On October 18, 2017, the European Commission published its report and supporting documents regarding its first annual review of the EU-U.S. Privacy Shield (Privacy Shield), which sets forth procedures and safeguards for transferring personal data from the European Union (EU) to the United States. The report concludes that Privacy Shield “ensures an adequate level of protection for personal data” transferred from the EU to the United States.
The EU Commission met with U.S. authorities involved with Privacy Shield in Washington D.C. in September of 2017 as part of the mandatory Annual Joint Review meetings conducted to review the adequacy of Privacy Shield. The EU Commission also received input from Privacy Shield certified companies, nongovernmental organizations, U.S. authorities, and EU data protection authorities regarding the administration of Privacy Shield since it became operational in August 2016.
In finding that Privacy Shield continues to provide adequate safeguards for personal data transferred to the United States from the EU, the Commission stated that the U.S. authorities had enacted several structures and procedures to ensure the correct functioning of Privacy Shield such as new redress possibilities for EU individuals, complaint-handling and enforcement procedures, increased cooperation with EU data protection authorities, a well-functioning self-certification process, and relevant safeguards regarding access to personal data by U.S. public authorities for national security purposes.
Significantly, the EU Commission also provided several recommendations for improving the functioning of Privacy Shield including:
-
more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce;
-
increased enforcement against companies that falsely claim to participate in Privacy Shield;
-
providing more information to EU individuals about how to exercise their rights under Privacy Shield including how to lodge complaints;
-
closer cooperation between U.S. and EU regulators, notably to develop guidance for companies and regulators;
-
enacting the protections afforded to individuals who are not U.S. residents as set forth in the Presidential Policy Directive in the reauthorization and reform of the Foreign Intelligence Surveillance Act (FISA); and
-
the appointment of a permanent Privacy Shield ombudsman, who processes requests from EU individuals relating to national security access to EU-transferred data, and the appointment of additional members to the Privacy and Civil Liberties Oversight Board, which ensures that U.S. executive branch actions regarding terrorism are balanced against the need to protect privacy and civil liberties.
Key Takeaways for Employers
The EU Commission’s finding that Privacy Shield is an adequate method to transfer personal data from the EU to the United States provides some certainty to employers that have self-certified under Privacy Shield or that have waited to see if Privacy Shield would pass muster with the EU Commission before self-certifying. However, Privacy Shield employers should expect greater enforcement efforts from both U.S. and EU regulators.
The EU Commission’s Privacy Shield report is especially relevant for employers that use standard contract clauses rather than Privacy Shield to transfer human resources data between their EU and U.S operations. The validity of standard contract clauses is currently under legal review by the European Court of Justice, which, many predict, will hold that standard contract clauses are invalid for the same reasons the court invalidated the EU-U.S. Safe Harbor framework in 2015, i.e., improper access to EU data by U.S. surveillance agencies. Although the validity of Privacy Shield is also under legal challenge, the fact that the EU Commission has determined that the U.S. has enacted relevant safeguards under Privacy Shield regarding access to personal data by U.S. public authorities for national security purposes bolsters the validity of Privacy Shield and distinguishes Privacy Shield from standard contract clauses.
More importantly, the EU Commission’s Privacy Shield report is significant in light of the General Data Protection Regulation (GDPR), which is set to become effective on May 25, 2018. The GDPR will impose strict requirements upon employers regarding the collection, processing, and transfer of human resources data involving EU employees and applicants and will subject non-compliant employers to fines of up to $20 million euros or 4 percent of annual worldwide revenue, whichever is greater. Consequently, employers currently using standard contract clauses should consider self-certifying under Privacy Shield by May 2018 to ensure that they have a valid mechanism to transfer human resources data from the EU to the United States to avoid these hefty GDPR fines.
Finally, employers should note that both Privacy Shield and the GDPR impose different and often stricter requirements for human resources data than for commercial or consumer data. For example, the GDPR expressly provides that each EU member state can enact its own, stricter requirements for human resources data under national data privacy laws, labor laws, and collective agreements with labor unions. Thus, employers should implement Privacy Shield and GDPR compliance programs, in addition to their commercial and consumer data compliance programs, that are specific to human resources data.