On October 6, 2015, the Court of Justice of the European Union invalidated the European Commission’s (the Commission’s) Safe Harbor Decision, which (previously) allowed U.S.-based companies to transfer personal data of European Union (EU) citizens from the EU to the United States if they complied with certain principles. “Personal data” is a broad term encompassing all data through which a unique person is identified or identifiable. Pepper previously reported on this invalidation [1], and U.S. companies waited with bated breath to see what would take the Safe Harbor Decision’s place. On February 2, 2016, the U.S. Department of Commerce (the Commerce Department) and the Commission announced the new EU-U.S. Privacy Shield (Privacy Shield), which Pepper also reported [2]. Finally, Pepper can now report on the Commission’s July 12, 2016 formal adoption of the Privacy Shield.
On the EU side, the Commission and the European Data Protection Authorities (DPAs) will administer the Privacy Shield. The Commerce Department, the Federal Trade Commission (FTC) and the Department of Transportation (DOT) will monitor and enforce the Privacy Shield on the U.S. side, though other subject-matter regulators may subsequently express interest. The Privacy Shield allows for personal data of EU citizens to flow from entities located in EU member states and European Economic Area member countries to organizations in the United States. By implementing the Privacy Shield, the Commission has deemed that the transfer of data under the Privacy Shield provides an “adequate level of protection for personal data transferred to the U.S.” (Adequacy).
The Privacy Shield consists of several components. The first is the Privacy Shield Principles (the Principles), a code of conduct governing how U.S.-based organizations that make an enforceable commitment to abide by the Principles may handle personal data transferred from the EU to the United States (EU-U.S. transfers). Second, the Privacy Shield provides for Oversight and Enforcement, which outlines how U.S. governmental agencies will administer and enforce the Privacy Shield. Third, the Privacy Shield creates an Ombudsperson Mechanism to handle inquiries and complaints from EU data subjects concerning access to their transferred data by U.S. national security authorities. Fourth and finally, the Privacy Shield puts in place Safeguards and Limitations that require an annual review of Adequacy, including how national security and law enforcement agencies access and use data.
Notably, while the Privacy Shield includes many new, first-time requirements for law enforcement and national security agencies (many of which may implicate the commercial sector), this article focuses on the Principles, which are most applicable to companies seeking Privacy Shield self-certification.
Privacy Shield Principles
While adherence to the Principles is voluntary, U.S. organizations seeking self-certification subject themselves to monitoring and enforcement by the Commerce Department, FTC and/or DOT for failure to comply. There are seven requirements under the Principles [3]. These principles have long been the basis for EU data protection.
- Notice: Organizations must provide data subjects with information concerning how their data will be processed, for example, the type of data collected, the purpose of processing, etc. Organizations must also provide links to the Commerce Department’s website regarding details on self-certification and the Privacy Shield List (the list of self-certifying entities).
- Data Integrity and Purpose Limitation: Organizations must only use personal data for the limited purposes for which it was originally collected and/or authorized by the data subject. Organizations must also ensure that personal data is “reliable for its intended use, accurate, complete and current.”
- Choice: If the purpose of collection or use changes, the organization must give data subjects the right to opt out of continued use. In the case of sensitive data, organizations must obtain affirmative express consent (opt in) prior to use.
- Security: Organizations must take “reasonable and appropriate security measures” to make sure personal data remains protected. Organizations must also bind, by contract, any third parties they use for sub-processing to provide the same level of protection as the Principles require.
- Access: Organizations must ensure that data subjects have the right to confirm whether an organization has a data subject’s personal data and, if so, be able to access and correct the data for free or for a nonexcessive fee. Organizations may not deny access except under exceptional circumstances.
- Recourse, Enforcement and Liability: Organizations must implement policies to ensure compliance with the Principles. Organizations must also annually recertify their compliance with the Principles and verify that their published privacy policies conform to the Principles. The latter can be achieved through self-assessment or by outside compliance reviews. Additionally, organizations must put in place redress mechanisms through which data subjects’ complaints can be investigated and resolved. These new requirements are explored further below.
- Accountability for Onward Transfer: Organizations must ensure that any onward transfer of personal data is only for “(i) limited and specified purposes, (ii) on the basis of a contract (or comparable arrangement within a corporate group) and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles.” This requirement is even more explicit than the version under the Safe Harbor Decision.
While self-certification is not available until August 1, 2016, organizations may begin to prepare for the process. Self-certification requires that an organization certify, on an annual basis, that the organization agrees to adhere to the Privacy Shield’s requirements, including “notice, choice, access, and accountability for onward transfer.”
In helping organizations prepare for self-certification, the Commerce Department has provided the following guidelines:
- Confirm your organization’s eligibility to participate in the Privacy Shield. Under the Commerce Department’s current guidance, only organizations subject to the jurisdiction of the FTC or DOT may participate in the Privacy Shield. However, the number of subject-matter agencies may expand over time.
- Identify your organization’s independent recourse mechanism (IRM). While the first step should be for the organization itself to resolve complaints from data subjects, an organization must also provide an IRM that can investigate unresolved complaints at no cost to the data subject. The IRM can be a private-sector dispute resolution program, such as the Council of Better Business Bureaus, JAMS or TRUSTe. Alternatively, the organization may choose, as its IRM, to cooperate and comply with the DPAs for all data types. For human resource-related data, cooperation and compliance with the DPAs is mandatory. Moreover, cooperation with the Commerce Department or the FTC is mandatory, independent of data type. The organization must also submit to binding arbitration by the Privacy Shield Panel for any disputes unresolved by its IRM.
- Ensure your organization’s verification mechanism is in place. An organization must be able to verify compliance with the Privacy Shield’s requirements, through either a self-assessment or a third-party assessment. An organization that chooses to leave the Privacy Shield, or is no longer able to comply with it, must notify the Commerce Department and must continue to protect, destroy or return the personal data it has already received.
- Designate a contact within your organization regarding the Privacy Shield. An organization must provide a contact for handling inquiries regarding the Privacy Shield. An appropriate designee is usually a corporate officer, such as a Chief Privacy Officer. An organization must respond to a data subject within 45 days of receiving a complaint.
From a commercial sector aspect, the Privacy Shield, its Principles and self-certification embody many of the previous requirements under the Safe Harbor Decision. However, the Privacy Shield heightens the level of scrutiny and the burden on organizations that voluntarily self-certify. It makes any subsequent noncompliance subject to federal agency enforcement, including Section 5 of the Federal Trade Commission Act. It also requires organizations to provide data subjects with the ability to seek redress for their complaints.
Furthermore, by requiring annual self-certification renewal and periodic verification, the Privacy Shield increases an organization’s due diligence obligation to assess whether its privacy program adequately protects EU citizens’ personal data. Additionally, it explicitly requires self-certifying organizations to flow the Principles down to third-party processors by contractually obligating them to provide the same level of privacy and security for the personal data transmitted to them. Thus, even an organization that has not self-certified may be required to adhere to the Principles if it is a vendor to a self-certifying organization. As organizations start to self-certify and the Privacy Shield progresses, Pepper will continue to track these developments.