On July 12, 2016, the European Commission formally issued its adequacy decision endorsing the EU-US Privacy Shield, following the approval of the deal by the Article 31 Committee on July 8. Although the European adequacy decision has immediate effect, U.S. organizations will not be able to take advantage of the Privacy Shield until the U.S. Department of Commerce begins accepting self-certifications, on August 1.
The Department of Commerce has issued guidance to companies wishing to self-certify under the Privacy Shield. Only U.S. organizations subject to the jurisdiction of either the Federal Trade Commission or the Department of Transportation will be eligible for self-certification. This will exclude some organizations, such as banks and telecommunications companies, which are outside the jurisdictions of those agencies.
Eligible organizations that wish to self-certify should carefully review the guidance as well as the seven framework principles and the sixteen supporting principles (the “Principles”) that they must commit to adhere to. Although participation in the program is voluntary, once made, the commitment to adhere to the Principles will be enforceable under U.S. law.
Many of the Principles will be familiar to U.S. organizations that have previously participated in the former Safe Harbour regime, although they have now been elaborated in more detail, creating new compliance obligations. There are some significant practical differences in the new model, including an obligation for organizations to provide access, at no cost to the individual, to an independent recourse mechanism, stricter limitations on onward transfers to third parties (including service providers)
Organizations should be cautious about any representations that suggest compliance with Privacy Shield if the organization has not formally self-certified. The FTC has recently issued a number of warning letters to organizations it alleges are claiming compliance with the APEC Cross-Border Privacy Rules system without actually meeting the certification requirements. Moreover, the U.S. government has formally stated in a letter to the European Commission that it intends to actively police false claims of participation in the Privacy Shield program.
Legal Challenges Likely
Legal challenges to the Privacy Shield framework are probably inevitable. For example, Max Schrems, the Austrian whose successful challenge invalidated the previous Safe Harbour regime (see our previous articles), apparently intends to challenge the Privacy Shield as well.
The Article 29 Working Party had expressed some skepticism of a previous draft of the Privacy Shield. The deal was then strengthened at the negotiating table to address concerns relating to bulk data collection, the independence of the Privacy Shield Ombudsperson mechanism for review of complaints about state access to personal information, and data retention.
Even after these enhancements, it is perhaps unclear whether the proposed Ombuds mechanism would qualify as a means of “redress”, as that concept has been described by the CJEU. The terms of reference provide only that the Ombudsperson will “respond” to the complaint, in one of two ways: to confirm either that relevant safeguards provided by U.S. law were complied with or, if that is not the case, that the non-conformance has been remedied. The Privacy Shield Ombudsperson will expressly not be permitted to report on any remedial action taken. Nor will the mechanism involve any possibility of access to, rectification of, or erasure of, any personal data in the hands of any state actors. As the Commission noted in the adequacy decision, these were explicit requirements set out by the CJEU in the Schrems decision.
In response, the new adequacy decision simply states that “The Commission’s assessment has confirmed that such legal remedies are provided for in the United States, including through the introduction of the Ombudsperson mechanism.” [See para. 124.]
It remains to be seen whether the CJEU agrees with this assessment. Until such a decision has been rendered, the Privacy Shield mechanism may offer less stability than most organizations would prefer. Moreover, the mechanism will be subject to annual reviews and the obligations it imposes may be subject to further elaboration over time.
Alternatives to Privacy Shield
U.S. organizations which do not wish to, or are not eligible to, participate in the Privacy Shield self-certification program can instead continue to rely on other mechanisms recognized by European law, including Standard Contractual Clauses (although these are themselves currently subject to a challenge and reference to the CJEU) or Binding Corporate Rules.
GDPR on the Horizon
All of this must also be assessed in light of the new General Data Protection Regulation (GDPR), set to come into force in the EU in 2018. The GDPR will impose significant new obligations on data processors (including some data processors located outside of the EU) including record keeping, data security, and breach notification obligations. Non-European data processors who offer goods and services to individuals in the EU, or who monitor the behavior of individuals in the EU, may be directly liable for fines up to € 20 M or 4% of annual global revenues.
Organizations will have to consider how they will respond to the new GDPR obligations whether or not they self-certify under the Privacy Shield. Furthermore, the GDPR also tightens the rules by which the “adequacy” of foreign laws respecting the protection of personal information must be assessed. This raises the spectre of further challenges to (or evolutions of) the Privacy Shield itself in the future.
Implications for Canadian Organizations
Canada’s privacy laws were endorsed in 2001 as adequate in a separate decision of the EC. This decision was not directly affected by the Schrems decision and it remains in effect.
However, there has been some speculation that the Privacy Shield has effectively raised the bar and that Canada’s laws may be subject to new scrutiny. The Canadian adequacy decision is scheduled to be reviewed as part of a larger review, which is not due until 2020, but a review could be triggered at any time by a direct challenge.
To date, there have been no suggestions of any particular changes to Canadian privacy legislation that might be considered to strengthen the case for a renewed adequacy decision.
However, Canadian organizations which store or process personal information about EU citizens may wish to consider how their practices might be assessed against the Principles articulated in the Privacy Shield agreement.
In any event, they will have to consider how the GDPR may apply to them and what changes that may require, particularly in light of the significant penalties that can be assessed under the new regulation.
As a result, Canadian organizations that deal with European data will need to pay close attention to the changing global compliance landscape and should expect that they will face new compliance challenges over the next 18-24 months.
© McCarthy Tétrault LLP
Keith D. Rose is an associate in McCarthy Tétrault’s Business and Technology Law Groups in Toronto.