The European Union’s General Data Protection Regulation and the Privacy Shield Principles

In April 2016, the European Union (“EU”) passed a new law, the General Data Protection Regulation (“GDPR”), that becomes effective on May 25, 2018 (this week!).  Many articles are explaining the EU GDPR and the impact it will have on United States businesses that wish to exchange data with members of the EU and their citizens.  However, little attention has been given to the additional layer of compliance that is required for United States companies because the US has not been found to be adequate or equivalent to the EU in the area of privacy. This article discusses GDPR briefly and then addresses the framework US companies must follow to exchange data with EU citizens.

GDPR and EU views on privacy

Unlike in the US, the EU considers personal privacy an essential right, and it is incorporated as a protection in many of the EU constitutions.  In addition, in 1980, the Organization for Economic Co-operation and Development (“OECD”) developed seven principles for protection of private data, long before the Internet and the explosion of data exchange.  The seven principles have been the basis of the subsequent privacy frameworks developed by the EU.

In 1995, the EU issued Directive 95/46/EC on the protection of individuals with regards to the processing of personal data and on the free movement of such data (the “EU Data Protection Directive”), which each EU country adopted in its own language (much the way that model laws are adopted in the United States).  The EU Data Protection Directive has been in effect since 1998 and contained an adequacy/equivalency measure.  The EU Data Protection Directive provided a wide scope of applicability, given that it was written before the real explosion of the Internet, and included the OECD seven principles.  The EU Data Protection Directive applies to all “personal data,” as broadly defined, and permitted the transfer of EU data to third countries only if the third country had adequate protections or equivalency.  A limited number of countries were found to be adequate or equivalent, including Canada.  However, the United States was not found to be adequate and likely never will be.

As noted, the EU passed the GDPR in 2016, which replaces the EU Data Protection Directive.  GDPR expands the EU Data Protection Directive in a number of ways, including defining personal data as “any information relating to an individual” and mandating a single GDPR with no variations among the member countries. In addition, GDPR imposes enhanced notice requirements and changes the method of consent.  GDPR also includes a right to be forgotten.

Safe Harbor Privacy Principles

Because the US was found to not be adequate and as a result not covered by the EU Data Protection Directive, absent some workaround, US companies would be unable to transfer data from the EU to the US.  The US developed a set of principles.  Between 1998 and 2000, the Safe Harbor Privacy Principles (the “Safe Harbor Principles”) were developed in order to prevent accidental disclosure of private information from companies in the European Union or the United States.  On July 26, 2000, the EU issued European Commission’s Decision 2000/520/EC, which related to “the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the U.S. Department of Commerce” (the “U.S. Safe Harbor”).  Under this decision, U.S. companies that complied with the Safe Harbor Principles and appropriately answered a series of questions could self-certify compliance and thereby be eligible for the U.S. Safe Harbor and safely transfer EU data to the U.S.

On October 6, 2015, the Court of Justice of the EU declared the U.S. Safe Harbor framework invalid, citing the “massive and indiscriminate surveillance” conducted by the U.S. government.  On February 29, 2016, the European Commission published documents detailing what is being referred to as the EU-U.S. Privacy Shield (the “Privacy Shield”), which were approved by the EU later in 2016. 

The Safe Harbor Principles required U.S. companies to comply with each of these seven requirements in order to lawfully transfer data out of the EU to the U.S.:

  1. Notice - Individuals must be provided information about their data and how it is collected and used.
  2. Choice - Individuals must have the ability to opt out of the collection and transfer of data to third parties.
  3. Onward Transfer - Transferring data to third parties may only occur if the third party also adheres to the Safe Harbor Principles.
  4. Security - Reasonable efforts must be made by the recipient of private information to protect it against loss.
  5. Data Integrity - Data must have integrity, i.e., be relevant and reliable for the purpose for which it was collected.
  6. Access - Individuals must have the ability to access information about themselves and correct or delete it.
  7. Enforcement - There must be effective means of enforcing the Safe Harbor Principles.

The Privacy Shield

The Privacy Shield follows the same seven requirements as the Safe Harbor Principles, but there are significant differences between the U.S. Safe Harbor framework and the new Privacy Shield Framework.  The major differences are outlined below.

Enhanced Notice Obligations

Notice under the Principles is substantially enhanced. U.S. companies wishing to avail themselves of the Privacy Shield have to inform individuals about thirteen aspects of the company’s privacy practices, including:  1) participation in the Privacy Shield, with a link to the listing of all U.S. companies who have self-certified compliance with the Principles (the “Privacy Shield List”); 2) what types of data the company collects and what subsidiaries or affiliates of the company also adhere to the Principles; 3) commitment to strictly adhere to the Principles for all EU data collected; 4) purposes for which the company collects and uses the data; and, 5) the independent dispute resolution body to which complaints and disputes will be submitted for resolution.  These Principles are substantially more detailed and onerous than the notice requirements provided for in the Safe Harbor Principles.

Choice

Individuals are given the ability to prevent their personal information from being disclosed to third parties or used for purposes substantially different from the purpose for which it was originally collected.  For sensitive information (defined as “personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual”), the individual must affirmatively permit either the disclosure of sensitive information to a third party or the use of this information for purposes substantially different from the original collection purpose. 

The broad definition of sensitive information, as well as the obligations on a U.S. company participating in the Privacy Shield, make compliance with these obligations more burdensome than compliance with the Safe Harbor Principles.

Accountability for Onward Transfer

If a U.S. company wants to transfer data to a third party controller, the U.S. company must enter into a contract with that third party specifying the limited use of the transferred data and requiring the third party controller to protect that data as required by the Principles. 

Security and Data Integrity and Access

The newly published Principles did not make major changes to these three areas from the original Safe Harbor Principles.  U.S. companies availing themselves of the Privacy Shield need to take reasonable and appropriate steps to protect data from loss, misuse, and unauthorized access, and individuals must have access to the data to correct, amend or delete data that is inaccurate or processed in violation of the Principles.

Enhanced Enforcement and Redress

The Principles contain detailed procedures and steps for an EU citizen to seek redress.  The EU citizen can complain directly to the U.S. organization, which then has 45 days to investigate the complaint at no cost to the individual.  U.S. organizations must also provide a fair alternative dispute resolution mechanism procedure to resolve complaints.  The arbitration procedures are detailed in Annex I to the Principles.  If an EU citizen wishes, she can go directly to the Data Protection Authority in her country, which will work with the Department of Commerce and Federal Trade Commission (the “FTC”) to ensure complaints are investigated and fairly resolved.  U.S. companies must make publicly available any reports submitted to the FTC if the U.S. company is subject to an FTC court order.

The Privacy Shield was almost immediately challenged by one of the EU regulators, questioning whether it followed the order invalidating the Safe Harbor and also supporting many EU interested parties in suggesting that until GDPR became effective, any attempts to change the US framework were premature.  As a result, companies in the US must not only work to ensure that they are compliant with the requirements of GDPR, but also must self-certify and comply with the requirements of the Privacy Shield.  Finally, US companies should expect that the Privacy Shield will continue to be reviewed (and potentially challenged and overturned) and modified in the future, creating potential uncertainties for US companies wishing to import data from the EU. One example of such a challenge: Max Schrems, who challenged the Safe Harbor, has continued his challenge. Recently, the Irish High Court referred 11 questions to the ECJ, including whether the Privacy Shield is sufficient. For now, it remains the mechanism to use for United States companies, but be forewarned that it too may come under attack.

Impact on US companies if US-based only

Why do you or your clients that are US-based only care about the GDPR and Privacy Shield?  There are a number of reasons to pay attention, including the flatness of the world and the potential that US-based companies may in fact be engaging with EU citizens.  In addition, the EU has long been on the forefront of privacy and human rights, and many of the EU GDPR elements likely will find their way into US laws.  (One need look no further than the HIPAA laws that went into effect in the late 1990s in the US, not long after the EU issued its directive on privacy.)  In addition, all organizations can use this period before GDPR takes effect to review their privacy and security policies and procedures and ensure they are following best practices to secure their data.

Conclusion

The EU remains on the forefront of privacy of individuals.  The newest iteration, GDPR, will begin to be enforced on May 25, 2018.  US companies must not only review the regulation to determine if it is applicable but, if so, must also review their compliance with the existing Privacy Shield.  Failure to understand the way the EU privacy directives and US workarounds interact can result in your clients not being in compliance with the certification, listing and notification requirements imposed by the Privacy Shield and not being ready for the likely changes to the Privacy Shield that may be forthcoming once GDPR is effective.

Companies not directly impacted by GDPR should still take this opportunity to review and inventory their data and where such data resides, and to consider whether their current data privacy and security programs are up to date and follow best practice.
