As we previously reported, EU and US officials have reached an agreement to implement a program known as the EU-US Privacy Shield. The Privacy Shield is a successor to the US-EU Safe Harbor program, which was invalidated last year, and is the culmination of more than two years of negotiations between the EU and US to strengthen the protections afforded to individuals whose personal data is transferred from the EU to the US.
On Monday, the European Commission released the documents that will constitute the Privacy Shield, along with a draft adequacy decision. Key features of the new program include the following:
- Privacy Principles: As under the Safe Harbor program, Privacy Shield organizations (i.e., organizations that have self-certified under the Privacy Shield) must comply with specified privacy principles (the “Principles”) when transferring and processing data originating in the EU. These principles are: Notice; Choice; Security; Data Integrity and Purpose Limitation; Access; Accountability for Onward Transfer; and Recourse, Enforcement and Liability.
- Choice: Individuals must be given the choice to opt out of having their personal information disclosed to a third party (except an agent of the Privacy Shield organization) or used for a purpose that is materially different from the purposes for which it was originally collected or which were subsequently authorized by the individual. For sensitive information, with limited exceptions, individuals must expressly opt in before such information may be disclosed or used in that way.
- Onward Transfer: Any transfer of data to a third party must be pursuant to a contract that provides, inter alia, that the recipient will provide the same level of protection as the Principles. In the case of contracts with agents, an organization must, upon request, provide a summary or copy of the relevant privacy provisions to the Department of Commerce.
- Redress of Rights:
  - Privacy Shield organizations must have in place an effective internal mechanism to deal with complaints of non-compliance with the Privacy Principles and must commit to responding to complaints within 45 days.
  - An independent Alternative Dispute Resolution mechanism also must be designated and available, free of charge, for individuals to pursue claims of non-compliance.
  - Individuals can bring claims to their national DPA, which will, in turn, work with the US Department of Commerce to ensure that the Privacy Shield organization addresses the complaint.
  - Privacy Shield organizations remain liable if an agent to which they transfer information processes that information in violation of the Principles, unless the Privacy Shield organization can prove that it is not responsible for the event giving rise to the damage.
  - Privacy Shield organizations that wish for Privacy Shield benefits to cover HR data are required to commit to cooperate with the European Data Protection Authorities (“DPAs”) in the investigation and resolution of complaints, which would include an agreement to comply with any advice from the DPAs that the organization needs to take specific action to comply with the Principles. Privacy Shield organizations that are not seeking to cover HR data may choose whether or not to commit to cooperate with the DPAs in investigating and resolving complaints.
  - The Privacy Shield framework also establishes a binding arbitration option for redress of certain complaints.
- Limits on US Government Access: The released documents include letters from the Office of the Director of National Intelligence and the U.S. Department of Justice outlining the legal restrictions and safeguards in place to limit access by the U.S. government to personal data transferred pursuant to the Privacy Shield. The U.S. Secretary of State also has appointed a Privacy Shield Ombudsperson, who will serve as a point of contact for foreign governments that wish to raise concerns regarding U.S. intelligence activities.
- Periodic Review: The draft adequacy decision provides for ongoing review of the Privacy Shield Framework to ensure its continued adequacy. This continued review shall include an “Annual Joint Review” among the EU Commission, the US Department of Commerce and Federal Trade Commission, and other US agencies as appropriate. This meeting will be open to DPAs and to representatives of the Article 29 Working Party.