In 2013, Edward Snowden came to international attention after revealing thousands of classified NSA documents to the public. Snowden’s revelations provided a glimpse of the scope and magnitude of the U.S. government access to personal data. This undermined the International Safe Harbor Privacy Principles which have served as the framework enabling the flow of personal data from the EU to the US since 2000.

As part of Snowden’s revelation, it was revealed that Facebook, among other US corporations, were forced to provide US government authorities with access to their personal information, including EU user data (in what is known as the NSA’s PRISM surveillance program). In light of this revelation, Max Schrems, an Austrian privacy activist, filed a complaint against Facebook with the Irish data protection commissioner, alleging that Facebook’s transfer of his personal data from Ireland (where Facebook’s EU headquarters are located) to Facebook’s global headquarters in the United States, does not adequately safeguard his personal information, and is therefore in breach of the EU Data Protection Directive.

In order to understand the merits of Schrems’ complaint, it’s essential to comprehend that, according to the EU Data Protection Directive (Directive 95/46/EC), the transfer of the personal data of EU citizens to a country outside of the EU is permitted only if the receiving party provides an “adequate level of protection” to the personal data of EU citizens’. On a side note, it should be mentioned that the foregoing principal remains generally unchanged in the new General Data Protection Regulation (Regulation (EU) 2016/679).

The “Safe Harbor” framework is generally a set of principles that US companies must comply with and successfully implement in their procedures in order to be “self-certified”, and hence be considered as providing an “adequate level of protection” allowing them to transfer personal data from the EU to the US.

The Irish Data Protection Commissioner dismissed Schrems’ complaint without investigating its merits, on the grounds that Facebook has successfully “self-certified” pursuant to the Safe Harbor Framework and is therefore permitted to transfer personal data from the EU to the US, all the more so since the “Safe Harbor” was allowing the use of EU personal data for “national security” or “law enforcement” purposes.

Schrems was not satisfied with the dismissal of his complaint, specifically since it was rejected without even investigating its merits, so he filed a judicial review against the Commissioner’s decision with the Irish High Court. (The full text of the request for judicial review can be found here: http://europe-v-facebook.org/JR_Grounding_Documents.pdf).

The Irish High Court stayed its proceedings and decided to apply to the Court of Justice of the European Union for a preliminary ruling regarding whether national data protection authorities are permitted to conduct investigations concerning the adequacy of data protection in third countries. Or, on the other hand, are they prohibited from doing so once the European Commission determines the adequacy of data protection in a third country pertaining to the “Safe Harbor”?

On October 6, 2015, the Court of Justice of the European Union rendered its judgement, stipulating that while only the Court of Justice has jurisdiction to declare an EU act invalid, national supervisory authorities have full authority to independently examine whether a transfer of personal data to a third country was carried out in compliance with the requirements of EU legislation, including with the “Safe Harbor” scheme. More importantly, the Court of Justice declared the “Safe Harbor” invalid due to the fact that the framework enables interference with the fundamental rights of EU citizens by US public authorities, as well as compromising the essence of the fundamental right to effective judicial protection (Click for full text of the judgment.)

Post Safe Harbor and Pre Privacy Shield

The “Safe Harbor” framework was a common tool used by US companies to carry out personal data transfer from the EU to the US, so it is safe to say that the invalidation of the “Safe Harbor” framework produced a lot of confusion and ambiguity in the market. In the post “Safe Harbor” days, US companies were left to find alternative mechanisms for EU-US data transfer, such as Binding Corporate Rules and Standard Contractual Clauses, albeit these did not fit with the procedures of all companies and required extensive adaptations from some, and hence did not constitute as appropriate alternatives in all cases.

On 2 February 2015, the EU Commission and the US reached a political agreement regarding a new framework to replace the invalidated “Safe Harbor”, which was translated to a public draft published by the EU Commission on 29 February 2016. On 8 July 2016, the final version of the EU-US Privacy shield was approved by EU members’ states, and the EU Commission formally adopted it on July 12, 2016, with immediate effect.

The EU-US Data Privacy Shield

The EU-US Privacy Shield is based on a similar mechanism as the former “Safe Harbor” framework – a system of “self-certification” by which US organizations are required to commit annually that their data collection and transfer activities are carried out pursuant to a set of privacy principles.

It is worth mentioning that the Privacy Shield applied to both data controllers and processors. However, processors are required to operate pursuant to a binding contract with an EU data controller, according to which the processor must act only on instructions from the EU controller and provide any necessary assistance in responding to data subjects’ inquiries regarding their rights.

Here is a brief summary of the key privacy principles set forth in the Privacy Shield:

Notice

The requirement to notify the data subject under the Privacy Shield remained pretty similar to the Safe Harbor. Companies must present their privacy policy in a visible and accessible place, the policy must be clear and coherent and provide the data subject with full disclosure of all required information, including the data subject’s rights to request information, dispute resolution mechanisms and the company’s commitment to adhere to the Privacy Shield principles.

Choice

Companies must inform data subjects about their right to opt-out at any time. Moreover, when it comes to sensitive information, companies must attain a specific express consent from the data subject prior to the processing of such sensitive data (excluding a number of exceptions).

Accountability: Onward Data Transfer

The Privacy Shield presents strict conditions on companies participating in the scheme regarding onward data transfers to third parties. Accordingly, Companies are required to review their contracts with third parties and make the necessary adjustments in order to ensure (1) that the transferred data will only be processed for a limited and specific purpose, which must be in line with the data subject’s original consent; and (2) that such third parties provide the same level of protection as the participating company; and (3) that the third party will be required to notify the participating party if they can no longer meet the foregoing obligations.

Since these conditions impose an immense burden on participating companies, the Privacy Shield provides a perk to “early adopters”, by allowing companies who will “self-certify” with the Privacy Shield within two months from the day the Privacy Shield becomes effective, to make the necessary adjustments in their commercial relationships with third parties within a period of nine months.

Data Integrity and Purpose Limitation

Companies are obligated to put in place reasonable procedures to ensure that the processing of personal data is limited only to the extent necessary to achieve the purpose of the processing, while it is strictly forbidden to process personal data in a way that does not conform to the purpose for which it has been initially collected. In addition, there is an express obligation for data minimization, meaning organizations must delete data after it is no longer relevant for the collected purpose (with limited exceptions), and of course, that organizations that are removed from the Privacy Shield are required to return or delete all personal data they collected.

 

Access

Companies must provide data subjects with access to their personal data, including the ability to amend or delete wrong or inaccurate information. The Privacy Shield mitigates this far reaching principal by requiring companies to grant such access only when the burden or financial liability involved in granting such access is in proportion with the potential risks to the data subject’s privacy.

Recourse, Enforcement and Liability

The Privacy Shield aims to provide quick recourse to data subjects whose personal data has been processed in a non-compliant manner. Accordingly, the Privacy Shield requires that robust mechanisms will be put in place to ensure compliance and provide effective remedies where required. Such mechanisms include:

  1. Investigation mechanisms for data subjects’ complaints and disputes, that will be free and readily available to the data subject and may award damages where applicable.
  2. Follow-up procedures to ensure on-going compliance by companies.
  3. Obligation by non-complying companies to remedy any failures in their practices and procedures.

In light of the foregoing, The Shield provides several accessible dispute resolution mechanisms to data subjects who consider that their personal data has been misused and/or used in a non-compliant manner:

  1. The preferred and most cost efficient resolution concludes that complaints should be resolved by the company itself.
  2. In addition, companies must present data subjects with the right to initiate an accessible alternative dispute resolution process in order to resolve the complaint. Alternatively, the Shield provides companies with an option to satisfy the aforementioned requirements by committing to cooperate with European Union data protection authorities by submitting their self-certification with the Department of Commerce and undertaking to adhere to such respective bodies’ instructions.
  3. If the foregoing fails to satisfy data subjects, they are also given the option to file their complaint with the EU Data Protection Authorities who will channel their complaints to the Department of Commerce and/or the Federal Trade Commission to ensure that complaints by individuals are investigated and resolved.
  4. If a dispute is not resolved by any of the means mentioned above, as a last resort there will be an arbitration mechanism available to data subjects.

Access by U.S. public authorities

As described above, the excessive access of U.S public authorities to personal data of EU data subjects stored within the U.S jurisdiction was one of the main drivers in the invalidation of the Safe Harbor framework and adoption of the new Privacy Shield. Therefore, it is not surprising that the Shield pays extra attention to this issue and defines clear limitations and safeguards with respect to U.S. public authorities’ access, such as:

  1. Limitations on bulk collection of signals intelligence – supported by a letter from the General Counsel of the Office of the Director of National Intelligence, the U.S undertakes that intelligence collection shall be “as tailored as feasible”, meaning that such collection will be targeted rather than bulk, it must always relate to specific objectives and only exceptional circumstances will justify exceeding these requirements.
  2. Ombudsperson – this is supported by a letter from U.S. Secretary of State John Kerry. In order to provide a redress possibility, an Independent Ombudsperson mechanism was put in place, through which authorities in the EU will be able to submit requests on behalf of EU individuals regarding U.S. signals intelligence practices. The Ombudsperson will be independent from the U.S. intelligence community, will rely on independent bodies to investigate the complaints, and will have full authority to remedy data subjects in relevant cases.

in conclusion, while the new Privacy Shield seems like a step in the right direction, there is no doubt in my mind that sometime in the near future, it too will be challenged in court for not providing adequate protection to EU data subjects.

The undeniable fact is that there is an unbridgeable gap between globalization brought by the constant and rapid progress in technology on the one hand, and the fragmentation of different jurisdictions, each characterized by different sets of rules and protected interests on the other hand. Globalization introduces new business practices that harness the benefits of technology in facilitating cross border and global business activities and thus pushing the world to act as a single market. On the other hand, not only is the legal world divided into numerous different jurisdictions, each operating under different sets of rules and valuing different principles and interests, but the legal world is also very slow in adapting to changes, leaving it with no real chance to catch up with the ever evolving business world, while the aforementioned gap is only expanding over time.

The information contained herein is for informational purposes only, and is not legal advice or a substitute for legal counsel.