What is Privacy Shield?
The Privacy Shield Framework provides US-based organisations with a mechanism to certify transatlantic transfers of personally identifiable data, and has been a welcome development for some since the Safe Harbor [sic] Framework was found to be invalid by the Court of Justice of the EU in October 2015. The self-certification process has been available since its launch on 1 August 2016.
Following the invalidation of Safe Harbor, the Privacy Shield was developed by the US Department of Commerce, the Federal Trade Commission and the European Commission with the following principles in mind: transparency; US Government oversight (including management and enforcement of the regime); and increased cooperation with EU Data Protection Authorities (EU DPAs).
Accountability for onward transfers is one of the key Privacy Shield principles. Certified companies must ensure that onward transfers of personally identifiable data to third parties are covered by the same level of protection that the certified company is providing.
As mentioned in our International Data Transfers of Personal Data blog, there were concerns that the Article 29 Working Party (the group of EU DPAs) would not approve the Privacy Shield Framework, with the issue of indiscriminate mass surveillance by the US Security Services being the key concern. The US has provided written assurances to the EU that US Security Services will not conduct indiscriminate mass surveillance of European citizens’ personally identifiable data. The Office of the Director of National Intelligence has clarified that bulk collection of data can only be used in a focused manner, and must be filtered to remove non-pertinent information. In addition, the Judicial Redress Act, signed by President Obama on 24 February 2016, provides European citizens with the right to challenge misuse of their personally identifiable data in US courts.
Despite these assurances, US surveillance remains one of the key areas of concern surrounding the Privacy Shield, and whilst the Article 29 Working Party approved Privacy Shield, they did so on the proviso that this issue will be reviewed at the first Annual Joint Review between the European Commission and the Department of Commerce. These annual reviews will be used to promote transparency and address any concerns regarding the operation of the Privacy Shield arising during the previous 12 months.
What do I need to do?
The practical steps that you as a company will need to undertake to be certified can be broken down into the following five steps:
1. Create / update / maintain a Privacy Shield Policy
You must provide both free and accessible dispute resolution. Dispute resolution will involve:
- Individual complaints being responded to within 45 days.
- The provision of an independent and expeditious recourse mechanism (at no cost to the individual).
- Potentially committing to a binding arbitration procedure, at the request of an individual, to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
2. Security Due Diligence
Your company must provide adequate and commercially reasonable technical and physical controls and safeguards to meet the security requirements under the Privacy Shield. If your company intends to keep personally identifiable data for a period of time, your commitments must be maintained for as long as the data is held by you. Note that you will only be entitled to keep personally identifiable data for so long as the retention is required, and only to assist the purpose for which it was originally collected by you.
In order to assess whether your company has adequate security safeguards, you will need to analyse and assess your security systems.
3. Onward Transfers
As mentioned above, you must ensure that onward transfers of personally identifiable data to third parties are covered by the same level of protection that you are providing for personally identifiable data. As a result, you will need to ensure that existing contractual arrangements involving transfers of personally identifiable data address the specific requirements for onward transfers.
4. Staff Preparations
The Privacy Shield requires your staff (those who have access to EU citizen data) to be updated on and trained in the Privacy Shield. This process can be viewed positively as a chance for you to develop your staff’s understanding of global privacy commitments. Your company should also provide a key contact for Privacy Shield related queries and a compliance verification mechanism.
5. Apply for Certification
Any US company that is subject to the Federal Trade Commission or the Department of Transportation may participate in the Privacy Shield. In order to apply, you will need to provide evidence of the steps you have taken to ensure your company is Privacy Shield compliant. In order to remain certified, you must re-certify annually and pay an annual fee.
Current state of play
If you are interested in finding out which companies have been added to the Privacy Shield certified list, you can find it at https://www.privacyshield.gov/list.
This list includes high-profile companies such as Microsoft Corporation and Salesforce; however, take-up of Privacy Shield has so far been quite low.