Can a Privacy Shield protect the hero of data free-flows?

By Kim Smouter

A month after it was announced, the formal Commission decision establishing the EU-US Privacy Shield has been released. The European Commission (EC) and the US Department of Commerce (DoC) are both confident that this new agreement will stand the test of the European courts and will facilitate the continued flow of personal data between the EU and US.

ESOMAR, alongside CASRO, EFAMRO, and the MRA have started looking into more detail about what the agreement will actual mean for you and your company. However, it’s important to remember that the procedure is still ongoing, and that key European stakeholders still need to give their agreement before the Shield can come into force. The ambition is for the EU-US Privacy Shield to come into force by summer 2016.

How will the Privacy Shield work in practice?
The requirements of the Privacy Shield, and how one complies to it, will be very similar to that of the old Safe Harbor agreement. Companies will again have to register themselves on a Privacy Shield List and self-certify they meet the requirements set out. This procedure must be renewed every year. The Department of Commerce will maintain the List and will also be responsible for monitoring and verifying the companies signing up.
If a company ceases to be a member of the Privacy Shield, they should still process any personal data received under Privacy Shield according to the Shield’s principles. The Department of Commerce will monitor the compliance of companies with the Privacy Shield principles on an ongoing basis, including through detailed questionnaires.
The agreement will not be limited to EU citizens, but everyone residing in the European Union will be protected under the Privacy Shield agreement.

How will the Privacy Shield be enforced?
One of the objections against the Safe Harbor agreement that led to its invalidation, was the lack of complaints and enforcement mechanisms that Europeans could use. So one of the major changes in the new agreement is the way complaints will be dealt with.
Where it used to be that the FTC was free to decide whether it would investigate infringements of Safe Harbor, in the Privacy Shield an elaborate complaint mechanism is foreseen. This includes a dispute resolution platform that will be set up where individuals can file a complaint when they feel that their rights have been violated. Companies will then have 45 days to solve the complaint. The exact implementation is not yet known. ESOMAR will monitor and report when more is known about this platform and any impact on business operations for the US.
In addition, the role of the European Data Protection Authorities (DPAs) has been increased. EU citizens can go directly to their country’s DPA to file a complaint. They will work together with US authorities to investigate complaints. The DPAs will also play a role in ensuring that every complaint is investigated, representing a much stricter monitoring and enforcement compared to Safe Harbor.
As a last resort, if a case is not resolved by any of the other means, there will be an enforceable arbitration mechanism. Moreover, companies can commit to comply with advice from European DPAs. This is obligatory for companies handling human resource data.
The FTC already indicated the following four areas where it will focus on for its enforcement actions: referral prioritization; false and deceptive Privacy Shield claims; continuous monitoring; and engagement with European data protection authorities.

Privacy Shield principles
The heart and soul of the Shield is formed by its principles. The text outlines seven different principles that have to be met by the subscribing company. As was to be expected, these principles reflect to a large extent the approach the European Union has taken with regards to privacy and data protection.
The careful reader will recognise that the ICC/ESOMAR Code on Market and Social Research covers the majority of these point. For market, social and opinion researchers abiding to the Code will thus already comply with most of the points outlined below. Our sector is thus in an excellent position to successfully subscribe to the program, without disproportional extra effort.
These principles are:

  1. Notice, organisations are obliged to provide information to data subjects on a number of key elements relating to the processing of their personal data (e.g. type of data collected, purpose of processing, right of access and choice, conditions for onward transfers and liability). Further safeguards apply, in particular the requirement for organisations to make public their privacy policies.
  2. Choice, data subjects may object (opt out) if their personal data shall be disclosed to a third party (other than an agent acting on behalf of the organisation) or used for a “materially different” purpose. In case of sensitive data, organisations must in principle obtain the data subject’s affirmative express consent (opt in). Moreover, under the Choice Principle, special rules for direct marketing generally allowing for opting out “at any time” from the use of personal data apply.
  3.  Accountability for onward transfer, any onward transfer of personal data from an organisation to controllers or processors can only take place (i) for limited and specified purposes, (ii) on the basis of a contract (or comparable arrangement within a corporate group) and (iii) only if that contract provides the same level of protection as the one guaranteed by the Privacy Principles.
  4. Security, organisations creating, maintaining, using or disseminating personal data must take “reasonable and appropriate” security measures, taking into account the risks involved in the processing and the nature of the data.
  5. Data integrity and purpose limitation, personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject.
  6. Access, data subjects have the right, without need for justification and only against a non-excessive fee, to obtain from an organisation confirmation of whether such organisation is processing personal data related to them and have the data communicated within reasonable time. Where personal information is processed solely for research or statistical purposes, access may be denied. The organisations has to justify its motivations for denying the request.
  7. Recourse, enforcement, and liability, participating organisations must provide robust mechanisms to ensure compliance with the other Privacy Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies.

There’s also a supplemental set of principles that includes provisions around sensitive data, secondary liability, the role of data protection authorities, human resources data, pharmaceutical and medical products, and publicly available data.
What about BCRs and Model Clauses?
Safe Harbor wasn’t the only means to legally transfer personal data to the United States. There’s always been to possibilities for Binding Corporate Rules and Standard Model Contracts. But when the Court ruled Safe Harbor as insufficient for EU-US data transfers, the European DPAs, organised in the Article 29 Working Party (A29WP), made it clear that they will not just assess any new agreement but also take these two measures into account.
Nevertheless, they do still provide a short and medium term solution especially for entities that want space to reflect, without the risk of being dragged into a Privacy Shield regulatory storm. According to the Commission, the data collected under the Privacy Shield agreement will cover these alternatives.

The next steps
The Commission has now submitted the Privacy Shield to data protection authorities. The A29WP will meet in Brussels in April to agree a common position on the privacy shield. This opinion will not be legally binding, but it will be a very strong indication whether the Privacy Shield meets the legal requirements from the perspective of top data protection experts.
EU Member States also are able to issue a binding opinion, but it is not expected to that they will oppose the agreement that is reached as their main concern appears to be to restore the data flows for the sake of the digital economy as quickly as possible.
Progress therefore will likely be driven by economic considerations which could lead us to expect to see privacy shield in action as soon as late Spring 2016 to early Summer 2016.

Kim Smouter is Government Affairs Manager at ESOMAR, #esoGOV #esomar