On 12 July 2016 the European Commission adopted a decision under Directive 95/46/EC on the adequacy of the protection provided by the EU–US Privacy Shield, confirming that entities operating in the United States that meet the conditions specified in the Privacy Shield programme will be deemed to provide an adequate level of protection of personal data. This means that it will be permissible to forward personal data to such entities without the need to apply other mechanisms to ensure adequate protection of the data, such as binding corporate rules or approval of the data protection authority.
The EU–US Privacy Shield Framework is the successor to the Safe Harbour programme, developed and implemented by the US Department of Commerce with the aim of enabling entities operating in the United States to voluntarily comply with data protection standards and obtain administrative confirmation of compliance. Consequently, such entities are deemed to provide an adequate level of protection of personal data, and thus, from the European perspective, may receive personal data of data subjects from the EU.
The years of functioning of the Safe Harbour programme revealed its numerous weaknesses, the most important of which were:
- Lack of real enforcement of data subjects’ rights
- The unlimited ability to outsource processing of personal data to entities operating outside of the Safe Harbour regime
- Access by security services enabling mass surveillance of individuals’ data.
Safe Harbour was overturned in October 2015, and the irregularities found in that programme were addressed in Privacy Shield.
Will Privacy Shield live up to the expectations for data protection as understood from a European perspective? This will have to be shown in practice. But it must be fairly admitted that in developing Privacy Shield, the issues raised by Safe Harbour were carefully considered and remedies were constructed for the greatest drawbacks of that programme.
Voluntary compliance and enforcement
As in the case of Safe Harbour, joining the programme and obtaining the necessary certification is voluntary, but the participant will undergo periodic audits and reviews conducted by the DoC. The records on the site show the date the participant joined the programme as well as the scheduled date of its next audit. A negative result in a periodic review or other finding of irregularities can have concrete consequences for the participant, including suspension or removal from the programme.
Transparency and limited purpose of data processing
Processing of data by participants in Privacy Shield will be subject to new rules in terms of openness and communications, as well as the actual possibilities for processing. In the area of communications, participants will be required to notify data subjects of the purposes for which their data are provided to third parties. They will also have to indicate the sanctions faced by the data controller in the event of unauthorised release of data to third parties, and to instruct the data subject on the right to access the data and the rights and mechanisms for pursuing claims arising out of violations.
With respect to the scope and purpose of processing of data, data subjects have been ensured greater control over “secondary processing”—processing of data for purposes beyond the purposes explicitly or implicitly permitted on the basis of the person’s consent. Under Privacy Shield, a participant in the programme intending to begin processing a person’s data for purposes “materially different” from the purposes the data subject previously consented to will first have to offer the data subject an opt-out: the possibility of withdrawing consent or objecting to the processing for new purposes. By contrast, under Safe Harbour active offering of an opt-out was required only when the data controller intended to process the data for purposes “incompatible” with the purposes the data subject originally consented to.
Onward transfer of data
Onward transfer of data processed by a participant in Privacy Shield will be subject to strict limitations. If the data are to be forwarded to a data controller, then a written agreement will be required, in which the recipient of the data undertakes to process the data exclusively within the limited scope necessary to achieve the purposes indicated by the data subject in the consent to processing of the data, and ensures that processing of the forwarded data will be conducted in compliance with the same level of protection as required by Privacy Shield.
Similar requirements will apply to outsourcing of data processing. The processing agreement will have to be produced at the request of the Department of Commerce.
Mechanisms for effective enforcement of data protection rights
The existence of effective and enforceable rights of data subjects is a key indicator for determining whether personal data are adequately protected. As pointed out in the legal literature several years ago, “It is not necessary for the protection in a third country to be the same as it is in Poland. What is essential first and foremost is that the fundamental rules of protection are analogous (we have in mind e.g. the principle of being bound by the purpose of the processing, the principle of data quality, measures ensuring the security of data, and obviously the principle of special protection when forwarding data on to a third country. It is important that the interested party (the data subject) be entitled to essentially the same rights as provided by Polish law” (J. Barta, P. Figielski & R. Markiewicz, Komentarz do ustawy o ochronie danych osobowych (Commentary on the Personal Data Protection Act), Lex 2011). In other words, it is key for a mechanism to exist enabling recourse to a court or public administrative body with authority to apply instruments forbidding a specific violation, ordering restoration of legal compliance, and imposing adequate sanctions on violations.
The catalogue of sanctions that may be applied if a violation is found includes administrative sanctions analogous to those applied by Poland’s data protection authority, GIODO. For example:
- Removal or suspension from the Privacy Shield programme
- Restoring a state of legal compliance and redressing the consequences of the violation
- An order to cease and desist processing of data
- An order to delete data
- Public announcement of violations.
Civil sanctions are also provided for, i.e. payment of damages to the person injured by a data violation.
Several mechanisms for enforcement of the rights of data subjects were designed as part of Privacy Shield. The first of these is a complaint filed directly with the entity processing the data, alleging a violation, which the processor must response to within 45 days. Another is free use of alternative dispute resolution methods. A complaint can also be filed with the data protection authority of the country where the data subject resides, and that authority is then required to intervene in that person’s case with the US Department of Commerce. Significantly, the ADR bodies are required to notify the DoC of violations they find.
If none of these mechanisms leads to a satisfactory resolution, cases may be heard by arbitrators on a Privacy Shield Panel, operating under specific procedures adopted by the panel. The members of the panel will be named by the US DoC and the European Commission. To ensure realistic access to arbitration for EU citizens, solutions have been adopted such as:
- Support for data subjects from their data protection authority in formulating their claims
- Participation in arbitration hearings by telephone or video conference
- Availability of simultaneous translation of the hearing into the complainant’s language.
National security and Ombudsman
Access by security services to huge quantities of personal data as a result of mass surveillance, and the social response to that, was what finally killed Safe Harbour. In creating the new programme and a new legal reality, the US assured the EU that access to data by public authorities—connected with law enforcement and national security issues—would be limited, and in particular they would conduct no “general” processing of any and all personal data, but only processing of specific data in justified instances. It has been promised that filters will be used to minimise the quantity of data retained. For these undertakings to be enforceable, an Ombudsman has been appointed who is independent of US intelligence agencies and charged with resolving complaints by individuals alleging violation of their personal data in connection with national security operations.
Sylwia Paszek, Personal Data Protection Practice, Wardyński & Partners