requirements identified by the ECJ when it declared the Safe Harbour scheme invalid. The DoC believes that it “provides a set of robust and enforceable protections for the personal data of EU individuals”. The scheme is intended to give EU nationals more transparency about transfers of their personal data to the US; stronger protection of their personal data; and easier and cheaper options for making a complaint which can be made directly or with the assistance of their local Data Protection Authority.
Businesses in both the EU and US will have to understand the details of the new scheme; US corporations will have to take steps to comply, while businesses in the UK and elsewhere across the EU transferring data to the US will need to verify that the recipient in the US is compliant. To join the Privacy Shield framework, US corporations must –
- Self-certify annually to the DoC that they meet the requirements of the scheme and agree to adhere to the Privacy Shield Principles which cover notice, choice, access, accountability for onward transfer, security, data integrity and purpose limitation, recourse/enforcement and liability.
- Publicly commit to comply with the framework’s requirements. This commitment will be enforceable under US law.
- Publish a Privacy Shield Privacy Policy on their website.
- Reply promptly to any complaints and provide an independent recourse mechanism. Further redress will also be available through data protection authorities (DPAs) and the Privacy Shield Panel.
- Ensure accountability for data transferred to third parties.
Specific rules for HR data
For companies that transfer or receive human resources data for the purposes of employment relationships, there are certain specific Privacy Shield rules which apply. In particular:
- Where an EU employee complains about a breach of data protection rights, their ultimate recourse will lie with the national DPA in the jurisdiction in which they work. This is because primary responsibility for their data remains with the EU employer organisation. As such, the framework makes clear that US organisations using EU human resources data must commit to cooperate and comply with requirements of the competent EU authority.
- Organisations that are required to utilise EU DPAs in this way must pay an annual fee to cover the operating cost of the EU DPA panel. The fee is not to exceed USD 500.
- Where an organisation’s self-certification relates to human resources data, the privacy policy covering that data must be made available to the organisation’s employees whose data will be transferred to the US, but need not be made publicly available.
Action points
The US DoC has indicated that it will begin accepting self-certifications to the Privacy Shield on 1 August 2016. Steps that organisations will need to take prior to self-certification include –
- Checking eligibility to participate in the Privacy Shield – organisations that are subject to the jurisdiction of the US Federal Trade Commission or the Department of Transportation may participate.
- Identifying and putting in place an independent recourse mechanism.
- Developing a Privacy Shield compliant privacy policy which must –
  - Conform to the Privacy Shield Principles.
  - Specifically refer to Privacy Shield compliance.
  - Identify the organisation’s independent recourse mechanism.
  - Be made publicly available.
- Ensuring that the organisation has procedures in place to verify compliance with the Privacy Shield. This can be either an internal self-assessment procedure or an external assessment program.
- Designating a Privacy Shield contact within the organisation who will be responsible for handling questions, complaints, access requests and other issues arising under the Privacy Shield.
Sign up or wait and see?
The Privacy Shield framework has been a long time in the making but, now that it is finalised, perhaps the biggest question for companies is whether or not to use it as a means of protecting their EU/US data transfers. Despite the strongly expressed views of both the EC and the DoC that the framework satisfies EU requirements, there is nonetheless some doubt about its long-term validity. Certain EU DPAs are believed to be critical of the scheme; it is not clear that its terms are sufficient to satisfy the more stringent requirements of the EU General Data Protection Regulation, which will come into force in 2018; and, given the continued mass surveillance by the US Government, litigation challenging the new scheme is fully expected. In view of this uncertainty, rather than immediately signing up to the Privacy Shield, some organisations may choose to adopt a wait-and-see approach, preferring, for example, to execute or continue to use other mechanisms available for international data transfers such as standard contractual clauses or binding corporate rules. All organisations are recommended, however, to use the implementation of the Privacy Shield as the impetus for reviewing their data protection and international transfer arrangements and verifying that they are using the method best suited to their organisation.