The Working Party of European Union Data Protection Authorities (“WP29”) recently issued its opinion on the draft EU-U.S. Privacy Shield Adequacy Decision (“Privacy Shield”). WP29 is the committee of data protection authorities organized under Article 29 of the EC Data Protection Directive. As part of the internal European Union “comitology” review process for the Privacy Shield, WP29 provides a non-binding opinion to the European Commission on the arrangement.
Given its role as the champion of privacy rights, it is not surprising that WP29 identifies concerns with the Privacy Shield, and recommends clarifications and improvements to the text. It is noteworthy, however, that WP29 indicates that Privacy Shield offers “major improvements” compared to its predecessor, the invalidated EU-U.S. Safe Harbor Privacy Arrangement (“Safe Harbor”). Also, WP29 “greatly welcomes” the opportunity that will be presented to engage in an annual joint review of Privacy Shield, and considers the annual review process as a “key factor to the overall credibility” of Privacy Shield.
Organizations considering whether to certify to the Privacy Shield, or to rely on other organizations that do, should carefully consider the views of WP29. Even if Privacy Shield is promulgated by the European Union in its current form without modification, the data protection authorities will retain substantial power to review individual data transfers made under Privacy Shield. As such, the WP29 opinion is a roadmap to key points that might be examined by data protection authorities in such individual cases.
WP29 notes various “overall” issues, such as:
- Scope of application of Privacy Shield. WP29 notes that EU Member State data protection law applies to the processing of personal data in the local jurisdiction, and such law is not displaced by Privacy Shield. WP29 suggests that this point should be made explicit in the decision. In practice, although there already is a reference in the Privacy Shield documents in Annex II.I (1) (“The Principles do not affect the application of national provisions implementing Directive 95/46/EC (“the Directive”) that apply to the processing of personal data in the Member States”), it is helpful to remind organizations of this point when developing their privacy compliance strategies.
- Clarity of the Privacy Shield documents. WP29 notes that between the adequacy decision itself and the annexes, along with terms that are often not defined, there is a lack of clarity regarding the details of the new framework, and it may be difficult for data subjects and others to understand the requirements. Among other points, WP29 recommends the development of a glossary of terms to be added to the Privacy Shield. It is possible that such a glossary could be developed either before approval of the Privacy Shield, or perhaps as a follow-up in connection with an annual review or otherwise. In any event, organizations should be prepared that there would need to be some interpretation of the terms, particularly as they may be applied in practice to an individual organization’s operations. Organizations should also make efforts to be clear and transparent with data subjects regarding their Privacy Shield compliance programs.
- Joint review. WP29 welcomes the procedure for a joint annual review of the arrangement, and seeks clarification on the details of the structure and approach to the meetings. WP29 seeks confirmation that the review will take account of GDPR requirements once it enters into force. Organizations should therefore be prepared that the substantive terms may evolve over time in connection with the annual joint reviews and otherwise.
WP29 raises several key commercial issues with the text, such as:
- Application of the Privacy Shield to agents/processors. WP29 notes that it is not entirely clear how the rules apply to agents/processors (e.g., how duties of notice and choice would apply to an agent). In many respects, these are carry overs from the predecessor Safe Harbor rules, and organizations historically under Safe Harbor have needed to make risk-based decisions on how the U.S. Federal Trade Commission (“FTC”) and other authorities would interpret and apply potential conflicts or tensions between the rules as drafted. Organizations should be prepared to make similar determinations in connection with the Privacy Shield.
- Exceptions to the Principles for statutes, regulations, or other legal obligations. WP29 indicates that the exceptions to compliance with Privacy Shield Principles for US statutes, regulations, and legal obligations should be assessed in light of limitations that are “justifiable in a democratic society” within the meaning of European notions of those standards. Organizations that regularly are required to disclose data for regulatory or legal compliance reasons should consider how to address any concerns that may be raised by local authorities with such disclosures.
- Data retention. WP29 notes that the Privacy Shield does not contain an express data retention/deletion principle. Organizations should be prepared to address questions that may be raised regarding the retention of personal data obtained under Privacy Shield.
- Choice. WP29 expresses concerns regarding the details of how and when opt-out choice options would be presented to data subjects. Organizations should focus on making sure that, to the extent relevant to their data processing activities, such options are presented in a suitably clear and conspicuous manner, and such opt-out choices are properly effectuated.
- Onward transfers. WP29 notes that Privacy Shield contains new requirements regarding contracts for onward transfers to third party controllers and other related obligations. WP29 raises concerns about making sure that, beyond the contracts, organizations in Privacy Shield should evaluate the circumstances surrounding the transfers (such as the surveillance rules in a third country) before making such disclosures. Notably, this appears to be a point where WP29 is applying more burden on Privacy Shield organizations than on organizations subject to other adequacy findings, such as the adequacy finding for Canada, where there are no material restrictions on onward transfers to non-local jurisdictions.
- Redress mechanisms. WP29 expresses concerns that the different layers of redress mechanisms (from raising complaints with the company directly, thru to back stop arbitration) may be complex and difficult for data subjects to understand. Organizations should therefore take care to maintain clear and easy to understand instructions for data subjects on how to seek redress.
- Grace period for organizations that certify within two months. WP29 notes that organizations that certify within two (2) months of approval of the Privacy Shield arrangement receive a nine (9) month grace period from compliance with the third party contracting requirements. WP29 considers that companies should be compliant right away upon certification with all the Privacy Shield requirements in order to enjoy the benefits of the adequacy finding. In practice, organizations should be ready to demonstrate that they are proceeding with all deliberate speed to align third party contracts with these requirements, and should avoid a delay of adherence to the requirements until the end of the grace period.
National Security and Law Enforcement Issues
WP29 notes that the extensive provisions on national security and law enforcement in the draft Privacy Shield adequacy decision “demonstrates that a multi-layered approach of both internal and external oversight mechanisms is in place in the U.S.” WP29 analyzes the various components of this framework that have been developed in recent years, including Presidential Policy Directive 28 (PPD-28), Executive Order 12333 (EO 12333), the USA Freedom Act, the Foreign Intelligence Surveillance Act, and other provisions. It also examines the letter from the Office of the Director of National Intelligence (ODNI) regarding the safeguards and limitations applicable to U.S. national security authorities and other provisions within Privacy Shield.
The issues that WP29 raises in this section generally relate to how the U.S. authorities apply these laws, policies, and procedures to their national security and law enforcement activities. These issues are outside the scope of anything that private sector organizations can control. Nevertheless, organizations may help to mitigate concerns from data protection authorities if they follow some key principles in responding to any such legal demands. Although these “best practices” are not articulated in the WP29 opinion, such principles can include:
- Confirm legal requirements before making disclosures. Organizations should carefully review any requests from law enforcement, national security, or other authorities and, before any production, confirm that there is a properly-issued court order or legal demand without legal defect that compels production.
- Narrow the scope of required disclosures where possible. To the extent possible, organizations should seek to narrow production to the data that is strictly required to address the relevant law enforcement, national security, or other legal demand.
- Encourage use of mutual legal assistance treaties (MLATs) and other direct avenues for government data collection. To the extent possible, organizations should encourage authorities to make use of MLAT and other direct procedures to obtain data from European authorities, rather than seeking the data from the organizations.
- Promote transparency with data subjects. Organizations should identify in their privacy statements if they are often required by national security, law enforcement, or other authorities to disclose personal data. Organizations should also include other helpful information for data subjects to the extent permitted by law (e.g., regarding the frequency of the requests), and should notify data subjects of their rights under Privacy Shield to petition the U.S. Department of State Ombudsperson regarding any individualized concerns about national security, law enforcement, or other legal demands for information.
Next steps on EU review of Privacy Shield.
With respect to next steps in the EU “comitology” review process, the European Commission will consult with the Article 31 Committee of Member State Representatives. If the Member State representatives vote to approve the arrangement, Privacy Shield can proceed to a final decision by the EU College of Commissioners. Post-adoption, it is expected that Privacy Shield may also be subject to legal challenge in European courts. Such challenges may require months or years to mature into a review by the CJEU. Although the outcome of any such challenge is difficult to predict with certainty, there is reason to be hopeful given that Privacy Shield contains procedures, and protections that are specifically designed to address concerns raised by the CJEU in its earlier case on Safe Harbor.
Expectations for adoption of Privacy Shield by US organizations
Despite the additional steps and issues with respect to Privacy Shield, the expectation is that many U.S. organizations will find the adoption of Privacy Shield to be a helpful tool to facilitate compliance with European Union data transfer restrictions. Our recent survey at the IAPP Privacy Summit in Washington, DC shows that a majority of the respondents believe that companies should certify within the first two months of the adoption of Privacy Shield, so as to take advantage of the grace period. Many organizations are nevertheless also expected to maintain model clauses, binding corporate rules, and other solutions “on top” of Privacy Shield. Depending on the jurisdictions where their operations or customers are located and other factors, such additional solutions may remain an important means to obtain certainty about data protection regulatory compliance for global transfers in an otherwise uncertain data protection world.