On October 27, 2015, Wilson Elser released a client alert that discussed the EU Court of Justice’s invalidation of the long-standing Safe Harbor program, previously relied on by many organizations as a means of authorizing transfers of EU citizens’ private data to the United States. U.S. companies eagerly awaited news of a replacement for Safe Harbor and kept a close watch as the January 31, 2016, grace period on enforcement announced by the EU Article 29 Working Party expired. News of a new framework broke in early February and the European Commission released extensive documentation revealing the details of Safe Harbor’s proposed replacement – the EU-U.S. Privacy Shield program (Privacy Shield) – on February 29, 2016.
Privacy Shield encompasses seven principles for assuring adequate protection when transferring and processing personal data originating in the European Union. Similar to Safe Harbor, organizations can self-certify their compliance with these principles, provided they (1) commit to the U.S. Department of Commerce that they will adhere to the Privacy Shield Principles, (2) publicly declare their commitment to the Privacy Shield Principles, and (3) actually implement the Principles. Once compliance is certified, organizations may seek inclusion on the Department of Commerce’s list of certified organizations, effectively authorizing them to transfer the personal data of EU residents to the United States.
Privacy Shield Principles
- Notice. Privacy Shield requires organizations to provide notice regarding the type of data collected, the purposes for which it is collected, any third parties to which the data may be transferred, individuals’ right to access their data, and how individuals can limit use and disclosure of personal data. The organization also must provide notice of its participation in Privacy Shield, acknowledge applicable enforcement authorities and describe recourse mechanisms available.
- Choice. Organizations must provide clear, conspicuous and readily available mechanisms allowing individuals to opt out of any disclosure of their personal data to third parties, or use of their personal data other than the purpose(s) for which it was initially collected or subsequently authorized by the individual. Certain sensitive information will require individuals to opt in affirmatively.
- Security. As under Safe Harbor, participating organizations must take “reasonable and appropriate measures,” based on the risks involved and the nature of the personal data, to protect the data “from loss, misuse and unauthorized access, disclosure, alteration and destruction.”
- Access. Privacy Shield–certified organizations must provide individuals with access to and the opportunity to correct, amend or delete inaccurate or improperly processed personal data. Individuals also must be allowed to confirm that their personal data is being processed. An organization may restrict access to data “in exceptional circumstances.”
- Data Integrity and Purpose Limitation. Privacy Shield requires not only that any data collected be “relevant for the purposes of processing” but also that organizations limit collection to relevant data only. Participating organizations also must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.”
- Accountability for Onward Transfer. Certified organizations’ contracts with third parties receiving personal data must require that such data “may only be processed for limited and specified purposes” consistent with the level of consent given by the data subject. Third-party transferees also must agree to “provide the same level of protection as the [Principles].” Certified organizations also must “take reasonable and appropriate steps” to ensure third-party agents adhere to the Principles, and are required to stop and remediate any unauthorized processing by third parties, if necessary. Importantly, with limited exceptions, certified organizations remain liable to data subjects for any vendor’s violation of the Principles.
- Recourse, Enforcement and Liability. Perhaps Privacy Shield’s most significant new features are its recourse and dispute resolution provisions. Complaint-handling processes must be implemented to obtain Privacy Shield certification. To ensure effective enforcement, Privacy Shield requires (1) procedures for verifying representations made about privacy practices, (2) recourse for data subjects and (3) remedies for failures to comply with the Principles. These newly required “independent recourse mechanisms” are empowered to provide remedies separate from regulators’ enforcement authority.
Because the extent of U.S. government surveillance of personal data was a primary reason why the Safe Harbor program was invalidated, in support of Privacy Shield the U.S. Office of the Director of National Intelligence and the U.S. Department of Justice have furnished letters outlining the legal safeguards that will limit U.S. government access to personal data transferred pursuant to Privacy Shield. In addition, the U.S. Secretary of State is set to appoint a Privacy Shield Ombudsperson, who will be responsible for handling European complaints regarding whether personal data transferred under Privacy Shield has been accessed by U.S. intelligence activities.
In addition, the Judicial Redress Act of 2015, signed into law on February 24, 2016, allows EU citizens to bring civil actions against U.S. government agencies under the Privacy Act of 1974 to access, amend or correct records about them or seek redress for the unlawful disclosure of those records.
Certification and Compliance
Privacy Shield is expected to be approved by the European Commission later this year and published in the Federal Register shortly thereafter. Organizations that self-certify within the first two months following publication will be given nine months to bring all third-party relationships into compliance. Two months after the effective date, the Principles become binding on an organization immediately upon certification. Privacy Shield will thereafter undergo annual joint reviews by EU and U.S. authorities.
All organizations that intend to become Privacy Shield certified are strongly encouraged to immediately begin updating their policies to meet Privacy Shield’s heightened obligations, including reviewing their third-party agreements to ensure compliance.