On July 16, 2016, the European Commission ("Commission") adopted the Privacy Shield Adequacy decision, which sanctions the transfer of EU personal data to Privacy Shield certified entities in the United States. The EU-U.S. Privacy Shield replaces the defunct U.S.EU Safe Harbor framework that was invalidated in October 2015 by the European Court of Justice following a claim by Max Schrems.

Organizations that desire to self-certify under Privacy Shield are advised to contact us, as compliance will likely require adjustments to the organization's policies and practices relating to personal data. Organizations having questions about Privacy Shield certification of U.S. - based service providers are advised to contact us as well.

Background

EU data protection laws restrict the export of personal data to other countries unless certain requirements are met. These requirements include any one of the following: (i) transfer to a jurisdiction certified by the EU as having an 'adequate' level of protection for personal data (for example, Israel, which appears on the EU 'white list' of countries certified as adequate); (ii) meeting certain exceptions set forth under EU law (some of which are difficult to rely on in standard business transactions); or (iii) transfer pursuant to EU-sanctioned data transfer mechanisms. Transfer to a Privacy Shield certified entity is one of these EU-sanctioned data transfer mechanisms; others include standard contractual clauses and binding corporate rules.

Relevance to Israeli Companies

Privacy Shield is a mechanism designed to facilitate data transfers from the EU to the U.S. However, Privacy Shield may be relevant to Israel-based organizations for the following reasons:

Organizations that process EU personal data in the U.S., whether by means of employees located in the U.S., U.S. affiliates or service providers in the U.S., will likely be called upon by customers in the EU to demonstrate that such export of data complies with the EU data export restrictions described above. These organizations may find it worthwhile to self-certify as Privacy Shield compliant meet the demands of EU based customers.

  • Organizations that outsource data processing functions to US-based service
  • providers should examine their relationships with European customers to determine whether customer agreements require these entities to confirm that US-based service providers are Privacy Shield Compliant.
  • The Israeli Protection of Privacy Regulations (Transfer of Information to Databases outside of the State's Boundaries), 2001 permit data transfers from Israeli databases to US Safe Harbor entities, subject to compliance with other regulatory requirements. Under these regulations, the now-defunct US Safe Harbor certification provided a legal basis for transfers for any data from Israeli databases to US Safe Harbor certified entities, not only data originating in Europe. While as of the date of this memo the Israeli Law Information and Technology Authority, Israel's data protection authority, has not publicly commented on Privacy Shield, it is expected that Privacy Shield will be deemed legal basis for export of any data from databases subject to Israeli law to U.S.based recipients.

Privacy Shield Requirements

To self-certify as Privacy Shield complaint, organizations must comply with the following 7 key principles:

  1. Notice- data subjects must receive notice of data processing practices, including what data is collected and how it is used.
  2. Choice- data subjects must receive the opt out of disclosure of personal data to third parties (except agents), or use for a purpose that differs materially from the purpose for which the data was originally collected;
  3. Accountability for onward transfers- data transfers to third parties must be pursuant to written contracts requiring specific protections;
  4. Security- organizations must take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorized access, disclosure, alternation and destruction;
  5. Data integrity and purpose limitation- data collected must be limited to that which is relevant to the purpose of processing, take reasonable steps to ensure personal data is reliable for intended use and accurate, and retain data only for as long as it serves the purpose of processing;
  6. Access- data subjects have the right to access personal data held about them, correct inaccurate data and delete information that is processed in violation of Privacy Shield requirements;
  7. Recourse, Enforcement and Liability- organizations must implement measures to assure Privacy Shield compliance, including an independent recourse mechanism for complaint, and procedures for verifying compliance with the organization's privacy policy and other privacy commitments.

These seven principles are complemented by 16 supplementary principles, including in respect of human resources data, sensitive information and other data transfer issues.

Procedures for Self-Certifying as Privacy Shield Compliant

To join the Privacy Shield Framework, an organization will be required to the following:

  • Confirm eligibility for participation;
  • Revise the organization's privacy policy to include specific reference to Privacy Shield compliance and to meet Privacy Shield principles, including disclosure of the following:
  1. identification of U.S. entities[US affiliates] that will access personal data and their commitment to adhere to Privacy Shield,
  2. description of categories of personal data collected;
  3. Purposes of collection;
  4. Third parties to whom data may be transferred;
  5. A description of data subjects' access rights ;and
  6. Individual to contact to exercise rights and submit complaints

The privacy policy must appear on the organization's website or in the organization's mobile application; alternatively, the organization may provide an address where the privacy policy is available for public viewing;

  • Implement an opt-out procedure for data sharing with third parties (other than agents) or use of data for materially different purposes than the original purpose of collection;
  • Ensure third party contracts include mandatory terms;
  • Select an independent recourse for disputes (for example, the American Arbitration Association (AAA), JAMS, Direct Marketing Association's arbitral body, TRUSTe or the Council of Better Business bureaus (BBB)), and place a hyperlink to the website of the relevant body in the organizations' privacy policy. As an alternative to utilizing private sector dispute resolution bodies, the organizations may choose to cooperate with EU data protection authorities, which will generally be a less expensive alternative may be accompanied by additional regulatory oversight;
  • Ensure prior to self-certification that the organization is Privacy Shield Compliant, and that the organization has procedures in place for verifying continued compliance by means of either a self-assessment or an outside third party assessment program (see note below regarding timing for compliance);
  • Designate a contact within the organization to handle questions, complaints, access requests, and other Privacy Shield-related requires, and respond to individuals within 45 days of receiving a compliant.

Self-certification is accomplished by filing on the Department of Commerce's Privacy Shield Website (www.privacyshield.gov) and paying a certification fee. Certification also requires payment of an annual fee of between US $250 and US $3250 calculated on the basis of the organization's annual revenue.

While joining the Privacy Shield Framework will be voluntary, once an eligible company makes the public commitment to comply with the Framework's requirements, the commitment will become enforceable under U.S. law.

When to Self-Certify

The U.S. Department of Commerce will begin accepting Privacy Shield applications on August 1, 2016. The general rule is that self-certifying companies must be Privacy Shield compliant prior to certification. However, as an inventive to self-certify, the U.S Department of Commerce allows organizations that self-certify within the first two months (between August 1 and September 30, 2016) up to nine months from the date of selfcertification to bring existing commercial relationships with third parties into conformity with Privacy Shield requirements for onward data transfers to third parties. During this period, certain requirements must be met with respect to such third party transfers.

The U.S. Department of Commerce's guide to self-certification, as well as other Privacy Shield materials, are available at the department's Privacy Shield website, https://www.privacyshield.gov.

Special requirements apply to the transfer of human resources data (employee data) to the U.S., including the mandatory selection of a national EU data protection authority as an independent dispute resolution mechanism.

Summary

Privacy Shield remains one of a limited number of alternatives for exporting EU personal data to the U.S.