On the very last day of February, the European Commission (EC) released the text of the successor to the EU-U.S. Safe Harbor Program, the EU-U.S. Safe Harbor Shield. The text is in the form of an “Adequacy Decision,” indicating that, in the view of the EC, the U.S. would provide an adequate level of privacy protection through implementation of the new program’s Draft Privacy Principles.
The press release accompanying the decision notes that the Adequacy Decision is subject to the opinion of the EC’s Article 29 Working Party on Data Protection, and then to approval by the College of Commissioners. The Privacy Principles, prepared by the U.S. Department of Commerce, will be published in the Federal Register. A lot of work remains, and there is some disconnect between the U.S. and EC views of the Principles. The agreement may still be the subject of a court challenge as a result of its failure to meet the standards set forth in the Court of Justice of the European Union decision in Schrems v. Data Commissioner.
Yet, U.S. multinational companies would be well advised to study the draft principles and begin the process of implementing the safeguards and standards in those Principles, as the new data protection concepts will not go away and may significantly affect a company’s data transfer practices, which often comprise an organization’s core business activity.
Registration will be a requirement of the Shield program, and the Department of Commerce will oversee compliance (often in cooperation with E.U. Data Protection Authorities). Principles of the Program will include Notice and Choice; Data Integrity, Purpose and Limitation on Use; Access and Accountability for Onward Transfer; and Data Security. There are “carve-outs” for human resources data, sensitive personal data (health, religion, political party affiliation and other characteristics) and pharmaceutical and biotech clinical trial data.
Dispute resolution is addressed in great detail in the Dispute Resolution and Enforcement provision within the agreement. It begins with a requirement that the complaint be addressed to the organization in question and ends, if all prior remedies have been exhausted, with arbitration for non-monetary relief only. Rules for these proceedings will be negotiated between the EC and the Department of Commerce within the next several months.
The documents also reveal a few areas of disconnect between the EU and the U.S. For example, the EC’s statement indicates, in its Accountability for Onward Transfer section, that if compliance issues arise with regard to agents or sub-contractors processing personal data, the organization acting as data controller will bear the burden of proof “that it is not responsible for the event giving rise to the damage, or face liability.” The Onward Transfer Privacy Principles in Annex II, as drafted by the Department of Commerce, have no such provision. As with the late Safe Harbor program, onward transfer promises to remain a contentious issue.
If you have any questions regarding implementation of practices to comply with the EU-U.S. Privacy Shield, please contact Kenneth N. Rashbaum.