A New Privacy Shield will be in place to protect EU/US data flows starting 1 August 2016
By Kim Smouter
A MAJOR RELIEF?
Europe and the United States have announced that they have come to an agreement on the replacement mechanism to the EU/US Safe Harbour. The Safe Harbour Scheme had been struck down by the European Court of Justice last year forcing European and American authorities to scramble and setup a replacement mechanism allowing the free flow of data between the world’s two largest data markets.
In February, authorities had announced the Privacy Shield which sought to address the European Court of Justice’s opposition to indiscriminate mass surveillance on Europeans and also the inequivalent level of redress afforded to Europeans. But following negative feedback from European politicians, and European and national data protection authorities about the new scheme, it was uncertain the Privacy Shield would ever see the light of day.
Companies wishing to sign up to the new Privacy Shield will be invited to do so starting 1 August 2016, noting that at the moment data transfers using the old Safe Harbor are illegal and subject to enforcement actions. German Data Protection Authorities have already begun issuing fines for companies who are still transferring data using the old scheme.
THE PRIVACY SHIELD SURVIVES SCRUTINY AND POLITICAL OPPOSITION
So, despite political opposition to the new Shield, representatives of EU Member States and the European Commission gave their final nod of approval to the proposed scheme. A new version of the text was prepared to address the negative reviews of the national data protection authorities and the European Data Protection Supervisor who will eventually have enforcement responsibility over the scheme.
The Privacy Shield is a slightly different animal from its predecessor, but for those involved in the previous scheme it should be seen as an evolution of the pre-existing requirements.
Nonetheless, there are a number of changes to highlight from the perspective of a company including:
STRICTER NOTIFICATION REQUIREMENTS
- The Privacy Shield requires additional information be provided to individuals in the Notice Principle, including a declaration of the organization’s participation in the Privacy Shield, a statement of the individual’s right to access personal data, and the identification of the relevant independent dispute resolution body;
STRICTER CONTRACTUAL REQUIREMENTS
- The Privacy Shield strengthens protection of personal data that is transferred from a Privacy Shield organization to a third party controller by requiring contracts that provides that personal data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles;
GREATER EMPHASIS ON DATA CHAIN RESPONSIBILITIES
- The Privacy Shield strengthens protection of personal data that is transferred from a Privacy Shield organization to a third party agent, requiring a Privacy Shield organization to:
- take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
- upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request;
CLARIFICATION OF LIABILITIES
- The Privacy Shield organization (the data importer) is responsible for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf.
- The Privacy Shield organization remains liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage;
- The Privacy Shield also clarifies that Privacy Shield organizations must limit personal information to the information that is relevant for the purposes of processing;
ANNUAL CERTIFICATION REQUIREMENTS
- The Privacy Shield requires an organization to annually certify with the US Department of Commerce its commitment to apply the Principles to information it received while it participated in the Privacy Shield if it leaves the Privacy Shield and chooses to keep such data;
- It also requires that an independent recourse mechanism be provided at no cost to the individual;
STRONG EXPECTATIONS TO RESPOND PROMPTLY TO REQUESTS
- The Privacy Shield requires organizations and their selected independent recourse mechanisms to respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield;
- The Privacy Shield also requires organizations to respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department;
- It further requires a Privacy Shield organization to make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if it becomes subject to an FTC or court order based on non-compliance.
MORE FLEXIBLE RETENTION PERIODS FOR RESEARCH AND STATISTICAL ANALYSIS
- The Privacy Shield hasn’t forgotten about offering a differentiated regime for research, as organizations may retain personal information for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis.
THAT’S GREAT, BUT WHAT’S THE ADVICE FOR MARKET RESEARCHERS?
Clearly the adoption of a new Privacy Shield offers a much more “user-friendly” mechanism to re-enable data transfers between the EU and the US in the same way that before the Safe Harbour scheme allowed more than 4000 companies to transfer data easily between the two data markets. Market, opinion, and social researchers also benefited from this scheme as leading agencies were using it but also many suppliers into the industry.
The alternatives, like binding corporate rules and standard contractual model clauses provided by the Commission can be cumbersome or worse and sometimes simply cannot be applied to the use-case. So having this scheme can be a relief.
There is, nonetheless, a word of caution to be placed on rushing to adopt the Privacy Shield. As highlighted by the European Parliament’s rapporteur on the General Data Protection Regulation, Jan Albrecht, there are many who think the new Privacy Shield will not pass muster in front of the courts and Privacy Advocates will be rushing to challenge the new decision.
There is therefore a real risk that in the not too distant future, the Privacy Shield may be struck down like its predecessor by the Court of Justice. Companies should think carefully about whether they wish to invest the time and resources to certify under the new scheme in light of this uncertainty.
In light of the new developments, our advice to our members can be summarised as follows and is consistent with the advice we have been providing since the Court of Justice decision namely:
- Conducting an audit of any data transfers susceptible to journey via the US is crucial to determine your exposure to the Court of Justice ruling that personal data transfers to the US under the Safe Harbor scheme is illegal.
- Updating your privacy policies to highlight the existence of these data transfers, if you haven’t already, is a crucial step. The aim should be to notify as clearly as possible what data is transferred to the US, to underline the conditions under which that data is travelling, and the risks involved. It’s important that this is understood to be an indication of goodwill and shouldn’t be mistaken as a compliance measure by the organisation.
- Seeking alternatives to transfers to the US remains a useful step to consider as all transfer schemes currently in existence have proven subject to potential legal challenges.
- Where possible, partner with European-based services to execute your data processing tasks involving Europeans’ personal data as this will reduce exposure to legal problems stemming from inequivalent levels of protections that you may encounter resulting from the use of a non-EU partner. Anonymised data is not subject to restrictions and therefore it may be wise to process the data in Europe, and then send it to US entities as anonymised data sets.
- If this is not possible or practical, then the alternative mechanisms like binding corporate rules, standard model contractual clauses, and the Privacy Shield (Starting 1 August 2016) must be in place before personal data transfers from the EU to the US can take place. If you’ve already adopted one of the other alternative mechanisms it makes no sense to return to the Privacy Shield.
- If you intend to use the Privacy Shield, we recommend that partners you use for data processing be subject to an annual audit of their Privacy Shield certification along with meeting the requirements referenced above.
- It may also be useful to consider adding a safeguard clause into your contracts which allows you to require your partner to work with you to find alternatives should the Privacy Shield be subject to a new legal challenge, and should an alternative not exist, allow the termination of the partnership without any additional fees.
WE’RE HERE TO HELP YOU!
ESOMAR members may feel the need to reach out to determine whether the Privacy Shield is the right mechanism for them. The document itself can be quite daunting! That’s why ESOMAR’s Professional Standards service operates a free queries service for members which can help assist members in their reflections. Members can get in touch with our services at professional.standards@esomar.org. So if you have any questions don’t hesitate to get in touch.
Kim Leonard Smouter is Head of Public Affairs & Professional Standards at ESOMAR.