European law only permits personal data to be transferred out of the European Economic Area ("EEA") to a third country that provides an "adequate" level of personal data protection. The U.S. is not one of those countries. Therefore, companies that wish to export personal data out of the EEA to the U.S. must rely on a legally approved method. In the past, the most commonly used method was to join the U.S.-E.U. Safe Harbor program. However, in October 2015, the European Court of Justice invalidated the Safe Harbor program after determining that the program did not provide an adequate level of data protection for Europeans' personal data. The European Commission and the U.S. Department of Commerce have proposed a new framework to legalize EEA to U.S. data transfers: the "Privacy Shield."
 
Although the proposed Privacy Shield, if adopted, would impose stronger obligations on companies handling Europeans' personal data than the U.S.-E.U. Safe Harbor program did, the Article 29 Data Protection Working Party ("Working Party"), which advises the European Commission on data protection matters, has expressed concerns that the proposed Privacy Shield would not sufficiently protect Europeans' rights. The Working Party noted several concerns with the draft Privacy Shield, including that it fails to address adequately E.U. data privacy laws, the onward transfer of data from the U.S., and the U.S. Government's data surveillance practices. The Working Party also expressed concern that the proposed Privacy Shield's redress mechanisms may be overly complicated, and thus ineffective in practice. The Working Party's objections have cast doubt on whether the proposed Privacy Shield will be adopted, at least in its current form.
 
Given the invalidation of the Safe Harbor program and the uncertain future of the Privacy Shield, companies moving personal data from the EEA to the U.S. have had to utilize other means to legitimize such transfers, including standard contractual clauses ("SCCs"). SCCs are model contractual clauses which the European Commission has approved as providing "adequate safeguards" to permit the transfer of personal data outside the EEA to a country without an "adequate" level of personal data protection. A company can use SCCs to transfer data out of the EEA by incorporating the SCCs into its contracts with its vendors verbatim. However, it is possible the SCCs will be facing re-examination in the near future as well.
 
Though the Privacy Shield may not be enacted, at least in its currently proposed form, it still may be helpful to understand the proposed Privacy Shield and how it would compare to the SCCs as businesses work to consider their options for data transfers in the future. Moreover, if the proposed Privacy Shield is adopted without changes (and there are no changes to the SCCs), the table below, which lists ten factors a company may wish to consider if deciding whether the proposed Privacy Shield or the SCCs would be better suited for the company, will have considerable relevance. The following is intended to be informational and is not legal advice, and, once again, is only applicable in the form below if both of the following occur: (i) the proposed Privacy Shield is enacted without changes, and (ii) there are no changes to the SCCs.
 
1. Initial Certification
 
Proposed Privacy Shield
- To join the Privacy Shield program, an organization would need to self-certify to the Department of Commerce that it meets four requirements: (1) it must fall under the ambit of a U.S. agency that can enforce compliance such as the Federal Trade Commission (the "FTC"), (2) it must publicly state its commitment to follow the Principles (as detailed below), (3) it must make its privacy policies public and (4) it must implement the Principles
- The Privacy Shield Principles are (1) notice, (2) choice, (3) accountability for onward transfer/vendor agreements, (4) security, (5) data integrity and purpose limitation, (6) access, and (7) recourse, enforcement, and liability
Current SCCs
- If using SCCs, there is generally no need for national authorization to transfer personal data out of the EEA
- However, certain countries (e.g., Austria, France, Ireland, Spain) maintain a licensing system where the European national Data Protection Authority ("DPA(s)") compares the clauses contained in the contract with the SCCs to verify that no changes have been made before data transfer is permitted
2. Ongoing Compliance
Proposed Privacy Shield
- Companies would need to certify their compliance with the Privacy Shield annually with the Department of Commerce.
- The Department of Commerce and other U.S. agencies would have the authority to monitor and police ongoing compliance with the Privacy Shield
Current SCCs
- There is no requirement to self-certify to an independent body annually
- Once the SCCs have been adopted, there is no need to update them each year
3. Subcontracting
Proposed Privacy Shield
- The Privacy Shield would not require the adoption of any clauses verbatim between the parties or between the data processor (i.e., the party that is processing the personal data) and its subprocessors
Current SCCs
- If the parties incorporate the SCCs into the contract verbatim, no further approval is generally required to transfer data to processors or subprocessors
- Though the parties can modify the SCCs, the parties will need to seek approval from the relevant DPA before using the modified SCCs
- The SCCs must be incorporated and flow down into all relevant downstream contracts (e.g., the contract between the data processor and each of its subprocessors)
4. Enforcement
Proposed Privacy Shield
- The Privacy Shield could be enforced by numerous bodies including the Department of Commerce, the FTC, other U.S. statutory bodies, independent dispute resolution entities, the Privacy Shield Panel and, in some cases, the DPA
Current SCCs
- The SCCs can be enforced by the data subject and DPAs, but not the multitude of other organizations that would have the authority to enforce the Privacy Shield
5. Data Subjects Rights of Redress
Proposed Privacy Shield
- The Privacy Shield would place more specific obligations on companies for complaint handling and redress for data subjects than the SCCs
- Self-certifying organizations to the Privacy Shield would be required to:
  - Respond to a data subject's complaints within 45 days;
  - Provide a response to the data subject that includes an assessment of the complaint's merits, and if the complaint has merit, information as to how the organization will rectify the problem;
  - Designate an independent dispute resolution body in the E.U. or the U.S. to investigate and resolve individual complaints and provide recourse, free of charge to the data subject;
  - Respond promptly to requests for information from the Department of Commerce detailing its compliance with the Principles;
  - Retain accurate and complete records on its privacy practices and provide such records to the FTC or an independent recourse mechanism upon request;
  - Cooperate with DPAs in the investigation and resolution of complaints concerning the processing of human resources data
Current SCCs
- The data subject is a third-party beneficiary of the SCCs and can enforce the SCCs against the parties
- The data subject can refer any dispute to mediation or to the courts of the member state in which the data controller, processor, or sub-processor is established
6. Transparency/Publicity
Proposed Privacy Shield
- Companies would need to provide a copy of the privacy provisions in their contracts to the Department of Commerce on request
- The Department of Commerce would have the right to publish the names of organizations removed from the list of Privacy Shield certified organizations as well as the reasons for removal
Current SCCs
- Companies must deposit a copy of their contracts with the applicable supervisory authority upon request or if required by European national law
- There is no public list of non-compliant organizations
7. Stability (at least for now)
Proposed Privacy Shield
- As noted throughout this document, it is not clear whether the Privacy Shield will be enacted
Current SCCs
- Unless they are changed, the SCCs are an existing preapproved method for legally transferring personal data from the EEA to a non-adequately protective country. Data transfers legitimized via the SCCs will not be shut down before the new Privacy Shield goes into effect (if it goes into effect)
8. Implementation
Proposed Privacy Shield
- Participants in the Privacy Shield program would not need to negotiate set clauses throughout all the relevant contract relationships and, therefore, the Privacy Shield would potentially be easier to implement than the SCCs for certain companies
- However, participants would still need to ensure that they are complying with the Privacy Shield's requirements
Current SCCs
- As the SCCs are already a preapproved transfer mechanism, they can be quickly implemented as long as a party does not use many subprocessors
- However, the SCCs may not make sense for organizations that commonly contract with subprocessors who cannot or will not agree to comply with the SCCs
9. Protections Against U.S. Government Surveillance
Proposed Privacy Shield
- Inextricably linked to the Privacy Shield discussions are the EU's concerns about U.S. Government surveillance on European citizens. Passage of the Judicial Redress Act (which became law in the U.S. on February 24, 2016) is an important step in moving the Privacy Shield forward and may impact the final text of the Privacy Shield. The Judicial Redress Act gives non-U.S. citizens certain rights to bring civil suits against the U.S. for alleged privacy violations and also gives them certain rights that U.S. citizens have under the Privacy Act of 1974
Current SCCs
- The SCCs do not address the issue of U.S. Government surveillance of E.U. citizens
10. Flexibility
Proposed Privacy Shield
- The Privacy Shield may offer organizations more flexibility, as any changes in compliance requirements would not likely require substantial amendment to existing contracts
Current SCCs
- If revised, it may become necessary to amend existing contracts to include the revised SCCs, which may be onerous for companies with numerous subprocessors
- Additionally, as the SCCs are set clauses that cannot be changed without the approval of the appropriate DPAs, it is difficult for the parties to tailor them for the specifics of the applicable transaction
If the proposed Privacy Shield is enacted without changes and there are no changes to the SCCs, whether a company should choose to use the SCCs or the Privacy Shield would depend heavily on the facts and circumstances relevant to its specific situation. Also, please note that there are other means of legally transferring personal data from the EEA to the U.S., including binding corporate rules, which are not covered in this Top Ten List. As a result, before choosing a compliance regime, it is important to seek counsel in light of the specifics of your situation and to stay abreast of the rapidly changing data privacy landscape in Europe.
 
This list was prepared by Arent Fox. For more information on Arent Fox, go to www.arentfox.com. If you have any questions, please contact:
 
Alan Fishel
Partner
Arent Fox LLP
202.857.6450
 
or
 
Eva Pulliam
Associate
Arent Fox LLP
202.857.6323
 
or
 
Charlyn Ho
Associate
Arent Fox LLP
202.350.3614
 
or
 
Nicholas Lawson
Associate
Arent Fox LLP
202.350.3706