More than nine months after the Court of Justice of the European Union struck down Safe Harbor, and five months since the Privacy Shield agreement was first announced, it’s official. Privacy Shield is approved. Organizations seeking to transfer European data to the U.S. will be able to sign up for certification starting August 1, according to U.S. Commerce Secretary Penny Pritzker.
When the provisional text was released in March, we covered the operational changes in Privacy Shield, which are contained within Annex II of the Privacy Shield framework and are outlined in a set of Principles. Since then, Privacy Shield has undergone review by the Article 29 Working Party, the European Parliament, the European Data Protection Supervisor, and, finally, the Article 31 Committee. The new text, released today, addresses many of the concerns that were raised on review.
The most significant changes concern the thorny issue of U.S. national security access to European data, and they largely don’t affect companies participating in the transfer mechanism. The new Privacy Shield text, for example, contains additional assurances and clarifications around the bulk collection of signals intelligence. For companies seeking to self-certify to Privacy Shield, however, there are several tweaks to the text that are noteworthy. In particular, the latest Shield language clarifies standards around secondary processing, retention periods and onward transfers of personal information.
Greater detail on what counts as compatible secondary processing
To comply with Privacy Shield, an organization may process only personal information that is “relevant for the purposes of processing.” Moreover, “an organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.” This language is contained within the Data Integrity and Purpose Limitation Principle.
Critics worried that allowing processing so long as it is “relevant” and not “incompatible” could permit overly broad interpretations and practices. The new Privacy Shield text therefore adds examples of compatible processing activities. What will be considered compatible depends on the circumstances, but may include processing “that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.”
The Commission’s adequacy decision also provides new clarification that these rules around compatible processing interact with the Choice Principle. Thus, “where a new (changed) purpose is materially different but still compatible with the original purpose, the Choice Principle gives data subjects the right to object (opt out).” This does not mean, however, that an organization can use an opt-out mechanism for incompatible processing.
Privacy Shield adopts a “risk-based approach” to deidentification and data retention
The new text adopts a “risk-based approach” to defining identifiable personal information for the purposes of secondary processing. While a Shield-certified organization may retain personal information “only for as long as it serves a [the original or compatible] purpose of processing,” it may retain the information indefinitely if it is not “in a form identifying or making identifiable the individual.” Whether an individual remains identifiable in a dataset depends on the ability of the organization or any other third party to identify the individual “given the means of identification reasonably likely to be used (considering, among other things, the costs of and the amount of time required for identification and the available technology at the time of the processing) and the form in which the data is retained.”
This risk-based framework notably conflicts with the Article 29 Working Party’s definition of identifiability under the Data Protection Directive, which allowed for essentially zero risk of reidentification.