Data Transfers/Safe Harbor/Privacy Shield

As we reported on October 19th, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data challenged the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program. Today, the European Commission (EC) issued a public statement confirming its commitment to working with the United States on a “renewed and sound framework for transatlantic transfers of personal data.” The apparent trigger for today’s announcement are “concerns” from businesses about “the possibilities for continued data transfers” while the Safe Harbor Sequel is under negotiation.

In its statement, the EC confirms that during the pendency of the U.S.-EU negotiations, Standard Contractual Clauses and Binding Corporate Rules (BCRs) are viable bases for legitimizing data transfers that formerly were validated by the Safe Harbor Program.

The EC was careful to note that today’s guidance “does not lay down any binding rules” and “is without prejudice to the powers and duty of the DPAs (Data Protection Authorities) to examine the lawfulness of such transfers in full independence.”  In other words, a DPA still may decide that Standard Contractual Clauses and BCRs are not viable under its country’s laws.

The Judicial Redress Act of 2015 (H.R. 1428) (Judicial Redress Act) is on its way to the U.S. Senate. On October 20th, the U.S. House of Representatives voted in favor of passage.

The Judicial Redress Act extends certain privacy rights under the Privacy Act of 1974 (Privacy Act) to citizens of the EU and other specified countries.

The preamble to the Judicial Redress Act states that:

The Judicial Redress Act provides citizens of covered foreign countries with the ability to bring suit in Federal district court for certain Privacy Act violations by the Federal Government related to the sharing of law enforcement information between the United States and a covered foreign government. Any such lawsuit is subject to the same terms and conditions that apply to U.S. citizens and lawful permanent residents who seek redress against the Federal Government under the Privacy Act. Under current law, only U.S. citizens and lawful permanent residents may bring claims against the Federal Government pursuant to the Privacy Act despite the fact that many countries provide U.S. citizens with the ability to seek redress in their courts when their privacy rights are violated. Enactment of this legislation is necessary in order to promote and maintain law enforcement cooperation and information sharing between foreign governments and the United States and to complete negotiations of the Data Protection and Privacy Agreement with the European Union.”

The House’s passage of the Judicial Redress Act is expected to help mitigate one of the key criticisms of U.S. privacy protection from EU regulators. As discussed in our blog posts from earlier this month, in the Court of Justice of the European Union (CJEU) decision invalidating the U.S.-EU Safe Harbor Program, the CJEU noted that EU residents lack an “administrative or judicial means of redress enabling, in particular, the data relating to them to be accessed and, as the case may be, rectified or erased.”  Once passed by the Senate (as is generally expected), the Judicial Redress Act will provide that means of redress.

Check back for updates on the Senate’s consideration of the Judicial Redress Act and the ongoing EU-US negotiations about a Safe Harbor Sequel.

As we wrote on October 6, 2015, the Court of Justice of the European Union (CJEU) announced its invalidation of the U.S.-EU Safe Harbor program as a legally valid pathway for transferring personal data of European Union (EU) residents from the EU to the United States. An avalanche of reports, analyses and predictions followed the CJEU announcement because so many U.S. businesses operating in the EU relied on the validity of the Safe Harbor program.

As we expected, the CJEU decision was not the final chapter. On October 16, the Article 29 Working Party on the Protection of Individuals with Regard to the Processing of Personal Data (the Working Party, an independent advisory board to data protection authorities in EU members states) called on the EU member states to “open discussions with the US” to find a viable alternative to the Safe Harbor program.

Echoing the CJEU’s concern about “massive and indiscriminate surveillance” by the U.S. government, the Working Party challenged the United States and EU to produce by 31 January 2016, a new data transfer framework with “stronger guarantees” of EU residents’ “fundamental rights” to data privacy, as well as “redress mechanisms” for violations.

In the meantime, the Working Party affirmed that data transfers formerly validated by the Safe Harbor program are not legal. It also noted its intent to evaluate the validity of the two other key data EU-U.S. transfer pathways: Binding Corporate Rules (BCRs) and Standard Contractual Clauses.

What This Means for U.S. Businesses

While waiting for news of Safe Harbor: The Sequel, our Privacy and Data Protection Group continues to advise a business that relied on the Safe Harbor program to:

  1. Classify the data transferred from the EU to the United States (employee, consumer, business contacts, etc.).
  2. Determine which of the data transfers from the EU to the United States were formerly validated by Safe Harbor.
  3. Identify vendors that transfer EU personal data for the business and determine how those vendors validate their transfers (e.g., Did a vendor represent that it could make legitimate transfers via Safe Harbor, and, if so, what happens now?).
  4. Decide how best to address EU to U.S. personal data transfers under one of the other data transfer pathways based on data classification (e.g., Binding Corporate Rules for intra-company transfers; Standard Contractual Clauses for transfers to third parties that do not otherwise meet EU requirements; or consent of each EU data subject—an impractical option for high-volume transfers).

Stay tuned for more on Safe Harbor: The Sequel and guidance for businesses.

Earlier today, the Court of Justice of the European Union (CJEU) announced its determination that the U.S.-EU Safe Harbor program is no longer a “safe” (i.e., legally valid) means for transferring personal data of EU residents from the European Union to the United States.

The CJEU determined that the European Commission’s 2000 decision (Safe Harbor Decision) validating the Safe Harbor program did not and “cannot eliminate or even reduce the powers” available to the data protection authority (DPA) of each EU member country. Specifically, the CJEU opinion states that a DPA can determine for itself whether the Safe Harbor program provides an “adequate” level of personal data protection (i.e., “a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union” as required by the EU Data Protection Directive (95/46/EC)).

The CJEU based its decision invalidating that Safe Harbor opinion in part on the determination that the U.S. government conducts “indiscriminate surveillance and interception carried out … on a large scale”.

The plaintiff in the case that gave rise to the CJEU opinion, Maximilian Schrems (see background below), issued his first public statement praising the CJEU for a decision that “clarifies that mass surveillance violates our fundamental rights.”

Schrems also made reference to the need for “reasonable legal redress,” referring to the U.S. Congress’ Judicial Redress Act of 2015. The Judicial Redress Act, which has bi-partisan support, would allow EU residents to bring civil actions in U.S. courts to address “unlawful disclosures of records maintained by an [U.S. government] agency.

Edward Snowden also hit the Twittersphere with “Congratulations, @MaxSchrems. You’ve changed the world for the better.”

Background

Today’s CJEU opinion invalidating the Safe Harbor program follows on the September 23, 2015, opinion from the advocate general (AG) to the CJEU in connection with Maximilian Schrems vs. Data Protection Commissioner.

In June 2013, Maximilian Schrems, an Austrian student, filed a complaint with the Irish DPA. Schrems’ complaint related to the transfer of his personal data collected through his use of Facebook. Schrems’ Facebook data was transferred by Facebook Ireland to Facebook USA under the Safe Harbor program. The core claim in Schrems’ complaint is that the Safe Harbor program did not adequately protect his personal data, because Facebook USA is subject to U.S. government surveillance under the PRISM program.

The Irish DPA rejected Schrems’ complaint because Facebook was certified under the Safe Harbor Program. Schrems appealed to the High Court of Ireland, arguing that the Irish (or any other country’s) DPA has a duty to protect EU citizens against privacy violations, like access to their personal data as part of U.S. government surveillance. Since Schrems’ appeal relates to EU law (not solely Irish law), the Irish High Court referred Schrems’ appeal to the CJEU.

What This Means for U.S. Business

The invalidation of the Safe Harbor program, which is effective immediately, means that a business that currently relies on the Safe Harbor program will need to consider another legally valid means to legally transfer personal data from the EU to the United States, such as the use of EU-approved model contractual clauses or binding corporate resolutions.

We believe, however, that this is not the final chapter in the Safe Harbor saga. Please check back soon for more details and analysis.

After over four years of negotiations, the European Union and the United States have agreed on a framework data protection agreement on 8 September 2015 (Umbrella Agreement). The Umbrella Agreement covers all personal data exchanged between the European Union and the United States for the purpose of prevention, detection, investigation and prosecution of criminal offences, including terrorism. According to the Q&A’s posted on the EU Commission’s website, the Umbrella Agreement shall “provide safeguards and guarantees of lawfulness for data transfers.”

During the negotiations, the Umbrella Agreement was widely criticized throughout the EU because EU citizens could not file lawsuits in the United States to enforce their data protection rights. The U.S. Privacy Act allows only U.S. residents to obtain redress for data privacy and protection violations. As part of the Umbrella Agreement, the U.S. Congress introduced an amendment to the U.S. Privacy Act known as the “Judicial Redress Bill.”   If adopted, the Judicial Redress Bill will permit an EU citizen to use U.S. courts to (for example) have his or her name deleted from U.S. blacklists if the name was mistakenly included.

In Germany, first reactions by political commentators on the agreement are moderately optimistic and an important step to rebuild trust after the National Security Agency (NSA) spying revelations.  More importantly, the Umbrella Agreement includes many of the   same general data privacy and protection principles followed in Germany and other EU countries, including:

  • Limitations on data use – Personal data may only be used for the purpose of preventing, investigating, detecting or prosecuting criminal offences.
  • Onward transfer – Any onward transfer to a non-U.S., non-EU country or international organisation requires the prior consent of the competent data protection authority of the country from which the personal data was originally transferred.
  • Retention periods – Personal data may not be retained for longer than necessary or appropriate. The decision on what is an acceptable duration must take into account the impact on people’s rights and interests.  Retention periods must be published or otherwise made publicly available.
  • Right to access and rectification – Any individual will be entitled to access their personal data – subject to certain conditions, given the law enforcement context – and to request corrections.

While the increased data protection and proposed Judicial Redress Bill are positive developments, some commentators in Germany criticize the Umbrella Agreement’s lack of a clear and easy process for data protection enforcement in the United States for EU citizens.   The critics claim that most individuals will not even know when and if their data protection rights are violated.

The U.S. Congress and the EU Parliament and Council still must ratify the Umbrella Agreement, the full text of which is not yet available, but we expect that the Umbrella Agreement will unite the European Union and the United States on an increased level of data protection.   We will report on the Umbrella Agreement again once its full text is made public.

On August 17, 2015, the Federal Trade Commission (FTC) announced settlements with 13 companies on charges that they misled consumers by claiming that they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor programs when in fact their certifications had lapsed or never existed in the first place. The FTC’s announcement comes on the heels of two previous settlements reached in late May 2015 with companies that had lapsed certifications despite representations to the contrary made to online consumers. This recent activity by the FTC serves as yet another reminder to businesses to monitor their Safe Harbor program certification renewal dates and to exercise care when making representations in privacy policies related to Safe Harbor program certification.

The Safe Harbor programs provide a method for U.S. companies to transfer personal data outside of the European Union (EU) or European Economic Area (EEA) consistent with the requirements of the European Union Directive on Data Protection or the Swiss Federal Act on Data Protection. To participate in a Safe Harbor program, a company must self-certify to the U.S. Department of Commerce that it complies with seven privacy principles and related requirements. Once certified, a company is required to renew its certification with the Department of Commerce each year to maintain its status as a current member of the Safe Harbor program.

The companies at the center of the recent enforcement actions represent a variety of industries, including app development, pharmaceutical and biotechnology research, medical waste processing and wholesale food manufacturing. This broad industry representation suggests to us that the FTC is committed to ongoing enforcement. Accordingly, we want to remind readers of these tips:

  • Check your company’s certification status to ensure that it is marked “current” on the Department of Commerce website: https://safeharbor.export.gov/list.aspx;
  • Review any privacy policies and online statements referencing the Safe Harbor programs to ensure that they properly reflect the certification status and the company’s actual privacy and data security practices;
  • Institute a systemic reminder six months prior to the recertification date that triggers compliance review activity with a due date for completion prior to the recertification deadline, together with a requirement that the actual online recertification be completed prior to the annual deadline;
  • Remove all references to the Safe Harbor programs from publicly available privacy policies and statements if the company’s certification status is unclear; and
  • Review substantive compliance with the Safe Harbor programs and institute corrective action and controls to ensure that compliance is maintained.

 

On June 30, 2015, the Federal Trade Commission (FTC) published “Start with Security: A Guide for Businesses” (the Guide).

The Guide is based on 10 “lessons learned” from the FTC’s more than 50 data-security settlements. In the Guide, the FTC discusses a specific settlement that helps clarify the 10 lessons:

  1. Start with security;
  2. Control access to data sensibly;
  3. Require secure passwords and authentication;
  4. Store sensitive personal information securely and protect it during transmission;
  5. Segment networks and monitor anyone trying to get in and out of them;
  6. Secure remote network access;
  7. Apply sound security practices when developing new products that collect personal information;
  8. Ensure that service providers implement reasonable security measures;
  9. Implement procedures to help ensure that security practices are current and address vulnerabilities; and
  10. Secure paper, physical media and devices that contain personal information.

The FTC also offers an online tutorial titled “Protecting Personal Information.”

We expect that the 10 lessons in the Guide will become the FTC’s road map for handling future enforcement actions, making the Guide required reading for any business that processes personal information.

Just prior to recessing for the summer, the Canadian government enacted the Digital Privacy Act. It includes a number of targeted amendments to strengthen existing provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA), but falls short of providing the Privacy Commissioner of Canada (Commissioner) with direct enforcement powers, as some stakeholders—including the former Commissioner—had proposed.

The Digital Privacy Act was introduced in April 2014 as part of the government’s “Digital Canada 150” strategy. While it was touted as providing new protections for Canadians when they surf the web and shop online, there is nothing that is particularly “digital” about the bill, which will equally affect the bricks and mortar, paper-based world.

Of particular note, the Digital Privacy Act creates a duty to report data breaches to both the Privacy Commissioner and to affected individuals “where it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.” Failure to report data breaches in the prescribed manner could result in fines of up to $100,000 for non-compliant organizations. While the majority of the new law is currently in force, the provisions relating to breach notification have yet to be proclaimed in force by the government.

Once in force, the mandatory breach-reporting regime will bring the federal law into alignment with many international laws, as well as with Alberta’s own Personal Information Protection Act, which has had a breach notification provision since 2009. However, unlike the Alberta law, the Digital Privacy Act would also require organizations to maintain records of all data breaches involving personal information under their control—even if they do not require reporting to the Commissioner or to affected individuals—and to provide these records to the Commissioner on request. Failure to comply with these requirements could also result in a fine of up to $100,000.

The law also creates an explicit authority to enable the federal Privacy Commissioner to enter into a compliance agreement with an organization, where the Commissioner believes on reasonable grounds that the organization has, or is about to, contravene the Act.  If such an agreement is later contravened, the Commissioner will be able to apply to the Federal Court of Canada for a remedial order, even if the original limitation period for such an application has lapsed. The law also extends the limitation period for an application to the Federal Court for damages or injunctive relief to one year after the Commissioner issues a report of findings or otherwise discontinues an investigation. Previously, such applications had to be brought by either the Commissioner or a complainant within 45 days of a report of findings or discontinuation.

The Digital Privacy Act also imposes new requirements on the form of consent that the Act requires from individuals respecting the handling of their personal information. Going forward, any consent will be valid only if an individual to whom an organization’s activities are directed would understand the nature, purpose and consequences of the collection, use and disclosure of the personal information to which they are consenting. In introducing the bill originally, the government indicated that the revised consent provision is intended to better protect children and adolescents, although some have expressed concern that the proposed amendment may require “customized” consent language for a much broader range of constituencies. In light of the revised language, companies should review their existing privacy policies and requests for consent to the collection, use and disclose personal information in order to ensure that the intended audience will understand the nature, purpose and consequences of the data usage to which they are consenting. This is particularly true for businesses targeting children and youth, but could also extend to other potentially vulnerable groups, such as senior citizens and recent immigrants.

The law contains a number of amendments that are beneficial to the business community. For example, it expands the scope of “business contact information,” a category of personal information excluded from the application of the Act, to include any information that is used to communicate with an individual in relation to their employment, business or profession. In other words, the Act will not apply to business-contact information that is used solely for the purpose of communicating with an individual in relation to their employment, business or profession.

The Digital Privacy Act fills another important gap in PIPEDA, whereby companies currently require consent to disclose personal information to buyers, or potential buyers, of a business—creating complexities if the seller has not previously secured such consent through its privacy policy.  The law now includes an exception allowing for the use and disclosure of personal information, without consent, in the context of prospective or completed business transactions, such as the sale of a business or portion thereof.  Similar exceptions are currently available under both the Alberta and British Columbia private sector privacy laws.

One controversial change in the Digital Privacy Act is an amendment to PIPEDA that permits an organization to disclose personal information without consent to any other organization in connection with investigations of a breach of a law or agreement, or for the purposes of detecting, suppressing or preventing fraud. Many observers have raised concerns about the apparently broad scope of this provision, which could, for example, authorize internet service providers to disclose subscriber identities to copyright holders alleging online infringement.

Organizations doing business in Canada will want to review their privacy compliance programs to ensure compliance with the amended federal law, particularly with respect to breach reporting and breach record retention. Many will also be watching closely for the announcement of the date on which the data breach notification provisions come into force. In particular, businesses might be well advised to

  • Develop and implement policies and procedures respecting the creation and retention of records of all data breaches;
  • If they have not already done so, put together a specialized data breach response team, and protocols for the assessment of data breaches and potential reporting to affected individuals and regulators;
  • Review all documents and communications through which consent to the handling of personal information is obtained, to ensure that such communications will be meaningful to the intended audience;
  • Review and revise, as necessary, privacy policies and internal procedures respecting the situations in which the organization may disclose personal information to other organizations for the purpose of investigation breaches of law or for detecting, suppressing or preventing fraud, as well as what documentation will be required in order for such disclosures to be made.

On the third anniversary of the EU Commission’s proposed new data protection regime, the UK ICO has published its thoughts on where the new regime stands. The message is mixed: progress in some areas but nothing definitive, and no real clarity as to when the new regime may come into force.

The legislative process involves the agreement of the European Commission, the European Parliament and the Council of Europe (representing the governments of the member states). So far the European Parliament has agreed its amendments to the Commission’s proposal and we are still waiting for the Council to agree it’s amendments before all three come together and try and find a mutually agreeable position.

The Council is guided by the mantra “nothing is agreed until everything is agreed”, and so even though there has been progress with the Council reaching “partial general agreement” on international transfers, risk-based obligations on controllers and processors, and the provisions relating to specific data processing situations such as research and an approach agreed on the one-stop shop principle (allowing those operating in multiple states to appointed and deal with a single authority), this progress means nothing until there is final agreement on everything. At this stage that means all informal agreements remain open to renegotiation.

It is noted that Latvia holds the presidency of the Council until June 2015. The Latvians have already noted that Anydata protection reform remains a key priority but progress has been slow and time may be against them. Where Latvia fails, Luxembourg will hopefully succeed as it takes up the presidency from June.

The ICO is urging all stakeholders to push on with the reform, although they see the proposed timetable of completion of the trilogue process by the end of 2015 as being optimistic. Instead a more reasonable timetable may be a final agreement by mid-2016 with the new regime up and running in 2018.

On 26 November 2014, the Article 29 Working Party adopted a working document on establishing a cooperation procedure for issuing common opinions on whether contractual clauses are compliant with the European Commission’s Model Clauses (Model Clauses).

The working document establishes the procedure in which companies wishing to use identical contractual clauses in different Member States for transfers of personal data outside the European Economic Area (EEA) are able to obtain a coordinated position from the relevant Data Protection Authorities (DPA) on the proposed contracts, without the need to approach each relevant DPA individually for approval.

Background

Model Clauses represent one of the ways that a data controller can overcome the general prohibition contained in the EU Data Protection Directive (95/46/EC) on cross-border transfers of personal data to countries outside the EEA that do not offer adequate levels of data protection.  The Model Clauses are intended to be used without amendment – although some divergence, e.g., through the use of additional clauses having no impact on the overall compliance of the Model clauses adopted, may be acceptable.

Company groups in Europe often use identical contractual clauses in different jurisdictions for the purposes of transfers out of the EEA.  However, differing implementation of the Data Protection Directive between Member States has resulted in the situation whereby some jurisdictions require DPA approval of the Model Clauses used (such as Austria, Denmark, France and Spain), whether used with or without amendment, whereas other jurisdictions do not require such DPA approval where the Model Clauses are used without amendment.  The result of the above is that it may be possible that identical contracts using the Model Clauses with only minor amendment are considered compliant by a DPA in one jurisdiction but not in others.

According to the Working Party, the purpose of this working document is to create a procedure allowing companies to obtain a coordinated position from the relevant DPAs when using identical contractual clauses based on the Model Clauses with minor amendment, in particular as to whether the contractual clauses are compliant with the Model Clauses.

The Process

Should a company wish to know whether its contract is compliant with the Model Clauses, under the proposed cooperation procedure, it will first need to ask the DPA it believes is entitled to act as the lead DPA to launch the EU cooperation procedure.

The company will then need to provide the lead DPA a copy of the contract, indicating the references to the Model Clauses together with any divergences and additional clauses, as well a list of EEA countries from which the company will be carrying out the transfers.

The Lead DPA

The Working Party has suggested that the company should choose the lead DPA from a Member State in which the transfers will take place and it will be for the company to justify why the DPA should be considered the lead.  According to the Working Party, the following criteria should be considered by the company:

  1. The location from which the contractual clauses are decided and elaborated;
  2. The place where most decisions, in terms of the purposes and the means of the processing, are taken;
  3. The best location, in terms of management functions, administrative burden, etc., for the handling of the application and the enforcement of the contractual clauses;
  4. The Member States within the European Union from which most transfers outside the EEA will take place; and
  5. The location of the group’s European headquarters or the location of the company within the group with delegated data protection responsibilities.

The lead DPA will then have two weeks to respond to the company and accept the role of lead DPA.  If it accepts the role, it will forward all information to the other DPAs that will be involved in the process and identify the proposed reviewer DPAs.

The reviewer DPAs will need to respond to the lead DPA indicating whether they accept their roles and the lead DPA will be in charge of considering if the proposed contract is in conformity with the Model Clauses.

The Cooperation Procedure

Once the lead DPA has established whether the proposed contract is compliant with the Model Clauses, it will prepare a draft letter that it will share with the reviewers.  The reviewers will have one month to consider the letter and provide any comments.  The letter will then be sent to the other relevant DPAs, who will have one month to respond with any comments.  Should there be no response from these DPAs, they will be deemed to have agreed to the draft letter.

Once the process is complete, the lead DPA will sign the letter on behalf of the other DPAs and send the letter to the company, specifying whether the proposed contract conforms to the Model Clauses.  From this point, the EU cooperation procedure is closed and the letter will be taken into consideration as a basis for providing the necessary national authorisations or permits from the relevant national bodies.

Comment

This process should be welcomed at least as an attempt to ease the administrative burden on data controllers when they wish to transfer personal data overseas.  Under the process, data controllers will be able to obtain a common position from the relevant DPAs in the jurisdictions affected through a single point of contact, which should provide some comfort.  However, it should be noted that a positive letter from the lead DPA will not dispense of the need to obtain DPA authorisations from those jurisdictions that require as such by law, nor necessarily guarantee that such authorisations will be granted.  Furthermore, it remains to be seen whether this will actually streamline the process or add further to delays.