On July 5, the European Parliament recommended by way of a non-binding resolution from its Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) that the Commission suspend the EU/U.S. Privacy Shield Sept. 1 unless and until all defined corrective actions are taken by the U.S. Department of Commerce. Those corrective actions include, but are not limited to:
- Privacy Shield being made fully compliant with the GDPR.
- Privacy Shield being made fully compliant with the recommendations made by the Article 29 Working Party (now the European Data Protection Board) Nov. 28, 2017.
The following will likely happen: On Oct. 18 (not Sept. 1, as originally announced) the Commission will present its findings to U.S. Secretary of Commerce Wilbur Ross, in Brussels.
- The Privacy Shield will likely not be suspended. It will most likely be allowed to continue with the 2016 Privacy Shield principles unchanged.
- There likely will be no additional changes required to comply with or conform more closely to the GDPR.
- While most of the key WP29 and Commission requirements of last fall will need to have been met, the U.S. Department of Commerce will be likely given time to fulfill the remaining few.
There is one exception: failure by the U.S. administration to appoint a permanent privacy ombudsman by Oct. 18, 2018 may have serious consequences for the Privacy Shield. This article focuses on the evidence and clues provided by the Commission (and the U.S. DoC) that support the belief that Privacy Shield will not be suspended. In addition, while cloning the GDPR is not a requirement for future adequacy decisions for other countries, adherence to a set of principles similar to the 2016 Privacy Shield principles is.
During the EU Parliament debate July 4, Commissioner for Justice Vera Jourova, in the words of a Squire Patton Boggs summary of her statements, "stressed that at this stage suspension is not warranted." According to the same summary, Jourova highlighted that "the Privacy Shield Framework has been functioning even if the system does not work to perfection." She also stated that all open issues raised during the debate are expected to be resolved by Oct. 18, 2018, the date of the second annual review.
The good news is that of all the issues in both the Commission’s report of Oct.18, 2017 and the WP 29 report of Nov. 28, 2017, the ombudsman issue appears to be the only “big issue” on the commissioner’s mind today.
Another piece of good news is that the U.S. Department of Commerce's Privacy Shield website has been extensively revamped to address WP 29 and Commission requests of last year. Processes have been clearly identified and explained. DoC management and oversight processes have been beefed up, according to the DoC, including compliance review and implementation audits.
With respect to the GDPR compliance demanded by the LIBE Committee, the DoC website makes no mention of the GDPR and continues to include only the 2016 Privacy Shield Principles, unchanged.
The Privacy Shield is an adequacy decision, so it might be useful to examine the latest EU documentation on a similar matter, that being the mutual adequacy decision with Japan. The commission stated in its July 17 press release: “An adequacy decision is one of the tools provided for under the General Data Protection Regulation to transfer personal data from the EU to third countries.
"Adequacy does not require the third country's data protection system to be identical to the EU's. It is based on the standard of 'essential equivalence.' It involves a comprehensive assessment of this country's data protection framework, both of the protections applicable to personal data and of the relevant oversight and redress mechanisms available.”
It refers to WP254, the Adequacy Referential published by WP 29 Nov. 28, 2017, which goes to great lengths to underline that an adequacy decision is to be based on Privacy Shield-like principles and not on the letter of the EU's own implementation of those principles, the GDPR.
The Commission's press release sheds light on the process steps required to adopt an adequacy decision, following the usual procedure:
- Approval of the draft adequacy decision by the College.
- Opinion from the European Data Protection Board (EDPB).
- Update of the LIBE Committee.
- Adoption of the adequacy decision by the College.
Given this, existing Privacy Shield-certified companies should expect to see no change on or after Oct. 18. Nothing will really have changed with the program, except that the DoC and participants will need to do what the program originally required of them. No GDPR compatibility will be required, in spite of the European Parliament's resolution of July 5.
The DoC has promised to increase its oversight significantly via review and audit, including a requirement that a participant's verification be fully in place before certification. To demonstrate compliance, a company needs to have it documented. The DoC itself suggests that third-party certifications would be helpful in this respect. Software products can help, as can governance, risk and compliance packages. Look for solutions that let you monitor compliance across multiple third-party vendors and multiple legal regimes at the same time.
All this said, lack of GDPR compatibility could pose problems between data exporters and data importers. Consider what happens when a breach occurs downstream. The Privacy Shield principles impose no breach reporting requirement obliging the Privacy Shield company to tell the EU-based controller, a GDPR-compliant company, of the breach. Further, if the Privacy Shield company is at fault and the controller is penalized by the data protection authority, there is no mechanism in the framework to transfer the liability downstream to the company that caused it. Clearly, tight contracts between all parties are required.
In that vein, controllers may come to the conclusion that the best approach for them is to use standard contractual clauses instead of the Privacy Shield to transfer data. Companies that elect to continue with the Privacy Shield will need GDPR compliance as well, for data they might receive directly from EU data subjects. Software, coordination and simplification of processes can help here.
Hilary Wandall, chief data governance officer and general counsel for TrustArc said, "Pursuant to Supplemental Principle 7 on verification, participating organizations are required to verify their compliance with Privacy Shield either through an internal self-assessment or an outside compliance review. A number of organizations elect to undergo an annual outside compliance review. As reported by TRUSTe, a subsidiary of TrustArc, in its annual Privacy Shield report, close to 400 organizations completed an outside compliance review with TRUSTe during the last annual reporting period." Wandall added, “The complexity of privacy requirements and how they apply to businesses that operate across jurisdictions necessitates analysis of the interoperability among requirements. At TrustArc, we have evaluated interoperability between implementing the Privacy Shield principles and implementing the GDPR principles and requirements for individual rights and data processors and found approximately 70 percent alignment.”