European Union: A Fragile Shield? Managing The Risks Of EU-U.S. Data Transfer

Co-authored by Andrew Kimble, Bond Dickinson

On July 12, 2016, the European Commission formally adopted "Privacy Shield" to govern EU-U.S. personal data transfers and to provide EU data subjects with meaningful recourse should they have grounds to complain about the handling of their data.

Privacy Shield was negotiated as an urgent replacement for the Safe Harbor regime, which was struck down by the European Court of Justice (ECJ) in October 2015 following a challenge by privacy campaigner Max Schrems. Although formally adopted, Privacy Shield is itself likely to face challenge from Schrems and others who consider it an inadequate response to the ECJ's objections. Meanwhile, EU Standard Contractual Clauses (the "Model Clauses") – which are another mechanism by which personal data can be lawfully exported outside the EU – are also on their way to the ECJ following a referral decision by the Irish data protection regulator. This combined uncertainty means that organizations must consider contingency plans and fall-back positions to ensure that personal data transfers from the EU to the U.S. remain lawful and uninterrupted.

On both sides of the Atlantic, ensuring that personal data can lawfully flow as part of business-critical processes requires close monitoring and well-advised responses to a rapidly evolving situation. Our Privacy and Data Protection Team experts have been discussing the issues with their counterparts in our UK strategic partner firm Bond Dickinson to highlight areas where specific advice and collaborative thinking will be needed. Here are their thoughts.

What Are the Key Practical Issues?

  • Should U.S. organizations self-certify for Privacy Shield?
  • If so, when?
  • Should self-certification for Privacy Shield replace or be an additional measure to the use of Model Clauses?
  • What steps should EU organizations take to protect themselves against a successful challenge, whether to Privacy Shield or the Model Clauses?
  • What can we say, at this stage, about the "Brexit effect"?

Is Privacy Shield Vulnerable to Challenge?

Privacy Shield is likely to be challenged. The European Commission's decision addressed a number of points raised in the ECJ's Schrems judgment, including intelligence safeguards regarding bulk collection of data and the creation of a new U.S. Government Ombudsperson with whom data subjects can file complaints about data accessed or used for national security purposes. However, Max Schrems and other EU privacy campaigners remain unconvinced that Privacy Shield adequately protects the privacy of personal data transferred from the EU to the U.S.

There are other potential issues with the Privacy Shield. The Privacy Shield is founded on commitments given by the current U.S. administration; it remains to be seen whether a change in administration in January 2017 would have any impact on those commitments, although the Privacy Shield, and the greater certainty it may bring to businesses for personal data transfers, has enjoyed broad support within the U.S. business community, including the U.S. Chamber of Commerce and other business groups. The Privacy Shield will also need review prior to the application of the new European General Data Protection Regulation in May 2018 and amendments or further challenges may arise as a result.

The real risk of renewed legal challenge is undoubtedly a factor when considering whether, or when, to incur the compliance costs related to Privacy Shield. Self-certification is due to open on August 1, 2016, but in our view it would be prudent (at least for the time being) to keep Model Clauses in place even if self-certifying because of the foreseeable risk of a challenge to Privacy Shield. There are still advantages to self-certifying (even if an organization maintains its Model Clauses). For instance, being a member of Privacy Shield makes it easier to receive personal data from another Privacy Shield member and the Privacy Shield certification will undoubtedly signal an organization's commitment to privacy (even if the scheme itself is challenged).

For U.S. organizations, there may be an incentive to self-certify early where personal data is likely to be transferred to third parties, including sub-processors. Organizations that self-certify within two months after August 1, 2016 will have the benefit of a nine month grace period to bring their pre-existing third party commercial relationships into compliance with the Onward Transfer Principle. Whether that grace period is a sufficient incentive for early registration depends, in part, on the balance between:

  • The financial and time costs of self-certification,
  • The commercial benefits of early certification, and
  • The possibility that Privacy Shield will prove to be as vulnerable as Safe Harbor to a legal challenge in the EU.

As a practical matter, U.S. organizations might reasonably conclude that self-certification under the Privacy Shield makes sense as an addition to, but not as a complete and immediate replacement for, the use of Model Clauses. The outcome of the Model Clauses referral to the ECJ is unlikely to be known for another 18-24 months, and in the interim their continued use might at least temporarily be a more straightforward and a cost-effective basis for EU-U.S. personal data transfers than rushing to self-certification. However, should the Model Clauses be struck down, then it would be strongly in the interests of U.S. organizations already to have gone through, or to be sufficiently advanced in the process of self-certification, to minimize the risk of business interruption.

For EU organizations with no control over the outcome of the ECJ challenges there are practical measures that can be taken. Organizations could choose to avoid transferring personal data to the U.S. (although in some circumstances this may not be feasible). Alternatively, EU organizations can protect themselves by ensuring that they have in place contractual provisions allowing them to:

  • Review, and if necessary amend, the terms of the transfer of personal data should challenges to either the Privacy Shield or the Model Clauses succeed, or
  • Terminate data transfer arrangements relying on those transfer mechanisms if successfully challenged, and seek a viable replacement.

However, it may be difficult in practice to obtain those contractual commitments (for example, when dealing with large public cloud providers).

Assessing the Cost: What are the Key Differences Between Safe Harbor and Privacy Shield?

Any organization considering self-certification under Privacy Shield must be fully aware of the points at which Privacy Shield follows or differs from Safe Harbor.

Like Safe Harbor, Privacy Shield is based on self-certification by U.S. organizations. Self-certification carries a commitment to comply with the Privacy Shield Principles, but Privacy Shield has significantly strengthened the Safe Harbor principles. For example:

  • Notice: privacy policies must be made public, and must (if online) contain hyperlinks to the Department of Commerce's website and Privacy Shield list of self-certified companies, along with details of the recourse mechanisms available for data subjects.
  • Security and Onward Transfer: U.S. organizations must have a written contract with onward recipients of personal data guaranteeing the same level of protection as provided by the Principles and must take steps to ensure its proper implementation.
  • Recourse Mechanisms: The U.S. organization must put in place an effective recourse mechanism to deal with a complaint received from an EU data subject. Data subjects can now bring a complaint of non-compliance:

    • Directly to the U.S. organization concerned;
    • To an independent dispute resolution body designated by the U.S. organization to resolve such complaints; or
    • To a national data protection authority, the U.S. Department of Commerce, or the U.S. Federal Trade Commission (FTC).

There is also a final recourse available to data subjects of binding arbitration by a "Privacy Shield Panel".

Further key new requirements under the Privacy Shield are discussed in our July 12, 2016 Client Alert about the Privacy Shield.

Assessing the Cost: What is the Process for Self-Certifying Under Privacy Shield?

To join Privacy Shield, a U.S. organization must:

  • Self-certify annually its agreement to the Privacy Shield Principles. This self-certification is enforceable under U.S. law by either the FTC or the U.S. Department of Transportation (DOT). Any organization subject to either FTC or DOT jurisdiction is eligible to self-certify.
  • Identify the independent recourse mechanism it will make available to EU data subjects.
  • Develop a Privacy Shield-compliant Privacy Policy Statement that is publicly available and effective before self-certification.
  • Create a program to verify compliance, either by self-assessment tools or by third party assessment.
  • Designate an organizational Privacy Shield contact person, whether the corporate officer certifying compliance or another representative, such as the Chief Privacy Officer.

Clearly, taking those steps requires a considerable commitment of time and employee resources, and also requires board or senior-level engagement to ensure that policies and procedures are both formally adopted and have sufficient buy-in and management backing to ensure consistent and successful implementation in practice. In particular, U.S. organizations must decide whether to design and implement an internal verification program or to outsource that function to third party consultants.

Organizations electing to design their own program will have to factor in the opportunity cost in terms of management and other key personnel time/resource to ensure that the program is designed and implemented as efficiently as possible. For organizations that opt for third party verification, there is likely to be something of a race, and could perhaps be a bit of a price war, as suitably qualified and experienced experts are snapped up by eager corporate clients.

The Brexit Effect?

Of course, the impact of Brexit must also be considered. On June 23, 2016, the UK voted to leave the European Union. The precise terms and timing of that withdrawal will determine what steps, if any, need to be taken to replace or replicate Privacy Shield.

It is possible that UK withdrawal from the EU might involve signing up to an alternative basis for access to the single market – for example, joining the European Economic Area (EEA). As a condition of EEA membership, the UK might be required to accept obligations (such as free movement of labor, capital and goods), but as a result might be entitled to benefit from the EU's international agreements, including Privacy Shield.

UK withdrawal from the EU could, alternatively, be far more substantial and complete. The mechanism for UK withdrawal would be implementation of Article 50 of the Lisbon Treaty. Once triggered, Article 50 begins a two year process within which the EU and the departing State might negotiate terms to moderate the impact of withdrawal. However, if no agreement is in place before the final withdrawal date then EU Treaties and laws cease to apply to, or to benefit, the departing State. In that case, the UK would have to consider how best to preserve the benefit of mechanisms such as Privacy Shield.

At its simplest, the UK response might be to recognize Privacy Shield as a mechanism providing adequate protection to data subjects, on the basis that if it is good enough for EU data subjects then it must also be good enough for those in the UK. However, there may be a need for an additional layer of direct agreement between the UK and U.S. to ensure that the recourse and enforcement mechanisms provided under Privacy Shield are equally available to UK data subjects; Privacy Shield would need to be amended since, by its terms, it only covers transfers of personal data from the EU and the current EEA member states (Iceland, Liechtenstein and Norway).

Brexit is already proving to be an extremely complex, and probably a protracted, process. Given the business-critical importance of lawful and uninterrupted data flows between the UK and U.S., it will be an issue requiring close attention and ongoing discussion between our data law experts.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
