Expert Q&A: EU-US Personal Information Data Transfers | Practical Law

An Expert Q&A with Morrison & Foerster's Miriam Wugmeister, Prof. Lokke Moerel, and Cynthia Rich, examining the current state of personal information transfers from the EU to the US in light of the European Court of Justice's invalidation of the US-EU Safe Harbor Framework and the proposed US-EU "Privacy Shield" data transfer pact.

Practical Law Article w-000-8901 (Approx. 10 pages)

Expert Q&A: EU-US Personal Information Data Transfers

by Practical Law Data Privacy & Cybersecurity
Published on 08 Apr 2016, USA (National/Federal)
Cross-border personal information transfers often involve complex privacy requirements, particularly when the data subjects reside in the EU.
Practical Law asked the co-chair of Morrison & Foerster's Global Privacy and Data Security Group, Miriam Wugmeister, along with her colleagues, Berlin-based Senior of Counsel Prof. Lokke Moerel and Washington, DC-based Senior Privacy Advisor Cynthia Rich, to discuss the current state of personal information transfers from the EU to the US and the newly announced US-EU "Privacy Shield" data transfer pact.
Morrison & Foerster's global privacy team leads the Global Privacy Alliance (GPA) and regularly advises some of the world’s largest and most complex multinational organizations on their most difficult US and international privacy challenges.

What types of data does the EU consider “personal” and subject to cross-border transfer restrictions?

The EU Data Protection Directive (Directive) defines personal information as any information relating to an identified or identifiable natural person. Personal information can identify the individual directly or indirectly and includes items such as identification numbers or factors specific to the person's physical, physiological, mental, economic, cultural, or social identity.
Privacy rules in Europe restrict the transfer of all personal information from organizations operating within the European Economic Area (EEA) and Switzerland to organizations in countries outside the EEA that do not provide sufficient privacy protection. As of March 2016, the European Commission (EC) only recognizes ten countries as providing adequate data protection. Countries currently considered inadequate by the EU include the US, India, Australia, Japan, Korea, Hong Kong, Singapore, and the Philippines.
To transfer personal information, such as information relating to customers, vendors, and employees, from the EEA and Switzerland to affiliates or service providers in inadequate countries, organizations must either:
  • Put a European-approved transfer mechanism in place.
  • Qualify for a statutory exception.
Until last October, accepted transfer mechanisms for US organizations included US-EU Safe Harbor certification, EU-approved Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs).

In October 2015, the European Court of Justice (ECJ) issued a decision in Maximillian Schrems v. Data Protection Commissioner invalidating the US-EU Safe Harbor Framework. What was the Safe Harbor program and how did the Schrems decision affect US organizations conducting business in the EU?

The US-EU Safe Harbor Framework enabled EEA-based organizations to comply with their privacy laws when sending personal information to US organizations. Switzerland and the US established a similar framework.
US organizations that certified to the Safe Harbor Framework agreed to handle personal information transferred from the EEA and Switzerland under seven Safe Harbor principles and fifteen frequently asked questions and answers. The Safe Harbor principles required participating organizations to:
  • Notify individuals about:
    • the organizations' purpose for collecting and using their personal information;
    • how to contact the organization with any inquiries or complaints;
    • the types of third parties receiving or accessing their personal information; and
    • the choices and means offered for limiting the use and disclosure of their personal information.
  • Give individuals the opportunity to:
    • choose whether the organization may disclose their personal information to a new third party or use it for a different or incompatible purpose; and
    • access their personal information held by the organization and correct, amend, or delete inaccurate information.
  • Protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction using reasonable precautions.
  • Take reasonable steps to ensure that the personal information is reliable for its intended use, accurate, complete and current.
  • Provide readily available and affordable independent recourse mechanisms to investigate and resolve individual complaints and award damages where provided by law or private sector initiatives.
  • Establish follow-up procedures to verify that declared privacy policies are true and implemented as presented.
On October 6, 2015, the ECJ issued its decision in Schrems v. Data Protection Commissioner, invalidating the EC’s adequacy decision for the EU-US Safe Harbor Framework. The decision affected tens of thousands of European organizations that share data with US Safe Harbor-certified organizations. The ECJ's concern about unfettered access to transferred EU data by US law enforcement and national security authorities and EU citizens' inability to seek judicial redress against these actions primarily drove the invalidity decision.
The ECJ further held that EU national data protection authorities (DPAs) cannot invalidate an EC adequacy decision. They can, however, suspend or prohibit individual data transfers on a case-by-case basis if, for example, they find that the receiving organization's domestic laws interfere with EU data protection rights in a way that goes beyond "what is necessary in a democratic society." This conclusion raised concerns that individual DPAs could effectively suspend all transatlantic transfers if they determined that the Schrems decision applied to alternative cross-border transfer methods, such as SCCs or BCRs.
Following the ECJ decision, Working Party 29 (WP29), the DPAs' coordinating group, encouraged US and EU authorities to complete ongoing negotiations and develop a revised and improved Safe Harbor Framework to satisfy EU privacy rules. It warned that failure to reach an appropriate solution by late January 2016 could lead individual DPAs to step in and protect individuals by exercising their authority to conduct coordinated enforcement actions and suspending individual transfers. The WP29 also urged current Safe Harbor organizations to implement temporary measures, such as SCCs or BCRs, ensuring continued compliance with EU data transfer rules.
The Swiss DPA followed suit, declaring that the US-Swiss Safe Harbor Framework also no longer supported personal information transfers to the US and asking affected organizations to modify their contracts or adopt another transfer method before the end of January 2016. It also recommended that organizations enable individuals to exercise their rights by clearly informing them that government authorities may access data transmitted to the US. Data transfer contracts should also commit the parties to provide affected individuals with effective legal protection tools, and to actually perform the relevant procedures and accept resulting decisions.
Practically speaking, thousands of organizations had to scramble to put SCCs or other transfer mechanisms into place with their service providers and affiliated organizations. At the same time, the Safe Harbor's uncertain future caused organizations, particularly those scheduled for renewal, to decide whether to renew, balancing the associated financial and administrative costs with the costs of other solutions.

EU and US regulators have agreed in principle to a new "Privacy Shield" Framework to replace the Safe Harbor. Have the US and EU finalized the Privacy Shield Framework yet? If not, what must occur before the Privacy Shield Framework becomes effective and what is the expected timeframe?

The Privacy Shield Framework has not been finalized yet. The Article 31 Committee of EU Member States' representatives must, within three months, review the EC's draft adequacy decision and issue an opinion. The WP29 also announced that it intends to issue an opinion on the draft at its April 12-13, 2016 plenary meeting and expects its opinion to also affect other transfer mechanisms. The European Data Protection Supervisor (EDPS) announced that it will issue its own opinion after the WP29 has made its opinion public.
On March 17, the EU Parliament’s Committee on Civil Liberties, Justice, and Home Affairs held hearings regarding the proposed EU-U.S. Privacy Shield. Representatives from the EC, the US Department of Commerce (DoC), the WP29, the EDPS, and several private sector stakeholders participated. The hearing discussed significant questions raised about the Privacy Shield, including the US Government's continued collection of personal information and concerns that it does not address all of the General Data Protection Regulation (GDPR) obligations, such as the right to data portability. Given the initial concerns raised, it is quite possible that the Privacy Shield Framework may require a further round of negotiations before adoption. The Privacy Shield is not expected to be adopted before May 2016.

What does the new Privacy Shield Framework require of organizations before they can use it as a legal basis to transfer personal information and how does it differ from the Safe Harbor program?

To join the Privacy Shield, an organization must meet four conditions:
  • Fall within the Federal Trade Commission (FTC), the Department of Transportation (DoT), or another US agency's enforcement authority to ensure compliance with the Principles.
  • Publicly declare its commitment to apply the Principles to all personal information received from the EU under the Privacy Shield program.
  • Publicly disclose privacy policies that comply with the Principles.
  • Fully implement the Privacy Shield commitments.
Privacy Shield benefits begin after the Department of Commerce ("DoC") reviews the organization's self-certification submission and qualifies it for placement on the public Privacy Shield List.
At first glance, the Privacy Shield bears a strong resemblance to Safe Harbor, with similar program entry conditions and similar core Principles, such as notice, choice, security, data integrity, access, and enforcement. However, the Privacy Shield introduces substantial changes, including:

Notice

The Privacy Shield Notice Principle prescribes a long list of new items that organizations must include in their privacy notices. Privacy Shield organizations must continue to provide information on:
  • Purposes of personal information collection and use.
  • Organization contact instructions for inquiries and complaints.
  • Choice mechanisms and instructions for exercising those choices.
  • Links to the DoC's certified organizations list.
They must now also include statements identifying the organization's:
  • Designated independent dispute resolution provider, including the provider's:
    • name and location;
    • website or complaint submission form links and instructions;
    • ability to address complaints and provide recourse, free of charge; and
    • ability for the individual to invoke binding arbitration under certain circumstances.
  • US statutory authority authorized to investigate and enforce program compliance.
  • Potential requirements to disclose personal information in response to a public authority's lawful request, including meeting national security or law enforcement requirements.
  • Continued responsibility and liability for the personal information provided to third-party service providers.

Disclosures and Onward Transfers

In addition to downstreaming data protection obligations to agents or other providers hired by the organization to perform services involving personal information on its behalf, the Privacy Shield requires organizations to:
  • Transfer personal information to service providers for a limited and specified purpose.
  • Perform due diligence on the service provider to ensure it can appropriately protect the transferred personal information.
  • Audit the service provider to confirm it in fact protects the transferred personal information.
  • Take steps when appropriate to stop the service provider's processing.
The organization must also assume liability for its service providers' actions that violate the Principles, unless it can prove it is not responsible for the event causing the damage. This Privacy Shield liability threshold is much higher than under the Safe Harbor, which only imposed liability for failure to use appropriate contracts or take reasonable steps to prevent or stop Safe Harbor violations. The Privacy Shield also requires organizations to provide the DoC with a summary or representative copy of its service provider contract privacy provisions on request.
Personal information transfers to other third parties, such as non-agents or data controllers, require contracts, even if that third party participates in the Privacy Shield program. Affiliated organizations leveraging other transfer instruments, such as BCRs or compliance and control programs do not require contracts.

Redress

The Privacy Shield Framework provides individuals with many ways to lodge complaints. Complaints may be filed with the:
  • Organization directly, using its in-house complaint resolution procedure.
  • Individual's local DPA, which may contact the organization or the DoC to resolve the dispute.
  • Organization’s designated independent dispute resolution provider.
  • Privacy Shield Panel, consisting of one or three arbitrators selected from a list of arbitrators designated by the DoC and the EC, in connection with binding arbitration requests for residual claims where alleged violations remain fully or partially unremedied.
Instead of appointing an independent dispute resolution provider, organizations may also appoint a panel of European DPAs to resolve their disputes. As under the Safe Harbor, appointing the DPA panel is mandatory for resolution of any human resources (HR) related disputes. DPA panel dispute resolution, coupled with the organization's agreement to follow the panel's determination, replaces the individual's right to invoke binding arbitration.
The Privacy Shield also creates a new mechanism for resolving U.S. intelligence practice complaints and inquiries. EU individuals, working through their appropriate Member State authority, can now submit complaints to a State Department Ombudsman responsible for complaint resolution.

Government Enforcement and Oversight

The Privacy Shield's enforcement principles are not materially different from the Safe Harbor's requirements. However, the written commitments of the DoC, FTC, and DoT to expand their program oversight and enforcement suggest that organizations should expect significant enforcement changes. For example, the:
  • DoC, on its own initiative, plans to carry out compliance reviews of existing participants to identify issues that may warrant further follow-up action.
  • FTC plans to create a standard referral process and provide DPAs with guidance on the type of information that best assists FTC investigations.
  • New reporting and disclosure requirements mean organizations must:
    • respond promptly to DoC inquiries and requests;
    • publicly disclose any Privacy Shield compliance reports submitted to the FTC; and
    • maintain Privacy Shield program implementation records and provide them to regulators and independent dispute resolution providers on request.

Program Withdrawal

Organizations withdrawing from the Privacy Shield program but retaining the personal information received during their certification period must continue to apply the Principles to those data. The Safe Harbor imposed the same requirement. However, the Privacy Shield imposes the additional obligation to either:
  • Annually affirm in writing to the DoC that they commit to apply the Principles or provide adequate protection by another authorized means (e.g., SCCs).
  • Return or delete the personal information.
The Privacy Shield also contains explicit requirements to remove any references or statements from relevant privacy policies or other documents implying that the withdrawn organization actively participates in the Privacy Shield program and is currently entitled to its benefits. These rules also apply in the event of a merger or takeover. The Privacy Shield certification mark, if used, must be removed.

Does the Privacy Shield Framework contain any special requirements for human resources (HR) data, sensitive information, or other specific data types?

Under both the Safe Harbor and the Privacy Shield, special rules apply to human resources data, sensitive information, travel information, and pharmaceutical and medical products data. The additional obligations and exceptions for those data categories remain largely unchanged under the Privacy Shield.

What enforcement mechanisms does the Privacy Shield establish and which parties enforce its requirements?

Like the Safe Harbor, a Privacy Shield organization's required public commitments provide the FTC or other regulators with jurisdiction to enforce compliance failures under Section 5 of the FTC Act or similar statutes that protect against unfair and deceptive practices. Privacy Shield program participation is only open to organizations regulated by the FTC, DoT, or another government entity the EU recognizes as capable of effectively ensuring compliance with the Principles.
The DoC, FTC, and DoT have agreed to expand their program oversight and increase reporting and disclosure obligations for both organizations and their independent dispute resolution providers. The potential sanctions remain the same under the Privacy Shield. Both programs require sanctions rigorous enough to ensure the organization's compliance with the Principles. Potential sanctions include:
  • Publication of non-compliance findings.
  • Data deletion.
  • Program suspension and seal removal.
  • Monetary compensation to individuals for losses incurred as a result of non-compliance.
  • Injunctive orders.
Independent dispute resolution bodies must also report a Privacy Shield organization's failure to comply with their rulings to the organization's regulator or the courts, as appropriate, and the DoC.
The DoC must remove organizations that persistently fail to comply with the Principles from the Privacy Shield program. Persistent failure to comply occurs when a registered Privacy Shield organization refuses to comply with a self-regulatory or government body's final determination regarding its practices, or when that regulator determines the organization's frequent compliance failures render its self-reported compliance claims unreliable. If this occurs, the organization must promptly notify the DoC or face potential liability under the False Statements Act (18 U.S.C. § 1001).
Under the Privacy Shield program, the DoC expects to maintain two separate lists identifying organizations with:
  • Active or current Privacy Shield certifications.
  • Cancelled or lapsed certifications, identifying the removal reason, such as voluntary withdrawal, non-completion of the annual re-certification, or persistent failure to comply.

If a US organization was Safe Harbor self-certified, what steps must it take to meet the new Privacy Shield Framework requirements?

Safe Harbor-certified organizations must make several important changes before relying on the Privacy Shield Framework, including:
  • Revising their privacy notices or privacy policy to include all of the newly required information.
  • Implementing new due diligence and supervision procedures for agents, such as service providers, and ensuring that the additional contractual provisions are in place.
  • Establishing contracts with all third parties handling personal information not acting as agents or service providers, with limited exceptions.
  • Revising internal complaint handling procedures to cover any new DoC requests.
  • Developing and maintaining records regarding the organization's Privacy Shield program implementation.
An organization's personal information transfer practices should comply with the new Privacy Shield requirements as soon as possible once they go into effect, preferably within the first two months, but in any case no later than nine months after Privacy Shield Framework certification. During the interim period, organizations must comply by adhering to the Notice and Choice Principles and confirming that any agent receiving transferred personal information must provide at least the same level of protection that the Principles require.

What other options may US organizations have to provide a legitimate basis for transferring EU data subjects' personal information to the US? Are there any risks associated with implementing those options?

The Directive recognizes several alternative ways to transfer personal information to the US using tools, such as:
  • SCCs or BCRs.
  • Statutory exceptions, including:
    • valid consent;
    • contractual necessity;
    • defense of legal claims;
    • important public interest grounds; or
    • protection of the individual's vital interests.
Importantly, many DPAs often do not consider employee consent valid because of the employment relationship's unequal nature. As a result, organizations should not assume an employee's consent authorizes the transfer of their personal information.
Some EU DPA statements made after the Schrems decision generated concern that they may decide to suspend US transfers using SCCs or BCRs for the same reasons relating to mass surveillance and US government access that the ECJ used to invalidate the Safe Harbor Framework. To address these concerns, the WP29 announced that it plans to evaluate the Schrems decision's impact on these alternative data transfer mechanisms at its April 12-13, 2016 plenary meeting.
However, while the ECJ held that national DPAs hearing a claim may examine whether a specific data transfer under SCCs or BCRs complies with the Directive's requirements, the Schrems decision confirmed that only the ECJ – not national DPAs or courts – can strike down the EC's general adequacy decisions. Unless and until this occurs, EC decisions still bind national courts and DPAs. The EC reiterated this position by stating that national DPAs are, in principle, under the obligation to accept the SCCs and "may not refuse the transfer of data to a third country on the sole basis that these SCCs do not offer sufficient safeguards."
The US government directly addressed this concern in its February 29, 2016 Privacy Shield documents. The US statements extended the Privacy Shield surveillance commitments to all EU personal information transfers, regardless of the mechanism used. Similarly, the EC's draft adequacy decision clarified it reviewed US legal protections that applied generally, not just to Privacy Shield data transfers. The EC's draft adequacy decision explicitly states that those safeguards apply to all EU personal information transferred to the US for commercial purposes. This development should make it harder for EU regulators or potential plaintiffs to argue that SCCs and BCRs allegedly fail to meet the ECJ's Schrems adequacy test.
The Privacy Shield Framework also contains additional requirements unrelated to government access that exceed current SCC or BCR requirements in several respects. The EC may view those obligations as essential and require future SCCs or BCRs to follow them. It remains possible that the EC may also restrict transfers to other significant trading partners, such as India, Brazil, and Japan, unless they provide similar government access and surveillance assurances.

There seems to be a lot of uncertainty around EU-US personal information transfers. Can US organizations avoid EU data transfer restrictions by storing EU personal information in EU data centers? What issues would that solution raise?

Storing personal information in an EU data center does not change the analysis if someone from the US or another country outside of the EEA can access that personal information. Remote access to the personal information equates to a transfer. As a result, if one IT person or one HR person from the US views or uses personal information stored in an EU data center, then a cross-border data transfer requiring a cross-border transfer mechanism occurs.

Are there any other significant data protection law developments on the horizon in the EU and how may they affect U.S. organizations' ability to transfer personal information from the EU?

In December 2015, the European Parliament (EP) and the Council of the European Union reached an informal agreement on a new General Data Protection Regulation (GDPR) that will update and replace the current EU Privacy Directive. The EP expects the GDPR's formal adoption to occur in 2016, with its provisions becoming effective two years after adoption, in 2018.
The GDPR contains several important changes affecting cross-border transfers. For example, the current EU Privacy Directive does not directly establish BCR requirements. Rather, national DPAs authorize them using the WP29's 2003 BCR Working Documents series to provide guidance on expected requirements and adequacy assessment criteria. The GDPR now explicitly includes BCRs as a data transfer tool and codifies the WP29's criteria, which should streamline the authorization procedure.
To provide organizations with more flexibility, the GDPR also adds several new data transfer options, including:
  • Approved codes of conduct and certification mechanisms that provide appropriate safeguards.
  • Standard data protection clauses adopted by a DPA that the EC declares generally valid.
The GDPR maintained the current Directive's cross-border transfer exceptions, including consent and contractual necessity, demonstrating their continued relevance and validity. The GDPR also provides that a data controller's or processor's legitimate interest may, under limited circumstances, justify a data transfer.
Importantly for US businesses, the new GDPR expands the EU's data protection jurisdictional scope. US organizations must comply with the GDPR's requirements, even if they have no physical EU presence, if they:
  • Target EU residents with their products or services.
  • Monitor EU residents' behavior in the EU.
Those US organizations must also appoint a representative in the EU and follow EU data transfer rules.