The Privacy Shield (1), the scheme designed by US and EU authorities to replace Safe Harbor and to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States, underwent its first annual joint review in September 2017.
First Annual Joint Review and Remaining Concerns
Although noting improvements to the prior framework (2), the EU working group on data protection matters (“G29”) identified at least six areas of concern with respect to its commercial aspects (3). These concerns include the need for clear guidance and information to adhering companies on the Principles of the Privacy Shield (4); clear and easily available information for EU individuals regarding their rights and the recourses and remedies available to them; the diverging interpretations of the Department of Commerce (“DoC”) and G29 on HR data (5); the distinction to be made between data controllers and data processors; the necessity of providing legal guarantees for automated decisions (6); the need for increased cooperation between US authorities; and the lack of oversight and supervision by US authorities of compliance with the Principles (7). The latter concern resonates particularly in connection with recurrent scandals of personal data misappropriation and misuse, such as the one relating to Cambridge Analytica’s unauthorized use of Facebook subscribers’ data to influence the last US presidential campaign (8).
G29 also reiterated prior concerns, such as the absence in the Privacy Shield scheme of key definitions or the absence or limitation of certain rights of data subjects (9). G29 has requested that all these areas of concern be resolved by the next annual joint review, failing which it would initiate judicial proceedings against the Privacy Shield adequacy decision.
The inconsistencies with, and extra-territorial reach of, GDPR
The Privacy Shield and GDPR principles are defined differently, and a number of inconsistencies exist between the two sets of rules. For example, certain Privacy Shield principles are subject to a reasonableness qualifier, such as the security principle or the obligation to ensure that personal data are reliable for their intended use, accurate, complete and current. No such reasonableness qualifier applies to the equivalent GDPR principles of security (10), data minimization and accuracy (11), respectively. The Privacy Shield is silent on automated decisions, and it falls short on certain rights of data subjects, such as the rights to object, to erasure, to restriction of processing and to data portability. In addition, certain GDPR obligations of controllers or processors, such as privacy by design and by default, the notification of security breaches or the joint liability of controllers and processors, are not reflected in the Privacy Shield scheme.
Nonetheless, GDPR may apply directly to US organizations self-certified under the Privacy Shield, to the extent that they are also subject to GDPR’s extra-territorial provisions. Indeed, GDPR applies to organizations not established in the EU if the processing relates to the sale of goods or services in the EU, or to the monitoring of individuals’ behavior within the EU. Arguably, the majority of Privacy Shield self-certified organizations would fulfill either of these conditions and thus be subject to GDPR and its dramatically increased sanctions (12). In addition, these organizations will have to appoint a representative in the EU (13).
Still under scrutiny (14) and subject to G29’s calls for further improvement, the Privacy Shield will not be a sufficient framework for those US companies processing European personal data that are also subject to GDPR. As a result, Privacy Shield self-certified US companies will need to assess whether they satisfy the criteria for GDPR’s extra-territorial application. In such a case, these companies will be required to comply with GDPR, failing which they may be subject to the severe sanctions provided by this new European legislation.
(1) Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 (…) on the adequacy of the protection provided by the EU-US Privacy Shield, entered into force in the EU on August 1, 2016.
(2) G29 noted the efforts made by the US authorities to set up a comprehensive procedural framework to support the operation of the Privacy Shield, including the implementation of thorough procedural checks prior to self-certification by a dedicated team within the US Department of Commerce (10 people on a full-time basis to date), the use of Independent Recourse Mechanisms providers (IRMs) for outside compliance review, specific steps taken for annual recertification, and following up with companies that withdraw from the scheme.
(3) “EU-US Privacy Shield – First Annual Joint Review”, adopted on 28 November 2017.
(4) Based on the figures in the G29 report, over 2,400 organizations are self-certified under the Privacy Shield to date, of which 60% are SMEs and 83% conducted an internal self-assessment in order to self-certify (as opposed to an assessment by an external auditor).
(5) US authorities consider that HR data are only those related to the employees of the certified organization, whereas G29 considers that any data concerning an employee in the context of an employer-employee relationship from an EU company should be treated as HR data and the receiving US organization should have an active HR data certification.
(6) G29 called for the right to know the logic involved and the possibility for the individual to request the reconsideration of the decision on a non-automated basis.
(7) To date, oversight relies principally on IRM providers, which entails possible conflicts of interest, as they both conduct the ex ante compliance review and act as the ex post independent recourse mechanism.
(8) Le Monde 25-26 March 2018, “Cambridge Analytica au coeur de la tempête politique, médiatique et judiciaire”. According to the Privacy Shield website, Cambridge Analytica LLC self-certified under Privacy Shield on 11 May 2017.
(9) G29 opinion dated 13 April 2016 on the draft Privacy Shield decision.
(10) Pursuant to Article 32 of GDPR, the obligation for the controller or the processor “to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk” is not subject to a reasonableness standard, although state of the art, costs of implementation and nature, scope, context and purposes of the processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, must be taken into account.
(11) Article 5(c) and (d) of GDPR.
(12) Pursuant to Article 83 of GDPR, depending on the severity of the breach, the higher of 10 or 20 million euros and 2% or 4% of total worldwide annual turnover of the preceding financial year.
(13) Article 27(1) of GDPR.
(14) Two annulment actions have been filed with the CJEU against the implementing decision of the Privacy Shield, by Digital Ireland (Case No. T-670/16) and by the Quadrature du Cercle (Case No. T-738/16). The former action was declared inadmissible by the CJEU (Order dated 22 November 2017), but the second procedure is still pending.