More than nine months after the Court of Justice of the European Union struck down Safe Harbor, and five months since the Privacy Shield agreement was first announced, it’s official. Privacy Shield is approved. Organizations seeking to transfer European data to the U.S. will be able to sign up for certification starting August 1, according to U.S. Commerce Secretary Penny Pritzker.
We covered the operational changes in Privacy Shield when the provisional text was released in March, which are contained within Annex II of the Privacy Shield framework and are outlined in a set of Principles. Since then, Privacy Shield has undergone review by the Article 29 Working Party, the European Parliament, the European Data Protection Supervisor, and, finally, the Article 31 Committee. The new text, released today, addresses many of the concerns that were raised on review.
The most significant changes concern the thorny issue of U.S. national security access to European data, and those changes largely do not affect companies participating in the transfer mechanism. The new Privacy Shield text, for example, contains additional assurances and clarifications around the bulk collection of signals intelligence. For companies seeking to self-certify to Privacy Shield, however, there are several tweaks to the text that are noteworthy. In particular, the latest Shield language clarifies standards around secondary processing, retention periods and onward transfers of personal information.
Greater detail on what counts as compatible secondary processing
To comply with Privacy Shield, an organization may process only personal information that is “relevant for the purposes of processing.” Moreover, “an organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.” This language is contained within the Data Integrity and Purpose Limitation Principle.
Critics worried that allowing processing so long as it is “relevant” and not “incompatible” could permit overly broad interpretations and practices. The new Privacy Shield text therefore adds examples of compatible processing activities. What will be considered compatible depends on the circumstances, but may include processing activities “that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.”
The Commission’s adequacy decision also provides new clarification that these rules around compatible processing interact with the Choice Principle. Thus, “where a new (changed) purpose is materially different but still compatible with the original purpose, the Choice Principle gives data subjects the right to object (opt out).” This does not mean, however, that an organization can use an opt-out mechanism for incompatible processing.
Privacy Shield adopts a “risk-based approach” to deidentification and data retention
The new text adopts a “risk-based approach” to defining identifiable personal information for the purposes of secondary processing. While a Shield-certified organization may retain personal information “only for as long as it serves a purpose of processing” (the original purpose or one compatible with it), it may retain the information indefinitely if it is not “in a form identifying or making identifiable the individual.” Whether an individual remains identifiable in a dataset depends on the ability of the organization or any other third party to identify the individual “given the means of identification reasonably likely to be used (considering, among other things, the costs of and the amount of time required for identification and the available technology at the time of the processing) and the form in which the data is retained.”
This risk-based framework notably conflicts with the Article 29 Working Party’s interpretation of identifiability under the Data Protection Directive, which tolerated essentially no risk of re-identification: data counted as anonymous only if re-identification was not reasonably possible by any party, not merely unlikely in light of cost and effort.
Changes to the Privacy Shield text also allow organizations to retain personal information “for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research, and statistical analysis.” Like the research exemptions in the GDPR, this data retention exemption may allow a broad range of processing activities.
Greater accountability for onward transfers
One of the most important innovations in Privacy Shield, exceeding the requirements of Safe Harbor, is the expansion of accountability for onward transfers of personal information to third parties, outlined under the Accountability for Onward Transfer Principle. A certified organization may transfer data to a third party only if the transfer is governed by contract, regardless of whether the third party is Shield-certified as well.
The contract must limit processing to the terms of the data subject’s consent and hold the third party to the same standards promised by the certified organization. Additionally, the certified organization must “take reasonable and appropriate steps” to ensure that the third party processes the data consistent with the Privacy Shield Principles. Where the third party breaches its duties, the certified organization must “take reasonable and appropriate steps to stop and remediate unauthorized processing.” A Privacy Shield-certified organization remains liable for any downstream third party processing, unless it “proves that it is not responsible for the event giving rise to the damage.”
The new Privacy Shield text adds to this framework a notification requirement for third parties. Under the new text, a third party must notify the certified organization if it can no longer meet its obligations. This duty to notify must be specified in the parties’ contract.
Rules around automated processing are on the horizon
The Commission’s adequacy decision notes that U.S. law protects individuals from adverse decisions that result from automated processing in several specific domains, such as credit lending, mortgage offers, and employment. U.S. law does not, however, provide for broader regulation of automated processing as exists in the EU. The adequacy decision highlights this as “an area that needs to be closely monitored” and records an agreement to discuss automated processing as part of Privacy Shield’s first annual review.
Just two years of relevance?
When the General Data Protection Regulation (GDPR) becomes applicable in May 2018, less than two years from now, it will apply to any organization, anywhere in the world, that processes the personal data of individuals in the EU in connection with offering them goods or services, or that monitors their behavior. The GDPR contains stricter obligations than those of Privacy Shield. Within two years, therefore, organizations in the U.S. that are subject to the GDPR will have to meet the GDPR’s heightened obligations regardless of their Privacy Shield certification.
Privacy Shield addresses this issue in two ways. First, the ongoing process of annual review will allow the Commission to raise the standards required by Privacy Shield as the GDPR gains legal force. Second, the adequacy decision recognizes that “the [Privacy Shield] Principles apply solely to the processing of personal data by the U.S. organization in as far as processing by such organizations does not fall within the scope of Union legislation.” Organizations that decide to certify to Privacy Shield should remain ready to comply with GDPR within two years.