As we previously discussed, the GDPR sets forth new regulations governing the cross-border transfer of personal data. For U.S. companies that might fall within the GDPR’s scope, one particular concern regarding cross-border data transfers is how the GDPR affects the applicability and enforcement of the EU–U.S. Data Privacy Shield, which is the current mechanism by which U.S. companies can comply with EU data protection regulations. While continued adherence to the Privacy Shield will permit companies to engage in cross-border data transfers under the GDPR, the Privacy Shield does not exempt these companies from the GDPR’s other requirements.
The Privacy Shield
The Privacy Shield is a self-certification system adopted by the European Commission to permit U.S. companies to receive transfers of personal data from the EU in compliance with the Data Protection Directive. The Commission enacted the Privacy Shield on July 12, 2016 pursuant to Article 25(6) of the Directive, which permits the Commission to determine whether a third country receiving transfers of personal data can ensure an “adequate level of protection.” The Commission explained that the Privacy Shield’s predecessor, the International Safe Harbor Privacy Principles (also known as the Safe Harbor Framework), needed to be revisited to ensure compliance with the “adequate level of protection” standard. The Commission determined that the Privacy Shield, with its additional compliance obligations, would provide more robust protections for EU individuals and their data in the United States.
The Privacy Shield permits companies to certify with the U.S. Department of Commerce that they will adhere to a set of privacy principles (the “Principles”):
- Notice – organizations are obliged to provide 13 enumerated items of information to data subjects on a number of key elements relating to the processing of their personal data. This information must be provided in “clear and conspicuous” language to data subjects when they are first asked to provide personal information or as soon thereafter as is practicable.
- Data Integrity and Purpose – organizations are not permitted to process personal data in a way that is incompatible with the purposes for which it has been collected or authorized by the data subject. Certain enumerated purposes are considered compatible, depending on the circumstances. Organizations must also ensure that relevant personal data is reliable for its intended use, accurate, complete, and current.
- Choice – organizations must offer data subjects the opportunity to opt out of the disclosure of their data to third parties, or of its use for a purpose “materially different” from the original purpose for which it was collected or authorized. For information considered to be sensitive, organizations must also obtain “affirmative express consent,” or opt-in permission, if that information is to be disclosed to a third party or used for a purpose other than that for which it was originally collected or authorized.
- Security – organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
- Access – organizations must permit data subjects to access and retrieve their personal data; this right can only be restricted in exceptional circumstances. Data subjects also have the right to correct, amend, or delete inaccurate personal data or if the data has been processed in violation of the Principles.
- Recourse, Enforcement and Liability – organizations must provide data subjects with robust recourse in the event of non-compliance with the Principles. These dispute-resolution mechanisms include: (i) an “independent recourse mechanism,” essentially a free-of-charge mediation service; (ii) the opportunity for data subjects to file claims directly with their relevant data protection authorities; and (iii) binding arbitration.
- Accountability for Onward Transfer – organizations can only engage in onward transfers of personal data to a third-party controller or processor (i) for limited and specified purposes, and (ii) on the basis of a contract, and only if that contract provides the same level of protection as the one guaranteed by the Principles.
A self-certifying organization must also agree to be subject to investigation and enforcement by the Department of Transportation and the Federal Trade Commission, which can also monitor compliance through the use of consent orders. If an organization agrees to adhere to the Principles and enumerated enforcement mechanisms, it is considered to have adequate data protection and can therefore engage in data transfers with the EU.
The Privacy Shield and GDPR
While the United States still has not been recognized by the Commission as a third country that meets the “adequate level of protection” standard, the GDPR indicates that the Privacy Shield will continue to permit organizations to meet that standard, at least for now.
The GDPR does not explicitly address the Privacy Shield. However, Article 45 of the GDPR, which regulates cross-border data transfers on the basis of adequacy decisions, notes that decisions adopted by the Commission on the basis of Article 25(6) of the Directive “shall remain in force until amended, replaced, or repealed” by a later decision of the Commission. As the Commission adopted the Privacy Shield in specific consideration of Article 25(6) and has not yet altered the Privacy Shield’s applicability, its procedures remain in force. Therefore, organizations that comply with the Privacy Shield’s requirements may still obtain “adequate level of protection” status.
While the Privacy Shield remains in effect, cross-border data transfers are just one of many issues regulated by the GDPR. Companies that fall under the GDPR’s scope may have additional compliance obligations, such as the appointment of a data protection officer or special requirements for the handling of specific categories of personal data. Further, the language of Article 45 makes clear that the Commission may decide at any point to revisit the Privacy Shield if it believes that it no longer affords an “adequate level of protection” to data transfers directed toward the U.S. In fact, on November 28, 2017, the Article 29 Working Party released its first annual review of the Privacy Shield and expressed its concern over “a number of important unresolved issues” with the Privacy Shield, including a “lack of guidance and clear information” on the Principles. The Working Party also recommended specific improvements to the Privacy Shield’s mechanisms, including improved cooperation between U.S. authorities involved with the Privacy Shield.
For now, the Privacy Shield remains in effect under the GDPR. Therefore, U.S. companies involved in cross-border data transfers with the EU should still consider self-certification under the Privacy Shield, as it affords companies “adequate level of protection” status. These companies, however, should remain mindful of recent concerns raised by the Commission regarding the Privacy Shield’s effectiveness and should stay abreast of EU regulatory developments that may potentially amend, replace, or repeal the Privacy Shield’s regulatory mechanism.