Transatlantic Personal Data Processing: Complying with the new EU-US Privacy Shield
In July 2016, the European Commission adopted its highly anticipated EU-US “Privacy Shield,” setting up a new data protection framework for organisations that transfer EU citizens’ personal data to the US. More than 4,000 organisations are expected to have to adapt their privacy policies and practices accordingly, and sign up to the new statutory requirements.
Key Elements of the Privacy Shield
I. Enhanced Privacy Shield Principles
In compliance with the new Privacy Shield Agreement, organisations processing personal data from EU countries will have to self-certify their adherence to the following principles:
- The Notice Principle: Companies will have to inform European citizens about the type of data they collect and the purpose of the processing. Companies will also have to publish on their website links to the relevant data protection authorities and to their chosen alternative dispute settlement provider.
- The Choice Principle: Individuals will have the right to object to the disclosure of their personal data to third parties and to opt out if they so wish. For more sensitive data, companies will have to obtain express affirmative consent from individuals.
- The Security Principle: Personal data will have to be processed under “reasonable and appropriate” security measures.
- The Purpose Limitation Principle: Data collection will be limited to the sole purpose of its original intended use. The only exceptions are archiving in the public interest, journalism, literature and art, scientific and historical research, and statistical analysis.
- The Integrity Principle: The processing of personal data will be limited to what is relevant for its intended use, and the data will have to be accurate, complete and current.
- The Access Principle: Individuals will be granted the right to access the information collected about them without needing to justify the request, and only against a non-excessive fee. They will have the right to correct, amend or delete personal information that is inaccurate or has been processed in violation of the Privacy Shield Principles.
- The Accountability for Onward Transfer Principle: Any onward transfer of personal data from a company to controllers or processors will only be possible for limited and specified purposes.
- The Recourse, Enforcement and Liability Principle: Companies will have to provide robust mechanisms to ensure compliance and effective remedies.
II. Reinforced citizens’ rights
The US Department of Commerce will monitor and verify that the affected companies apply policies in line with the Privacy Shield Principles. It will maintain an up-to-date list of organisations that have signed up to the Privacy Shield and will be responsible for removing those that have either left the arrangement or failed to comply with the principles.
Under the new agreement, any individual who considers that his or her data has been misused will have the right to lodge a complaint with:
- the company itself, which will have to reply within 45 days;
- his or her national Data Protection Authority, which will refer the complaint to the US Department of Commerce, which in turn will have to respond within 90 days; or
- an Alternative Dispute Resolution mechanism, to which US companies will have to sign up, at no cost to the individual.
The overall functioning of the Privacy Shield in the US will also be subject to an annual joint review carried out by the European Commission and the US Department of Commerce, bringing together national intelligence experts from the US and the European Data Protection Authorities.
III. Obligations of US public authorities
The Privacy Shield also sets a number of limitations and safeguards for cases where US intelligence services access EU citizens’ personal data for national security purposes. Most notably, these include the following:
- The collection of personal data for intelligence purposes will have to be authorised by statute or Presidential approval, and be in accordance with the US Constitution and law.
- Targeted (individual) data collection will be prioritised over bulk data collection, i.e. collection affecting all individuals.
- Bulk collection will only be allowed where targeted collection using discriminants is not possible, and only in six very specific situations (such as the fight against terrorism or countering activities of foreign intelligence services that could damage US interests).
- The treatment of personal data will have to take into account the fundamental principles of dignity and respect for legitimate privacy interests.
To complement these safeguards, the US authorities will establish a specific redress path for EU citizens via an Ombudsperson independent from the national security services. The Ombudsperson will follow up complaints and enquiries from EU individuals concerning national security access, and will confirm to the individual either that the relevant laws have been complied with or, in case of non-compliance, that the gap has been remedied.
Suggested Actions for Businesses
The principles-based statutory framework entails an obligation of results in terms of compliance. It reduces the uncertainty that has surrounded data processing between the EU and the US since the European Court of Justice struck down the previous legal framework, the EU-US “Safe Harbor” agreement, in October 2015. It does not, however, immunise organisations processing personal data across the Atlantic against legal action for alleged non-compliance, with direct repercussions on company reputation and exposure to negative communication campaigns vis-à-vis markets, stakeholders and public opinion in general.
To reduce this risk, and given the high sensitivity of Europeans to data privacy, organisations wishing to begin processing European citizens’ personal data in the US should consider the following actions, with a view to assessing and adapting their privacy policies and practices throughout the whole organisation and in their dealings with third-party service providers.
Actions for Business
- Assess the adequacy of your current privacy policies against the Privacy Shield Principles set out above and adapt them accordingly.
- Assess and, if necessary, revise contractual clauses with third parties that receive personal data collected by your organisation, to ensure that they provide the same level of protection as stipulated by the Privacy Shield Principles.
- Review and set up the appropriate internal governance to ensure that potential complaints from EU citizens are answered within the 45-day time limit, as well as inquiries and requests from the US Department of Commerce.
- Identify and register with an Alternative Dispute Resolution provider, which will have to be made available to European citizens at no cost.
- Register your organisation on the Privacy Shield list on the US Department of Commerce website, providing a declaration of the organisation’s commitment to comply with the Privacy Shield Principles.
- Publicise on your own website the link to your Alternative Dispute Resolution provider, together with a link to the US Department of Commerce’s Privacy Shield website.
- Monitor implementation and renew the registration every year.
Brussels, 20 July
For more specific advice on EU developments and on possible actions to be taken within your organisation, please contact:
Leonardo Sforza
Managing Director and Head EU Affairs, Brussels
Leonardo.sforza@mslgroup.com
+32 (0)2 737 92 00