This article was co-authored by Alexandra Cooke, Trainee Solicitor
On 29 February 2016, the European Commission published the draft “adequacy decision” and legal texts that will constitute the EU–U.S. Privacy Shield, the framework intended to facilitate transatlantic data flows. The Privacy Shield seeks to achieve this by imposing stronger obligations on US companies to protect Europeans’ personal data. If adopted, the decision will establish that the legal regime governing US companies who sign up to it will ensure an adequate level of protection of personal data for EU purposes. This publication comes some four months after the European Court of Justice ruled the previous Safe Harbour framework invalid. That ruling created considerable uncertainty for the thousands of businesses relying on Safe Harbour as the basis for transferring personal data to the US (as discussed in our previous article, Safe Harbour: Where are we two months on?).
The European Commission has also issued a Communication, in which it describes the Privacy Shield as an arrangement which “comprises important new safeguards” and which will “provide the necessary legal certainty for companies on both sides of the Atlantic that want to do business together”. The draft adequacy decision outlines the enhanced obligations which the Privacy Shield imposes on US companies, and the requirements on US authorities to monitor and enforce these obligations more robustly. Significantly, the draft decision reveals that, for the first time, the US government will provide the EU with written representations and assurances that access by its public authorities for law enforcement, national security and other public interest purposes will be subject to clear limitations, safeguards and oversight mechanisms.
Draft adequacy decision – key points
In its draft adequacy decision, the Commission outlines the seven Privacy Shield Framework Principles (the “Privacy Principles”) that US companies wishing to import personal data from Europe under the Privacy Shield will need to abide by. The obligations on companies include:
tighter conditions and stricter liability provisions for any onward transfer of personal data from an organisation to controllers or processors (of particular concern to the technology sector, where services are often outsourced to smaller specialists);
annual re-certification under the Privacy Shield; and
ensuring the company has effective redress mechanisms for EU data subjects whose personal data has been processed in a non-compliant manner.
The US Department of Commerce has also committed to maintaining a public list of organisations that have self-certified their adherence to the Privacy Principles, and to monitor the compliance of these organisations and remove any who do not comply or withdraw from the framework. Organisations’ commitments are legally binding and enforceable under US law by the Federal Trade Commission (FTC). Those who do not comply will face severe sanctions.
The draft decision also outlines a number of redress mechanisms which will be available to EU data subjects who consider that their personal data have been misused under the Privacy Shield. First, EU individuals may address their complaint directly to the company in question, and the company must provide a response to the individual within 45 days of receipt of the complaint. Secondly, companies must nominate an independent dispute resolution body to deal with and resolve complaints free of charge. Thirdly, individuals can refer complaints to their ‘home’ Data Protection Authority (DPA), which will work with the Department of Commerce and FTC to resolve the complaint. Lastly, and as a final resort, individuals will have recourse to arbitration by the Privacy Shield Panel. This Panel will consist of a pool of independent arbitrators designated by the Department of Commerce and the Commission, from which the parties can select a panel of up to 3. The proceedings will be governed by standard arbitration rules to be agreed between the Department of Commerce and the Commission, and will take place in the US (with access provisions to be made for EU data subjects at no extra cost). There will be a fund to cover costs of the arbitration procedure, up to a maximum amount to be agreed by the US authorities, if the parties are represented by an attorney before the panel.
The US will also establish a new redress mechanism for EU data subjects in the area of national security through an Ombudsperson who will be independent from the national security authorities.
The draft decision envisages that the Commission will monitor the functioning of the Privacy Shield through an annual joint review mechanism, and will also draw on other sources of information available, including voluntary transparency reports by companies on the degree of government access requests. If the Commission finds that US companies or public authorities are not abiding by their commitments, the Privacy Shield will be suspended.
Implications for the pharmaceutical sector
Under many of the Privacy Shield Principles there are enhanced obligations. The Privacy Shield also includes 16 “Supplemental Principles” which replace the Frequently Asked Questions (FAQs) that were used in the Safe Harbour program. Supplemental Principle 14 specifically addresses pharmaceutical and medical products, addressing a range of issues, namely:
that EU law applies to data from its collection until it is transferred to the US, after which the Privacy Shield applies – under both, data should be anonymised where appropriate;
that personal data generated from specific research studies can be used for future scientific research provided appropriate notice and choice have been provided at the outset;
personal data can be processed, with other data from the trial, after a participant has withdrawn from a clinical trial, if this was made clear on participation;
personal data from EU clinical trials can be provided to regulators, such as the FDA, for regulatory and supervisory purposes;
to preserve research integrity, trial subjects cannot access data on their treatment during a blinded study, if this is explained on entry;
the principles can be overridden where necessary to comply with regulatory requirements for adverse event reporting and other product safety and efficacy monitoring measures; and
key-coded research data, to which the company sponsoring the trial does not have the key, is not personal data and the Privacy Shield Principles do not apply to transfers by that company (although it would be personal data in the hands of a researcher with the key).
This Supplemental Principle is substantially the same as FAQ 14 of the Safe Harbour principles, which the Shield is intended to replace.
Before the Privacy Shield is finally agreed, the draft adequacy decision will be reviewed by the Member States and the Article 29 Working Party, an influential body with a representative from the data protection authority of each Member State. The Article 29 Working Party is expected to produce its opinion around 17 April following which the European Commission will make a formal decision on adequacy.
For UK companies, the UK Information Commissioner’s Office (“ICO”) currently recommends in its guidance note that organisations who relied on Safe Harbour should “not rush to change whilst the process to assess the Shield is ongoing”. Organisations who use alternative transfer mechanisms, such as model clauses and binding corporate rules, can continue to do so but with caution, since the Article 29 Working Party is also assessing their adequacy in the context of data transfer to the US.
Typically, the approach of the German data protection authorities is stricter. For advice on transfer to the US from any specific jurisdiction within the EU, please contact Andrew Shindler.