The much-awaited Department of Commerce (DOC) self-certification process for Privacy Shield, the replacement to the Safe Harbor Framework, opened on August 1st. The European Union approved the EU-U.S. Privacy Shield last month, which provides a streamlined method for the lawful transfer of EU citizens’ personal data to the US. The Privacy Shield was necessary after the EU’s ruling in the Schrems v. Data Protection Commissioner (Case C-362/14) case invalidating the previous Safe Harbor provisions. For parties involved in US-based litigation with potentially relevant data stored in Europe, filing for self-certification is essential in order to legally transfer data to the US.
There are several points law firms and corporations should know about the Privacy Shield. It provides for a tighter, more transparent process for trans-Atlantic data transfers in 3 areas:
1. Businesses in the commercial sector. The US DOC will conduct periodic reviews of data privacy practices of organizations who self-certify. Organizations who fail to comply with Privacy Shield mandates are subject to sanctions, including fines and exclusion from the Privacy Shield program entirely. Going forward, more robust rules apply to data transfers, including the following:
- Companies are required to reply to individual complaints within 45 days
- The EU Data Protection Authorities and the US DOC and FTC must work together to ensure resolution of open complaints
- A free arbitration mechanism has been created to ensure enforceable decisions on individual complaints.
2. Monitoring of the government sector. There are restrictions on surveillance by the US government enforceable by written commitments, including a provision that there will be no blanket or mass surveillance. A company can report the number of government access requests it receives (called a transparency report). In addition, the Privacy Shield provides for appointment of an independent ombudsperson for complaint resolution.
3. Annual Joint EU-US Review Protocol. The EU and US will monitor the effectiveness of the Privacy Shield, including as it relates to data access for national security and law enforcement purposes. In addition, both parties will conduct an annual privacy summit with EU non-government organizations and other stakeholders on developments in US privacy law as it impacts Europeans.
4. The Privacy Shield provides a simplified means for self-certified organizations to legally receive personal data from other Privacy Shield participants. It is preferable to other lawful methods of data transfer, which include using Standard Contractual Clauses approved by the European Commission and Binding Corporate Rules developed by the EU Article 29 Working Party.
Nonetheless, there are potential burdens for US businesses. Each EU member state has to implement the Privacy Shield, which could result in stricter, inconsistent data protection rules across EU member states. In addition, the Privacy Shield is still subject to challenge in the European Court of Justice (ECJ), which could lead to a ruling of invalidity, just like the Safe Harbor Framework was invalidated in the Schrems case. That matter involved personal data stored on Facebook’s Ireland-based server and subsequent transfers of that data to the National Security Agency, as revealed by Edward Snowden. The case resulted in a perception in the EU that the US intelligence community has no regard for privacy rights of EU citizens. The Privacy Shield by itself may not change that opinion; however, the recent Microsoft decision could help matters.
On July 14, 2016, just two days after the European Commission approved the Privacy Shield, Microsoft won an appeal to the US Court of Appeals for the 2nd Circuit. In this case, Microsoft resisted a government warrant issued under the Stored Communications Act for a customer’s email stored on one of its servers in Ireland. The Court ruled that the Stored Communications Act does not authorize US courts to issue and enforce warrants against US‐based service providers for the seizure of customer data that is stored exclusively on foreign servers. This decision–and its close proximity in time to the EU’s approval of Privacy Shield–should serve to underscore the US’ Privacy Shield commitment to respecting the privacy of EU citizens and will hopefully aid in withstanding challenge in the ECJ.
All parties involved in US-based litigation with potentially relevant data stored in Europe should self-certify as of August 1st in order to lawfully transfer and share data with all Privacy Shield participants. This includes all entities handling data transfers.
If you are involved in litigation that will require trans-Atlantic data transfers, contact us for a litigation support consultation.