The Adoption of the EU-U.S. Privacy Shield
The European Commission (EC) has just adopted the new framework for transatlantic flows of personal data from the European Union (EU) to the United States – the EU-U.S. Privacy Shield – which provides stronger protection for transatlantic personal data flows[1]. The Privacy Shield aims to ensure the highest standards to protect the fundamental privacy rights of Europeans and provides legal remedies to enforce the proper transfer of their personal data to the U.S. The new framework brings back commercial certainty for businesses that transfer data across the Atlantic.
Background
The EU Data Protection Directive[2] (the “Directive”) requires companies collecting personal data of EU citizens to retain such data within the European Economic Area, unless it is being transferred to a jurisdiction that ensures ‘adequate’ protection of such personal data in line with the EU privacy rules. In July 2000, the European Commission declared that the EU-U.S. “Safe Harbor Scheme”, established by the European Commission and the U.S. Department of Commerce (the “DOC”), would provide adequate protection of personal data (the “Safe Harbor Framework”)[3]. The scheme was widely adopted to legitimize transfers of personal data from the EU to U.S.-based organisations that certify to and comply with the Safe Harbor Framework’s principles.
On October 6, 2015, the Court of Justice of the European Union ruled in the Schrems case[4] that transfers of personal data from the EU to the U.S. can no longer rely on the Safe Harbor Framework, and invalidated it. The ruling came after Edward Snowden’s NSA leaks showed that European data stored by U.S. companies was not safe from surveillance that would be considered illegal in the EU. In practice, the Safe Harbor Framework was unable to prevent large-scale access by the U.S. intelligence authorities to data transferred from Europe. The judgment made it clear that the national supervisory authorities in the member states of the EU, having the responsibility of monitoring the implementation of the Directive, would have to be able to examine each individual case independently, and more specifically, decide whether the transfer of a person’s data from the EU to a third country complied with the Directive’s requirements. Such discretionary powers were not embedded in the Safe Harbor Framework which provided a “blanket” allowance.
As the flow of personal data between the EU and the U.S. is essential to both territories’ society and economy, it became necessary to find a new solution which would enable the legal transfer of such data. Hence, in February 2016 the European Commission and the U.S. Government reached a political agreement on a new framework for transatlantic exchanges of personal data for commercial purposes – the EU-U.S. Privacy Shield (IP/16/216) – and on July 12, 2016, its adoption procedure by the European Commission was finalized (the “Privacy Shield”). The Privacy Shield enters into force immediately and companies will be able to certify with the DOC from August 1, 2016. Companies that have previously been Safe Harbor certified cannot automatically transition to this framework. Prior to certifying with the DOC, companies will have to assess their compliance against the new and stronger requirements of the Privacy Shield, including by updating their privacy practices and policies.
The Privacy Shield Principles
The Privacy Shield reflects the requirements set out by the Court of Justice of the European Union in the Schrems case, which, as detailed above, declared the Safe Harbor Framework invalid. The Privacy Shield essentially provides a system of self-certification by which U.S. organizations can commit to a set of privacy principles issued by the DOC and reflected in the Privacy Shield.
The key principles of the Privacy Shield are as follows:
1. Strong obligations on companies that collect and process Europeans’ personal data: The Privacy Shield brings stronger data protection standards for companies receiving personal data from the EU, such as (a) companies should take “reasonable and appropriate” security measures in order to protect personal data; (b) companies are obliged to provide information to data subjects on numerous issues, including the type of data collected, the purpose of its processing, the right of access to collected data, conditions for onward transfers and liability; and (c) the personal information should be used only for the purpose for which it was initially provided and can be retained only for as long as it serves such purpose.
Under the new framework, the DOC will conduct periodic inspections in order to monitor compliance by certified Privacy Shield companies with the Privacy Shield principles. In the scope of such regulatory investigation, U.S. companies may be required to make their records on the implementation of and compliance with the Privacy Shield available to the DOC. Failure to comply with the Privacy Shield principles may result in sanctions and removal from the certified list.
The new framework also includes an obligation to guarantee that onward transfers of personal data from a Privacy Shield company to third parties will be made at the same level of protection required by the Privacy Shield’s principles. Therefore, U.S. companies transferring data to a third-party processor must have contracts in place that protect personal data of EU citizens. Further, U.S. processors should be contractually bound to act only on instructions from the EU controller and to assist the controller in responding to individuals exercising their rights under the Privacy Shield.
2. Effective protection of individual rights: the new framework includes several alternative, accessible and affordable dispute resolution mechanisms, such as free-of-charge Alternative Dispute Resolution (ADR), recourse to the national Data Protection Authorities (DPAs), which will work with the Federal Trade Commission to resolve complaints, and an arbitration mechanism.
3. Clear safeguards and transparency obligations on U.S. government access: under the new framework the U.S. has given the EU assurance that access by U.S. authorities for law enforcement and national security purposes will be subject to transparency obligations and other limitations, safeguards and oversight mechanisms in line with the Privacy Shield, and that such access will be made only when necessary. Indiscriminate mass surveillance of Europeans’ personal data (as was enabled by the Safe Harbor Framework’s “blanket” allowance) is not permitted. Bulk collection of data can only be used under specific preconditions and needs to be as targeted and focused as possible.
Application in Israel
Israeli privacy laws impose restrictions, similar to those contained in the European Directive on data protection, on the transfer of information held in databases in Israel to other countries[5]. Where an organization wishes to transfer information to a third party located outside of Israel, the organization must ensure that the transfer outside of Israel is conducted in compliance with such requirements. The status of Israel as a non-EU state affording “adequate” levels of data privacy protection has allowed for easy flow of information, including in M&A transactions between Israel and EU countries. Israel has had the same ‘issues’ with transferring information to entities in the United States that EU countries have, and most companies relied on the same Safe Harbor Framework in order to legitimize the transfer of personal data from Israel to the U.S.
Prior to the Schrems case, Israeli entities were permitted to transfer personal data from Israel to U.S.-based organizations that certify to and comply with the Safe Harbor Framework’s principles, based on the exception which allows transfer of data to a country which receives data from Member States of the European Community, under the same terms of acceptance. Following the Schrems case, the Israeli Law, Technology and Information Authority (“ILITA”) issued a statement that, pursuant to Schrems, it is no longer permissible to rely on the Safe Harbor Framework as a basis for transfers of personal data from Israel to the U.S. ILITA stated that organizations may continue to transfer data from Israel to the U.S. if they can rely on any of the other exceptions stipulated in the applicable Israeli privacy regulations.
We anticipate that, pursuant to the adoption of the Privacy Shield, ILITA will issue a new statement or guidelines which will enable companies to rely on the Privacy Shield as a basis for transfers of personal data from Israel to certified U.S. companies. We will update once ILITA publishes its opinion regarding this matter.
____________
[1] http://ec.europa.eu/justice/data-protection/files/privacy-shield-adequacy-decision_en.pdf
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
[3] European Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce (OJ 2000 L 215, p. 7).
[4] Judgment in Case C-362/14. Maximillian Schrems v Data Protection Commissioner (October 6, 2015).
[5] See generally, the Israeli Privacy Law and Privacy Protection Regulations, 5761-2001, KT No. 6113 p. 900 (Isr.).
* * *
For further information regarding this update, please contact Adv. Ella Tevet, Partner, Head of IP Practice, at ellat@gkh-law.com or 03-6074588.