U.S. organizations transmitting personal information across the Atlantic can breathe a sigh of relief – sort of. The U.S. and E.U. agreed this month to a new framework designed to protect the online privacy of E.U. citizens and to mitigate legal exposure for U.S. entities transmitting personal information across the Atlantic. The agreement, known as Privacy Shield, replaces Safe Harbor, a fifteen-year-old privacy agreement that was ruled invalid last October by the Court of Justice of the European Union (“CJEU”), the highest E.U. court.
This developing area of the law is often not on the radar of nonprofit organizations. In fact, many nonprofits are not eligible to participate in Privacy Shield or its Safe Harbor predecessor. However, as discussed below, Section 501(c)(6) trade associations and certain other nonprofit entities should qualify for the legal protections available under these frameworks. Since the abrogation of Safe Harbor, many eligible nonprofits have faced uncertainty regarding the legal status of their transatlantic data transfers. Privacy Shield promises both to protect E.U. citizens’ personal information and to shelter qualifying U.S. nonprofits and other entities that comply with its terms.
It may be too soon to celebrate, however. The specific terms and conditions of Privacy Shield have not yet been disclosed. Furthermore, it is not clear that the new agreement will pass legal muster with E.U. Data Protection Authorities (“DPAs”) once the details are published. Until this occurs, U.S. organizations conducting transatlantic transfers of personal information remain in murky legal waters. During this period of uncertainty, U.S. organizations should continue to rely on alternative legitimization mechanisms (discussed below).
Background: Safe Harbor, Applicability to Nonprofits and its Abrogation.
At issue is the handling of online users’ personally identifiable information (“PII”). The U.S. and E.U. have historically taken different approaches to the online privacy of users’ PII. The E.U. regards online privacy as a right of paramount importance, and recognizes an individual’s “right to be forgotten” with respect to their PII. The legal approach in the U.S. does not provide the same level of rights and protection to users as E.U. requirements do, and generally favors freedom of expression over individuals’ privacy rights. To address these philosophical and legal differences, in 2000 the E.U. and U.S. agreed to the Safe Harbor Privacy Principles. Under Safe Harbor, U.S. companies could self-certify that they met the “adequate level of protection” required by the E.U. Companies that self-certified could mitigate their exposure to privacy claims emanating from the E.U., and E.U. citizens were assured of certain minimum protections for their personal information.
Nonprofits and the FTC/Safe Harbor
In the United States, Safe Harbor was administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission (“FTC”). Generally speaking, only U.S. organizations subject to the jurisdiction of the FTC could participate in Safe Harbor. Although FTC jurisdiction covers most industry sectors, it does not extend to most nonprofits. Accordingly, Safe Harbor was not an option for many nonprofits.
However, the FTC does have jurisdiction over nonprofits that carry on business for the profit of their members (e.g., trade organizations whose activities provide greater than de minimis or presumed economic benefit to for-profit members), including lobbying, litigation, marketing, and public relations efforts conducted on behalf of their members’ interests. Increasingly, a wide array of nonprofits conduct such activities, making them subject to FTC jurisdiction and, therefore, eligible to participate in Safe Harbor.
E.U. Abrogates Safe Harbor
Last year, in the wake of Edward Snowden’s disclosures of the monitoring of online data by the National Security Agency and other U.S. governmental bodies, serious doubts arose in the E.U. about the privacy of E.U. citizens’ personal information being transferred to the U.S. In October 2015, in Maximillian Schrems v. Data Protection Commissioner, the CJEU considered the complaint of an Austrian national who objected to Facebook’s transfer of his personal data from Facebook’s Irish servers to the company’s servers in the U.S., alleging that the U.S. failed to meet E.U. data protection standards. The CJEU ruled in favor of Schrems and declared the Safe Harbor framework invalid. The Schrems decision left U.S. organizations scrambling for alternative ways to legitimize their transatlantic data transfers, and put serious pressure on U.S. and E.U. authorities to develop a replacement framework.
The New Agreement: Privacy Shield
On February 2, 2016, after months of post-Schrems negotiations, E.U. and U.S. authorities announced their replacement for Safe Harbor: Privacy Shield. According to the U.S. Department of Commerce, “The Privacy Shield strengthens cooperation between the Federal Trade Commission and EU Data Protection Authorities, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield.” Privacy Shield is expected to include the following.
- Additional channels for redress of privacy violations for E.U. individuals.
- Participating U.S. entities must agree to mandatory arbitration as a “matter of last resort.”
- Commitments by U.S. authorities to no longer conduct mass monitoring and surveillance of E.U. citizens.
- The Department of Commerce, the FTC, and E.U. Data Protection Authorities will hold annual review meetings to discuss the functioning of and compliance with Privacy Shield.
- Participating entities must accept additional data security obligations in their contractual relationships with third parties.
As discussed above, specifics regarding the above additional provisions have not yet been disclosed, so it is difficult to determine the impact of the new provisions on participating organizations.
In addition, while the E.U. and U.S. have agreed in principle to the terms undergirding Privacy Shield, actual implementation of the framework hinges on approval by a group of E.U. DPAs known as the Article 29 Working Party (“WP29”). The WP29 is in the process of assessing whether Privacy Shield would hold up if tested (à la Schrems) in the CJEU. If WP29 determines that Privacy Shield does not pass legal muster, the legitimacy of data transfers between the U.S. and the E.U. will once again be in doubt.
In the Interim: Alternative Legitimization Mechanisms
Given the above uncertainties, during this waiting period, organizations should take alternative steps to legitimize their transatlantic transfers. There is no one-size-fits-all approach to legitimization efforts, but the following three mechanisms can provide some measure of protection in the appropriate context.
- Model Contract Clauses. The E.U. has approved several sets of Model Contract Clauses (“MCCs”) for inclusion in contracts between U.S. and E.U. entities sharing personally identifiable information. Because of their complexity, MCCs are generally suitable for larger organizations. The transactional costs associated with MCCs may make them cost-prohibitive for smaller organizations.
- Binding Corporate Rules. Binding Corporate Rules (“BCRs”) are utilized by “closely-knit, highly hierarchically structured multinational companies.” BCRs govern the sharing and transfer of data within these organizations. Organizations with corporate subsidiaries could find BCRs a useful means of legitimizing data transfers between parent and subsidiary organizations. BCRs, however, like MCCs, have substantial associated transactional costs, and further require approval by specific E.U. DPAs, making them quite cumbersome to implement.
- Unambiguous Consent. Websites and online servers routinely capture, store, process, and pass on users’ personal information to others – often automatically. Giving users an advance opportunity to give their unambiguous consent to specific uses of their personal information can mitigate an organization’s exposure to privacy claims.
In this context, “unambiguous consent” means consent that is (1) informed, (2) unambiguously given, and (3) freely given, not obtained through compulsion, intimidation, coercion, or deceit. The consent must be an informed indication that the person wishes their personal information to be used in a specific way.
While less costly from a transactional point of view, incorporating unambiguous consent requires an organization to carefully evaluate the ways in which its sites, servers, and third parties use user information. Websites, servers, and agreements with third parties may need to be altered to capture the consent needed to safeguard the organization.
While Privacy Shield certainly shows promise, many questions remain concerning its specific provisions and whether the WP29 will endorse it at all. Until these questions are answered, organizations subject to FTC jurisdiction should continue to pursue alternative legitimization mechanisms to minimize their exposure to E.U.-based privacy claims.
Personally Identifiable Information is information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, or biometric records, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth or mother’s maiden name. It may include information related to an individual’s use of a website as tracked through cookies, web beacons, and other similar tracking technologies.