IF Brexit AND Privacy Shield THEN (amend privacy notice).

If you use the EU-U.S. Privacy Shield mechanism to transfer personal data from the UK to the U.S., you will need to amend your privacy disclosure to state specifically that your Privacy Shield commitment extends to personal data received from the UK in reliance on Privacy Shield, according to new FAQs published on the Privacy Shield website.

In case of a “no-deal Brexit,” you will need to make the amendments by March 29, 2019.

In case of a “soft Brexit,” you will need to make the amendments by December 31, 2020 (the end of the “transition period”).

Sample language provided on the site is: “(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield… ”

Further details are available from the Privacy Shield website.

The European General Data Protection Regulation (GDPR) comes into force on May 25, 2018.  This gives companies only two months to prepare for and comply with the GDPR. Companies should be conducting data mapping to identify all cross-border transfers of personal data so that they can determine the best way to comply with the GDPR requirements.

The GDPR has been, perhaps, the most widely talked about privacy regulation for the past year and a half after it was approved by the EU Parliament on April 14, 2016 because of the sweeping changes it will bring to how the global digital economy operates with regard to processing personal data. GDPR will apply to all EU-based companies, irrespective of whether personal data is processed inside or outside of the EU. The GDPR will also apply to companies outside the EU that offer goods or services to individuals in the EU and/or that monitor or track the online behavior or activities of individuals in the EU.

Any transfer of personal data to a third country (a country outside the EU/EEA) can take place only if certain conditions are met by the data exporter and the data importer. If a company is transferring EU personal data outside of the EU, that company must identify a valid transfer mechanism to legally transfer that personal data. The mechanisms fall into three categories: (1) transfers within the EU and adequacy rulings; (2) appropriate safeguards; and (3) derogations.

Transfers Within the EU and Adequacy Rulings

Under GDPR, personal data can be moved between EU member states (and Norway, Liechtenstein, and Iceland) without restriction.

Cross-border transfers may also take place without a need to obtain further authorization if the European Commission determines that the third country’s body of national law ensures an adequate level of protection for personal data. The European Commission considers several factors when determining if the country has an adequate level of protection, including the specific processing activities, access to justice, international human rights norms, the general and sectoral law of the country, legislation concerning public security, defense and national security, public order and criminal law.

Appropriate Safeguards

In the absence of an adequacy determination, cross-border personal data transfers are permitted if the controller and processor use EU-approved safeguards. The most widely used safeguards are binding corporate rules, model contractual clauses, and certification mechanisms (e.g. Privacy Shield).

Binding corporate rules (BCRs) are internal codes of conduct adopted by multinational companies to allow transfers between different branches of the organization. BCRs are a favored mechanism because of their flexibility, ability for tailored customization, and a lower administrative burden once implemented.

Model contractual clauses are standardized legal terms contained in a template data transfer agreement adopted by the European Commission. Model contractual clauses can be burdensome because companies are required to enter into a new set of clauses to cover each new third party and each new purpose for processing or transfer.

Because the European Commission does not recognize the U.S. as an adequate third country, U.S. companies can comply by certifying under the EU-U.S. Privacy Shield that they meet the high data protection standards set out in the Privacy Shield.  The Privacy Shield remains subject to the same criticism that ultimately resulted in the downfall of its predecessor (Safe Harbor), that it does not fully protect the fundamental rights of individuals provided under EU privacy laws.

Derogations

In the absence of either an adequacy decision or the implementation of an appropriate safeguard, a cross-border transfer can still take place in limited circumstances, where an exception applies. These circumstances include situations where the individual explicitly consents after having been informed of the risks of data transfer in the absence of an adequacy decision and appropriate safeguards, the transfer is necessary for the performance of a contract between the parties, or if the transfer is necessary for important reasons of public interest. The permitted derogations are fact-specific and are generally not intended to be relied upon as a company’s primary transfer mechanism.

Guidance for GDPR Compliance

Transferring personal data out of the EU without a valid transfer mechanism can result in significant fines and increased regulatory oversight. Beginning on May 25, 2018, compliance with the GDPR will be essential for companies engaging in cross-border transfers of personal data.

To comply with the GDPR, companies should first identify and map all cross-border data flows.  Companies should then examine and assess for each of these flows whether the receiving country is in the EU (and Norway, Liechtenstein and Iceland) or is otherwise deemed adequate.  If not, the company should consider whether any appropriate safeguards have been put in place, and/or whether any specific derogations apply.

EU and U.S. officials finally unveiled the full text of the proposed EU-U.S. Privacy Shield framework earlier this week. The agreement is the culmination of a five-month negotiation to address European concerns regarding mass surveillance and personal data protection issues surrounding transatlantic data transfers. The Article 29 Working Party, the body of EU data protection authorities, must now review it and issue its opinion.

Privacy Shield replaces the Safe Harbor framework, which the European Court of Justice invalidated in October 2015. That decision impacted nearly 4,000 United States companies that transfer data from the EU to the United States under Safe Harbor.

Under the provisions of Privacy Shield:

  • Companies must self-certify annually that they meet its requirements
  • The U.S. Department of Commerce will monitor all registered companies to ensure that their publicly facing privacy notices reflect Privacy Shield principles
  • Companies that leave the program will still be required to follow its principles for as long as they use, maintain and store the personal data they received while they were participants
  • There will be a 45-day response period for EU consumer complaints related to mishandling personal information
  • In addition to directly contacting the company, EU consumers can submit their complaint to their data protection authority, which will coordinate with the U.S. Department of Commerce or the Federal Trade Commission to achieve a response within 90 days.
  • Companies must offer an alternative dispute resolution process for consumers and provide details on that process in their privacy notices
  • Participating companies that do not comply with the Privacy Shield framework will face sanctions, which can include fines and exclusion from the program.

The Story So Far

The origins of the Safe Harbor framework, agreed upon in July 2000, lie in the 1995 EU Data Protection Directive, which laid out seven data protection principles. Safe Harbor allowed companies to transfer data out of the EU if they annually self-certified their adherence to those seven principles. About 4,000 U.S. companies took advantage of the program as an alternative to binding corporate rules or model contractual clauses.

In October 2015, the European Court of Justice (ECJ), ruling on a complaint about Facebook’s transfer of data from the EU back to the U.S., held that Safe Harbor did not adequately protect EU citizens’ privacy rights under the EU Data Protection Directive and invalidated it. The case arose in response to Edward Snowden’s revelations about the NSA’s PRISM program.

Shortly thereafter, EU authorities announced they would suspend enforcement campaigns against Safe Harbor-certified U.S. companies until February 2016, but reserved their rights to enforce the Data Protection Directive in the event that a replacement was not implemented before that deadline.

Enter the Judicial Redress Act, Stage Left

Meanwhile, the U.S. Senate began negotiating the terms of the Judicial Redress Act – a bill that would allow EU citizens to pursue a private right of action for misuse of their personal data that occurs in the U.S. While the Act falls short of providing the same level of protections EU citizens enjoy in their own countries, it does more closely align those protections, allowing some level of comfort for EU officials.

The U.S. House of Representatives passed its Judicial Redress bill in October 2015, shortly after the ECJ’s decision. The bill was expected to pass the Senate in early 2016, but an 11th-hour amendment limited the right to sue to citizens of countries that permit data transfers for commercial purposes to the U.S. and do not impose personal data transfer protections that impede U.S. national security interests. That amendment stalled discussions between the U.S. and the EU days before the February deadline. The parties nevertheless reached agreement on Privacy Shield before Congress finalized the privacy legislation, which meant that the EU had to wait to see whether the U.S. would follow through on its promise to provide privacy protections to EU citizens.

The Senate voted on, and passed, the amended version of the Judicial Redress Act, which allowed both houses to consolidate and pass it. The finalized bill was sent to President Obama’s desk in mid-February and he signed it into law on February 24.

What’s Next?

The European Commission submitted the Privacy Shield text to the EU data protection authorities. The DPAs will convene in April to review it and announce their position. While their position will not be legally binding, it will be highly influential and could set the stage for the ECJ’s inevitable review of the framework. If the ECJ finds that the agreement fails to adequately protect EU citizens and their right to privacy, the Commission and the U.S. will likely have to renegotiate and rewrite it. The uncertainty prior to any such review may lead to greater demand for U.S. companies to implement binding corporate rules or model contractual clauses to transfer personal data out of the EU. Additionally, many U.S. companies have already been exploring projects to create local data infrastructure in the EU, which may become necessary if Privacy Shield is never approved.