EU-U.S. Privacy Shield: First Lessons Learned
As reported, the National Telecommunications & Information Administration (NTIA) launched its self-certification system of the Privacy Shield (PS) on 1 August. The NTIA’s website provides a host of information for U.S. and European businesses. Participating organizations are deemed to provide “adequate” privacy protection, a requirement for the transfer of personal data outside of the European Union to the United States under the EU Data Protection Directive. But whoever expected long lines of registrants in front of the NTIA building may be disappointed. Despite the publicity and huge expectations, in Europe in particular, the enthusiasm among U.S. companies has been lackluster, and all filings must be submitted online, not in person.
After the first two weeks following the launch, the NTIA had posted fewer than 40 company listings. The agency stated to the Wall Street Journal that it continues to process more than 200 applications. This is far below the 4,000 companies certified under the former Safe Harbor agreement for transatlantic data transfers. Many Europeans had rebuked the EU-U.S. negotiating team for failing to include sufficient safeguards for the privacy of EU personal data in the hands of U.S. organizations (in particular, the ability of U.S. law enforcement and other agencies to access them). In the end, European Commissioners Ansip and Jourova declared that the PS is “fundamentally different from the old Safe Harbor; it imposes clear and strong obligations on companies handling the data and makes sure that these rules are followed and enforced in practice.” Now that the PS is actually open for business, the salient question is: Will U.S. companies file under the PS or shun it?
To join or not to join, that is the question
PS applicants who thought that they could simply re-submit their filings under the old Safe Harbor will be disappointed. A self-certification under the PS is much more work. The PS Principles apply immediately upon certification. To be fair, the PS registration process with the NTIA is new for everyone. All eyes are probably on the companies that are already on the list. The registration process requires only a limited amount of paperwork, such as a self-certification form and a PS statement for the different data sets. The annual fees are moderate: $250 to $3,500 per year depending on the size of the company, plus an annual assessment for the new U.S. arbitral panel under the PS, which is still to be established. A fee for outside dispute resolution comes on top of that. The administrators at the NTIA are also eager to register complete applications. But no one likes to be the frontrunner. Many potential applicants prefer a wait-and-see approach. There are many reasons for U.S. companies to be cautious before embracing the PS, including:
- the uncertainty as to whether the PS will be challenged in European courts, similar to the Safe Harbor Principles that the European Court of Justice invalidated last October;
- a reluctance to jump ahead of a competitor and go on the public PS list;
- the effort it takes for a U.S. company to ensure compliance with the PS requirements;
- the lack of guidance by the NTIA and the Federal Trade Commission (FTC) on various details and consequences of participation;
- the reluctance to submit a self-certification that is thereafter scrutinized not only by the European Data Protection Agencies and EU data protection activists, but also in the United States by the FTC or the Department of Transportation;
- uncertainty as to what extent individuals from the EU and EU regulators will actually demand access to the relevant EU personal data under the PS and ultimately file complaints, and how much effort a response may take; and
- uncertainty about who is eligible to participate and who is excluded from the PS (e.g. telecoms carriers).
In addition to these general considerations, U.S. companies struggle with joining due to misperceptions associated with the PS.
U.S. companies processing EU personal data frequently misunderstand what they can achieve by a self-certification under the PS. Their self-certification does not replace their company’s full compliance with the local data protection laws in the EU. All the PS can achieve is to put the data importer (the U.S. company) legally on an equal footing with the data exporter in Europe. For example, if a U.S. health care provider imports “e-health” data (patient records, etc.) from Germany, both companies must abide by the law applicable to such data sets in Germany (e.g. the rules for obtaining informed consent from the individual patients). In other words, the PS Principles neither excuse data importers from abiding by applicable data protection rules, nor do they override national data protection requirements. The PS functions more like a bridge to bring personal data that have been legally collected in Europe into the United States.
In addition, many U.S. companies struggle with Principle 4 of the PS Principles (“Data Integrity and Purpose Limitation”) and how to put it into practice. This Principle has three components:
- The company must only collect the personal data relevant for the purposes of processing.
- It may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.
- To the extent necessary for those purposes, the company must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.
For every European data protection officer, this is data protection 101, while U.S. companies may not be familiar with this concept. U.S. companies frequently rely on the principle of the individual’s “reasonable expectation of privacy,” which gives the companies more freedom to determine what to do with the data. For instance, under the European purpose limitation principle, an organization is expected to retain personal data of an individual only for as long as it is needed to serve the purpose for which it was collected. The individual’s “reasonable expectation of privacy” does not matter in this context. If there is a new purpose for which these data are used, the company needs to notify the data subject about the new purpose and seek appropriate consent. This also means, to give just one example, that data exporters and data importers will need to confirm, in their policies, to regulators and to individuals demanding data access that their data retention policies are properly implemented. They must ensure that they are not keeping personal data longer than needed for these purposes.
Finally, the PS’s Onward Transfer Principle (Principle 5) triggers a lot of due diligence for U.S. companies contemplating PS compliance. It states that a data importer (the U.S. company receiving the personal data) must enter into a specific contract with any third party (e.g. a service provider) that has access to the data from Europe. That contract must stipulate that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual. It must also contain a clause that the third party will provide the same level of protection as the PS Principles. The third party must also notify the data importer if it can no longer meet this obligation. Specific contractual stipulations must address what occurs if the third party ceases processing of the data. The regulators can demand copies of these agreements, so this obligation must be taken seriously. This Principle gives rise to a lot of complicated legal questions. Moreover, there is a grace period of 9 months for the data importer to bring its contracts with vendors and other third parties in line with the PS Onward Transfer requirements. Only companies that submit their filing to the NTIA by September 30 can take advantage of this grace period.
Filing done, more work to begin
U.S. data importers must have an internal compliance system in place when they file. This is not a task that can be postponed. Individuals, for instance, who want to know what the data importer has stored about them must be able to launch inquiries from day one. An inquiry triggers a dispute resolution process, with a response becoming due within 45 days. The PS prohibits companies from charging a fee to the individuals demanding access. The company’s PS statement(s) must be posted and internally communicated. Staff training and creating internal awareness of the PS may be necessary. Specific rules in the PS Principles govern employee (HR) data, where the company must cooperate with the European Data Protection Agency, e.g. when disputes with the employee arise. Companies must implement them in a timely and diligent manner and inform the affected employees about their rights under the PS, potentially in several languages.
Compared to the Safe Harbor principles, the PS follows a much more structured approach. It provides for various mechanisms individuals can use to lodge complaints against a data importer in the United States. If the company does not resolve the issues, then there is an arbitral panel proceeding that these individuals can turn to. They can also raise complaints directly with their national Data Protection Agencies. The overarching idea is that companies and authorities will be expected to take data subjects’ complaints seriously, and respond to them promptly. It will be interesting to see how this plays out in practice. The PS policies and statements posted so far vary widely. There is not much room for trial and error. If a company joins the PS, and later decides to leave it, the company still must adhere to the PS Principles with respect to the personal data the company has collected while PS-certified. Moreover, if a company is deleted from the PS list for failing to comply, or if it is found to be persistently violating the PS Principles, it has to purge all the EU personal data it obtained through the PS. That could create a major compliance burden down the road, especially when third parties had access to the personal data.