New obligations on dispute resolution are among the main changes proposed under the new EU-US Privacy Shield, which has been drafted as a replacement for the EU-US safe harbour agreement that was invalidated by the EU's highest court last year.
In a draft 'adequacy decision' (34-page / 371KB PDF) that it has newly published, the European Commission set out its view that data transfers made under the EU-US Privacy Shield will correspond to EU data protection law requirements.
Many of the principles that are set out under the Privacy Shield are similar to those that applied under the safe harbour framework. Privacy Shield companies will have obligations in relation to disclosure and data security, for example, and must also provide EU citizens with a qualified right to access the data that has been transferred to them. The principles framework is one of a number of new documents that the Commission has published that provide more details about the EU-US Privacy Shield it announced in early February.
Among the main changes is a new requirement that Privacy Shield companies will have to respond to complaints from EU citizens about their handling of personal data within 45 days.
Privacy Shield companies will also be required to "designate an independent dispute resolution body (either in the United States or in the Union) to investigate and resolve individual complaints (unless they are obviously unfounded or frivolous) and to provide appropriate recourse free of charge to the individual", or alternatively opt in to "effective enforcement mechanisms" provided under self-regulatory privacy programs run by industry bodies.
The newly released documents on the Privacy Shield also provide more information about how a new Privacy Shield Ombudsperson will handle complaints that relate to the accessing of EU citizens' personal data by US intelligence agencies.
The Ombudsperson "will guarantee that individual complaints are investigated and individuals receive independent confirmation that US laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied", according to the draft adequacy decision.
Businesses will be able to self-certify their compliance with the Privacy Shield principles, in much the same way that they were able to under the safe harbour framework. A system of annual re-certification will apply. The US Department of Commerce (DoC) will be responsible for maintaining a 'Privacy Shield List' that will contain the details of the businesses that have signed up to the framework.
However, tighter enforcement by US regulators and greater oversight by EU data protection authorities are provided for under the Privacy Shield framework. In some cases EU data protection authorities could compel Privacy Shield companies to implement "remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the principles". The Commission's decision on the adequacy of the Privacy Shield will also undergo an annual joint review, which will be the subject of a public report to both the European Parliament and Council of Ministers.
Data protection law expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said that it was welcome that the principles for the Privacy Shield make it clear that EU-based organisations may transfer personal data to US Privacy Shield companies which are data processors, if a processor contract is agreed to govern the processing activities. There had been some confusion about this among the business and legal community. In practice, for transfers to US processors under the Privacy Shield, the processors will need to both sign an appropriate processor contract and self-certify under the Privacy Shield.
The Privacy Shield also addresses circumstances where Privacy Shield companies pass on personal data to another company (onward transfers), including a company acting as its agent. According to the Privacy Shield principles, the Privacy Shield company would generally be liable for processing its agent carries out that is "inconsistent" with the privacy principles. However, if Privacy Shield companies can prove they are "not responsible for the event giving rise to the damage" they will avoid liability for that activity.
Hon said that those provisions reflect wording that is likely to be contained in the EU's General Data Protection Regulation. However, she said that, where an agent of a Privacy Shield company, but not the company itself, is "responsible" for the event giving rise to the damage, the new liability provisions arguably could provide for weaker protection for data subjects than under the old Safe Harbour regime.
Under the Safe Harbour framework an organisation signed up to the scheme was responsible for processing carried out by a third party which was carried out "in a way contrary to any restrictions or representations" if it knew or should have known the third party would process personal data in such a way and it had not taken reasonable steps to prevent or stop such processing.
For transfers to another company acting as a controller, a new requirement is that a contract with the other company requiring the same level of protection as the Privacy Shield principles must be entered into, with exceptions such as for certain occasional employment-related operational transfers. Contracts will also not necessarily need to be agreed for intra-group EU-US transfers of personal data between controllers under the Privacy Shield regime, according to the new principles.
The Commission's draft adequacy decision on the Privacy Shield has still to be formally adopted by the EU's College of Commissioners. The Article 29 Working Party, a body of EU data protection authorities, has still to issue its opinion, expected in April or May, on whether the proposed framework provides sufficient privacy protections and guarantees considered essential by the Working Party for intelligence activities.