To transfer personal data from the European Union ("EU") to the United States ("US"), a legal basis for the transfer must exist. The EU and the US have agreed to new principles, referred to as the Privacy Shield Principles ("Privacy Shield" or "Principles"), that will permit the transfer of personal data between the US and the EU if the transferring entity does not have approved binding corporate rules or model contract provisions in place. US organizations can self-certify that they are in compliance with the Principles to enter Privacy Shield, thus permitting the transfer of personal data to the US entity. Health care organizations should consider whether they should require vendors to self-certify or whether an alternative, such as model contract provisions, is a better approach to prevent a disruption in the ability to transfer personal data.
The EU Data Privacy Directive (95/46/EC) (the "Privacy Directive") establishes how personal data is to be handled within the EU's constituent countries (the "Member States") and the requirements for transfers of personal data to countries outside the EU. Personal data is defined very broadly and includes, but is not limited to, any information that relates to an identifiable individual. The full definition can be found under Article 2, paragraph A, here. The Privacy Directive applies even when the controller of the data is not part of the EU but uses equipment within the EU to process personal data. Article 25 of the Privacy Directive states that Member States may only transfer personal data to a non-EU country if the country in question ensures an adequate level of privacy protection. The EU does not view the US as providing an adequate level of protection. Accordingly, the EU developed three approaches to permit cross-border transfers to the US: binding corporate rules, model contract provisions and the "Safe Harbor," an agreement between the European Commission and the US Department of Commerce that was developed in 2000 as a streamlined process for US companies to demonstrate adequate protection of data sufficient to permit transfer of data from the EU to such companies. However, in the fall of 2015, the EU Court of Justice determined that the Safe Harbor did not provide sufficient protections to support cross-border transfers to the US. As a result, after a transition period of six months, a different method of ensuring adequate privacy was necessary to permit companies in Member States to transfer personal data to US companies that did not have binding corporate rules or model contract provisions in place.
In February 2016, the EU Commission and the US agreed on a new framework to allow for transatlantic data flow. The Privacy Shield identifies the Principles with which an organization must comply for its safeguards to be deemed adequate under the Privacy Directive and permits companies to self-certify as to compliance with the Principles. The Privacy Directive was structured to also comply with the EU's General Data Protection Regulation, which will be coming into force in two years. The International Trade Administration within the US Department of Commerce has been tasked with administering self-certifications and began accepting self-certifications on August 1, 2016. The full rule can be found here.
As a benefit of the EU Commission's decision that the Privacy Shield Principles are adequate to safeguard personal data, US companies that wish to receive personal data from the EU, but do not wish to adopt binding corporate rules or model contract provisions, can agree to follow the Principles and therefore qualify for Privacy Shield certification. Self-certification to the Department of Commerce (the "Department") is required before an organization can take part in the transfer of personal data from the EU under the authority of the Privacy Shield. Entering the Privacy Shield is voluntary; however, Privacy Shield companies making the commitment to adhere to the Principles must fully comply.
To qualify to participate in the Privacy Shield, an organization must: (a) be subject to the jurisdiction of the Federal Trade Commission (the "FTC") or the Department of Transportation; (b) publicly declare that it is committed to complying with the Principles; (c) publicly disclose its privacy policies, which must meet the requirements of the Principles; and (d) fully implement those privacy policies. The FTC is empowered to investigate and enforce allegations of failure to comply with the self-certification requirements as an unfair or deceptive act in or affecting commerce under Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)) or similar laws or regulations. The FTC is required to maintain a public list of self-certified Privacy Shield companies (the "Privacy Shield List"), which is available here, as well as a list of those that have been removed from the Privacy Shield List, which is available here.
National security, public interest and law enforcement requirements as well as conflicting statutes may limit a Privacy Shield company's adherence to the Principles. Additionally, an EU Member State may have a law that provides for an exception or derogation. However, because EU law strongly favors privacy, these exceptions are interpreted narrowly. Therefore, if it is possible to comply with the Principles while still complying with the other law, or while meeting the competing public interest, compliance with the Principles will still be expected.
Notice and Choice. Among requirements for participation in Privacy Shield, an organization must provide clear and conspicuous notice to individuals about how personal data is collected, used and disclosed. Individuals must also be advised that they can access their personal data and their choices for limiting use and disclosure of their data.
Additionally, a Privacy Shield company must offer individuals a chance to opt out if they do not wish for personal data to be shared with a third party or used for a materially different purpose than the reason it was originally collected. The opportunity to opt out must be clear and conspicuous and cannot be unduly complicated.
Transfers. Transfers of personal information to third parties require, among other things, that the third party only use the personal information for limited and specified purposes consistent with the consent provided by the individual. The recipient must provide the same level of protection as the Principles. In some situations, a contract with the third party may be needed. In health care, in most cases, data transferred to a third party for purposes other than treatment will be supported by a contract.
Security, Integrity and Access. Privacy Shield companies engaged in creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect the data. However, in doing so, Privacy Shield companies can take into account the inherent risks involved in the processing of personal data.
Privacy Shield companies may only process personal information in a manner compatible with the individual's authorization or purpose for which the personal information was collected. In addition, individually identifiable information may be retained only for as long as it is needed to accomplish a permissible purpose. Information may be kept for longer periods for purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis. However, additional Principles apply to such retention.
Individuals must have access to personal information about them and be able to correct, amend or delete that information where it is inaccurate or has been processed in violation of the Principles. This does not apply when the burden or expense of providing access would be disproportionate to the risks to the individual's privacy or where the rights of third parties would be violated.
Recourse, Enforcement and Liability. Privacy Shield companies must have in place compliance mechanisms and a recourse procedure for those affected in the event of noncompliance, and there must be consequences if the Principles are not followed. The mechanisms must include:
- Procedures by which an individual's complaints and disputes are investigated and resolved, at no cost to the individual;
- Procedures for assessing the accuracy of claims of Privacy Shield companies; and
- Obligations to resolve problems arising out of non-compliance.
Sanctions must be severe to ensure compliance by Privacy Shield companies.
Privacy Shield companies are obligated to arbitrate claims and adhere to the Privacy Shield framework if an individual invokes binding arbitration. The Privacy Shield framework includes an Arbitral Model to be followed in such circumstances.
Privacy Shield companies are liable under the Principles if an employee or agent processes personal information in a manner that violates the Principles, unless the Privacy Shield company proves that it is not responsible for the event that causes the damage.
If a Privacy Shield company becomes subject to an FTC or court order based on noncompliance, any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC must be made public. While some sections may be kept confidential (for example, to protect trade secrets), companies need to anticipate that the greatest portion of such reports will be public.
The Privacy Shield framework also consists of Supplemental Principles that go into further detail about the Principles and certain exceptions.
Exceptions. Under EU law, information about medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or the sex life of the individual is called "sensitive data." Additional protections are offered to sensitive data, including special rules regarding express consent for processing of sensitive data. However, recognizing that at times express consent cannot be obtained, the Supplemental Principles provide some exceptions and nuances.
The Supplemental Principles state that an organization is not required to obtain affirmative express consent with respect to sensitive data where the processing of sensitive data is:
- In the vital interests of the data subject or another person;
- Necessary for the establishment of legal claims or defenses;
- Required to provide medical care or diagnosis;
- Carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects;
- Necessary to carry out the organization's obligations in the field of employment law; or
- Related to data that are manifestly made public by the individual.
However, it is important to note that derogations tend to be disfavored and that obtaining the consent of the data subject is preferred when possible.
Further, journalistic material will continue to be governed by the First Amendment and is not subject to the requirements of the Principles; organizations that are "conduits" of information, like Internet Service Providers, telecommunications carriers and other similar Privacy Shield organizations, are not responsible under the Principles for data transmitted by third parties; the processing of personal data without the consent or knowledge of the individual may be permitted under certain circumstances for audit and investment bank purposes; and travel information may be transferred outside the EU under Article 26 of the Privacy Directive if certain conditions are met, without the need to self-certify under Privacy Shield.
The Supplemental Principles provide further detail regarding compliance with the Principles and address issues such as:
- Cooperation with EU data protection authorities ("DPAs") in relation to the Recourse, Enforcement and Liability Principle. DPAs can participate in investigation and advise with regard to remediation;
- The self-certification submission process and materials that must be provided to the Department;
- Verification requirements to indicate that attestations and assertions are true and have been implemented in accordance with the Principles;
- The Access Principle, which is the right of the data subject to access and verify the accuracy of personal information about the data subject, and practical implementation of this principle, such as the organization of databases, how to handle repetitious or vexatious requests for access and whether a fee can be charged to provide access;
- Guidance for handling the transfer of personal information between the EU and US about employees to parent, affiliate or unaffiliated service providers;
- When contracts are required for the transferring of personal information to third parties, between controllers and within controlled groups of corporations or entities;
- Recourse mechanisms, remedies and sanctions, FTC actions and persistent failures to comply with the Principles;
- Options to opt out of direct marketing and the timing associated with an opt out in relation to use of information;
- Circumstances in which personal data collected for scientific research activity can be used for future research, used after withdrawal of an individual from a clinical trial, transferred for regulatory and supervision purposes, excepted from the Access Principle for blind studies and transferred for product safety and efficacy monitoring;
- Which Principles apply to publicly available information and which do not; and
- Prevention or impairment of a Privacy Shield company's ability to respond to any lawful request for personal information.
The cost of administering and enforcing Privacy Shield will be passed through to those Privacy Shield companies that self-certify in the form of an annual fee that is tiered based on an organization's annual revenue. The proposed fees range from $250 for Privacy Shield companies with an annual revenue below $5 million to $3,250 for Privacy Shield companies with an annual revenue above $5 billion.
Not all US companies are eligible to participate in Privacy Shield due to the limits of the FTC's jurisdiction. For example, in most cases, charitable non-profits ("501(c)(3) entities") are treated as outside the jurisdiction of the FTC because they do not carry on business for their own profit or the profit of their members. Rather, charitable entities carry on business for the furtherance of their missions. The FTC can attempt to assert jurisdiction with respect to the prohibition against unfair competition by "persons, partnerships and corporations..." by claiming that the charity is a "person," but there is no definition that extends the term "person" to corporations, and the fact that there is a definition of corporation that excludes 501(c)(3) entities makes it difficult to argue that they should be subsumed within a "person." Further, as described in the Supplemental Principles, Article 26 of the Privacy Directive allows for derogation from the principles in Article 25 that govern the transfer of personal data to non-EU countries, whereby data transfers are permitted in certain circumstances even if there is not an adequate level of protection in place. However, it is advisable to ensure that one of the required conditions for this derogation unquestionably applies, or else a violation of the Privacy Shield requirements may occur, resulting in sanctions. These derogations include situations such as when an individual has given unambiguous consent to the proposed transfer, when performance of a contract between an individual and another party requires the transfer of data, and other situations that are in line with the exceptions to obtaining affirmative express consent to transferring sensitive data that are identified in the Supplemental Principles. Accordingly, 501(c)(3) entities and others that do not wish to become a Privacy Shield company may still be able to transfer data between the US and the EU.
There is already discussion about a court challenge to the Privacy Shield and significant speculation that the European Court of Justice will again find that the Privacy Shield fails to offer privacy protections equivalent to the Directive or the pending General Data Protection Regulation. This, combined with the lack of applicability of the Privacy Shield to exempt organizations, leaves the potential for a significant gap in a reliable framework for cross-border transfers of personal data between the US and the EU in the future. While health care organizations should consider mandating that vendors who qualify for the Privacy Shield seek to self-certify, consideration should also be given to whether alternatives such as binding corporate rules or use of the model contract provisions provide a more reliable approach to ensure the continued ability to transfer personal data.
As the health care industry, like all other industries, moves to cloud computing, software as a service and other software/data hosting models, it becomes more likely that personal data maintained by a hospital will enter the EU. Accordingly, hospitals should consider the following:
- Determine which of your vendors maintain or process personal data within the EU;
- Require your vendors to self-certify to enter the Privacy Shield;
- Update your vendor agreements to require self-certification and compliance with Privacy Shield;
- Determine whether you can and should self-certify;
- Determine whether certain transfers of data are permitted by exceptions in the Supplemental Principles and derogations to the Privacy Directive; and
- Consider whether the use of binding corporate rules or model contract provisions is appropriate as a more reliable alternative to ensure the continued ability to maintain cross-border transfers of personal data in certain cases.