Following formal approval of the EU-US Privacy Shield, US organizations will now be considering how to apply for Privacy Shield certification.
On July 12, 2016, the European Commission formally approved and adopted the EU-US Privacy Shield, providing a new compliance framework for US organizations that are involved in the importation of personal data from Europe (see our recent Newsflash). Starting August 1, 2016, organizations can self-certify with the International Trade Administration, which administers the Privacy Shield Framework within the US Department of Commerce. Those that do so will appear on a public list available here.
Among other things, Privacy Shield certification requires that contracts with third parties involved with the onward transfer of personal data be amended, and organizations that submit their self-certification before September 30, 2016, have a nine-month grace period, starting from their certification date, to bring existing third-party contracts into conformity.
Who can certify?
Certification is available to US organizations that are processing personal data in connection with an activity that is subject to the jurisdiction of the Federal Trade Commission (the FTC) or the Department of Transportation. This covers most US organizations, although general exclusions include banks, federal credit unions, and savings and loan institutions; telecommunications and interstate transportation common carriers; labor associations; most nonprofit organizations; and most organizations involved in packer and stockyard activities. In addition, the FTC has only limited jurisdiction over insurance companies.
How to certify?
Organizations can self-certify here: https://www.privacyshield.gov/PS-Application. The requirements are as follows:
- A statement that the organization adheres to the Principles;
- A link to the Privacy Shield website (https://www.privacyshield.gov/); and
- A link to the website or complaint submission form of the independent recourse mechanism (see below).
- Recourse Mechanism: Identify the organization's independent recourse mechanism (and register, if required by the mechanism). This is because compliance with the Principles includes adopting an independent mechanism to investigate individuals' unresolved complaints regarding the organization's compliance with the Privacy Shield (at no cost to those individuals). Options for organizations include: registering with a private sector privacy program that incorporates and satisfies the Principles; or committing to cooperate and comply directly with the EU data protection authorities (DPAs). If the self-certification will cover human resources data, then the organization must agree to cooperate and comply with the EU DPAs with respect to such data. Organizations that either choose to or must use the DPAs option are required to pay an annual fee of US $50.
- Verification Mechanism: Use either a self-assessment or an outside/third-party assessment program to verify compliance.
- Privacy Shield Contact: Provide a designated contact for the handling of questions, complaints, access requests and any other issues relating to the organization's Privacy Shield certification (under the Privacy Shield, organizations must respond to complaints within 45 days of receipt). This can be either the corporate officer that is certifying the organization's compliance with the Privacy Shield Framework or another official within the organization, such as a Chief Privacy Officer.
- Fees: Pay the annual fee, calculated by reference to the organization's annual revenue as follows:
  - Annual revenue $0 to $5 million: annual fee $250
  - Annual revenue over $5 million to $25 million: annual fee $650
  - Annual revenue over $25 million to $500 million: annual fee $1,000
  - Annual revenue over $500 million to $5 billion: annual fee $2,500
  - Annual revenue over $5 billion: annual fee $3,250
- Other Information: Submit the following information:
  - Organization: name and address;
  - Designated Privacy Shield Contact (as described above): name and contact information;
  - Corporate Officer certifying the organization's compliance with the Privacy Shield Framework: name and contact information;
  - Description of the organization's activities with respect to all personal data received from the EU in reliance on the Privacy Shield, including:
    - Types of personal data the organization's self-certification covers, and whether or not that personal data is human resources data;
    - The purposes for which the organization processes personal data in reliance on the Privacy Shield, including the types of personal data processed by the organization (e.g. customer, client, visitor and clinical trial data);
    - If applicable, the type of third parties to which the organization discloses personal data; and
    - All US entities (affiliates and subsidiaries) within the organization's corporate group that are also adhering to the Principles and are to be covered under the organization's self-certification;
  - The independent recourse mechanism (as described above);
  - Effective date;
  - Whether the FTC or the DOT has jurisdiction to investigate claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations covering privacy;
  - Any privacy program in which the organization is a member;
  - Whether the organization's verification method is by self-assessment or outside compliance review (and, if the latter, the name and web address of the third party that conducts the review); and
  - The organization's annual revenue (to calculate the annual fee).
For further details on the information required to certify, see the list published by the Department of Commerce.
To continue receiving Privacy Shield benefits, an organization must annually renew its self-certification and pay the fee.
What about onward transfers?
Accountability for onward transfers is one of the core Privacy Shield Principles. To transfer personal data to a third party acting as a controller, organizations must:
- Give individuals notice and the opportunity to opt out, or, in case of sensitive data, obtain their consent prior to the transfer.
- Enter into a contract with the third-party controller (or comparable arrangement within a corporate group) that provides that:
  - Such data may only be processed for limited and specified purposes consistent with the consent provided by the individual; and
  - The third party will provide the same level of protection as the Principles, will notify the organization if it makes a determination that it can no longer meet this obligation and, if so, cease processing or take other reasonable and appropriate remedial steps.
To transfer personal data to a third party acting as an agent, organizations must:
- Transfer such data only for limited and specified purposes;
- Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization's obligations under the Principles;
- Require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles and, if so, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.