On February 29, 2016, the European Commission’s (EC) released a much anticipated draft adequacy decision on the EU–U.S. Privacy Shield.  With this and enactment of the Judicial Redress Act last week (see our post here), the European Union came yet another step closer to finalizing the agreement between the EU and the U.S. to enable data transfers from the EU to the U.S.  The draft adequacy decisions lays out the basis for a determination that, under the Privacy Shield, U.S. entities will adequately protect the privacy rights of EU citizens. 

In brief, last fall the European Court of Justice (ECJ) invalidated the U.S.-EU Safe Harbor Agreement that allowed self-certified companies to transfer data from the EU to the U.S. in Schrems v. Data Protection Commissioner (Case C-362/14).  The ECJ determined that allegations of widespread surveillance by U.S. national security agencies revealed by Edward Snowden rendered the promised protections of the Safe Harbor unreliable.  Further, the ECJ held that national Data Protection Authorities (DPAs) could not be prevented from protecting EU citizens’ fundamental right to privacy, meaning that they could take enforcement action despite EC decisions.  See more on the history here.

The draft adequacy decision finds that the newly negotiated Privacy Shield, along with representations and assurances from U.S. officials, will protect EU citizens’ data.  As reflected by the EC’s taking nearly half of the decision to describe constraints on the U.S. intelligence community, the response to the Snowden allegations is the centerpiece of the Shield.  Specifically, the EC found that a variety of restraints on government entities against accessing and using EU citizens’ data, along with oversight and redress mechanisms, provide sufficient safeguards for the prevention of unlawful interference and abuse.  Included among these are Executive Order 12,333 (which defines the goals, directions, duties, and responsibilities of U.S. intelligence efforts and lays out parameters for the conduct of intelligence of activities) and Presidential Policy Directive 28 (which limits signals intelligence operations).  Based on available information, the draft decision concludes that once EU citizens’ data is in the U.S., it may only be sought by the government in compliance with the Foreign Intelligence Surveillance Act (FISA) or by the Federal Bureau of Investigation through a National Security Letter (NSL).  A Privacy Shield Ombudsman will be appointed to monitor activity and ensure that “individual complaints are investigated and individuals receive independent confirmation that U.S. laws have been complied with or, in case of a violation of such laws, the non-compliance has been remedied.”

Additional protections for EU citizens’ data lie in more active policing by the Department of Commerce (DOC), the Federal Trade Commission (FTC), the Department of Transportation (DOT), and by the self-certifying entities themselves.  All entities wishing to participate in the Privacy Shield – including the 4,400+ already certifying under the Safe Harbor – must go through a new self-certification process.  DOC will be obligated to maintain a list of organizations removed from the Privacy Shield, which will indicate the reason (that is, whether the removal was voluntary or not).  Enforcement had picked up in recent years under the Safe Harbor, with the FTC regularly announcing consent orders with broad ranges of companies that allegedly falsely stated that they participated in the Safe Harbor even though their certifications had lapsed or never existed in the first place.  FTC Chairwoman Edith Ramirez also released a statement pledging continued enforcement focus and further cooperation with EU privacy authorities the same day, coinciding with the EU announcement.

Entities participating in Privacy Shield will be required to offer EU citizens procedural options for filing complaints, including responding to individuals’ complaints within 45 days of filing.  National DPAs will be able to investigate individual complaints under the Privacy Shield, and participating U.S. organizations will be required to assist in investigations and take remedial or compensatory actions in line with DPAs’ advice.  DPAs can also suspend data transfers that are the subjects of complaints.  The last resort for a complainant will be for an EU citizen to invoke binding arbitration by a “Privacy Shield Panel” made up of EC- and DOC-designated members that can provide individual-specific non-monetary relief.  With reference to the entire Privacy Shield agreement, the EC promises swift action to withdraw the Privacy Shield if the U.S. is found not to be in compliance with it, after a stated period during which the U.S. must come into compliance.

The draft adequacy decision, notably, recognizes and responds to the ECJ’s determination that national DPAs cannot be prevented from taking actions against violations their citizens’ privacy rights.  Acknowledging the import of the decision, the adequacy decision emphasizes that “Member States and their organs must take the measures necessary to comply with acts of the Union institutions, as the latter are in principle presumed to be lawful and accordingly produce legal effects until such time as [they are withdrawn or overruled].”  Thus, DPAs must presume that the adequacy decision is legal and binding, and should a DPA receive a complaint alleging that the adequacy decision is not well founded, the DPA must raise the objections with a national court that, in turn, must institute appropriate stay proceedings and refer the case to the ECJ for a preliminary ruling on the objections.  Where DPAs do take enforcement actions against data transfers to the U.S., they are required to inform the EC immediately.

The draft adequacy decision now goes to a committee of Member States’ representatives and will be the subject of an opinion by the DPAs (through the Article 29 Working Party) before the EC renders a final decision.  The U.S. is supposed to be working on implementing the Privacy Shield’s framework, including establishing monitoring mechanisms and the new Ombudsman.  Official adoption of the Privacy Shield cannot happen fast enough, with some DPAs (such as the Hamburg DPA) threatening imminent enforcement action against companies transferring under Safe Harbor.  Three major international companies are apparently soon to be the subject of proceedings by that DPA.  Binding corporate rules (BCRs) and model clauses are said to be adequate transfer mechanisms, for now.  National EU and U.S. authorities are seeking to calm industry fears that global data transfers will be halted with these coordinated announcements in support of the Privacy Shield.