The EU and US have announced another agreement requiring US companies to self certify that they are compliant with certain data privacy principles in order to conduct transatlantic data transfers. This agreement is called the EU-US Privacy Shield (“Privacy Shield”) and is similar to its predecessor Safe Harbor program, but requires US companies to conform to more stringent data privacy standard. Although EU-US have announced this deal, the Privacy Shield has not yet been finalized or enacted, as the authorities are still negotiating a final version of this agreement.
During this interim, US Companies should consider adopting the Privacy Shield’s published Privacy Principles into their business practices in order to commit to doing business long-term in Europe. If they do so, then they would not only put themselves on a fast track to self-certification under the Privacy Shield, but they would also be minimizing their exposure to data privacy/breach liability in the US.
Under the first published draft of the Privacy Shield, US companies must adopt and implement certain Privacy Principles in order to collect, store and transfer EU personal data. These Privacy Shield’s Privacy Principles are generally good data privacy and security policies and procedures, that when implemented, would help a company minimize its exposure to data breach liability here in the United States (e.g., Section 5 of the Federal Trade Commissions Act, the Fair Credit and Reporting Act, the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act of 1996 (HIPAA), state data breach notification laws, etc.).
In fact, if US law has not already required some of the Privacy Shield’s Privacy Principles to be adopted by US companies, most of these principles have been found to be good practices in administrative and judicial decisions that have considered these US privacy and data breach laws in their rulings.
A closer look at these Privacy Shield’s Privacy Principles clearly show how they can minimize US companies’ liability exposure while building goodwill with their consumers.
The Privacy Shield requires US companies that collect, store and transfer EU personal data to adopt and implement into their business practices and policies, the following:
(1) Notice. US Companies must provide Notice to their data subjects of how they process their data that they collect, store and transfer under 13 subjects. Such Notice requirements include:
- the type of data they are collecting,
- the purpose of processing their data,
- the right of access their data,
- the right to choose whether the US companies can continue to collect, store and transfer their data (i.e., opt-out),
- the conditions for onward transfers of their data, and
- who is liable and what remedies are available to them for security breaches involving their data.
(2) Choice. US Companies must allow their data subjects a Choice to opt-out of any collection, storage and transfer of their data, especially if a US company changes its data privacy principles. If a US company is a direct marketer, then there are special opt-out rules that the US direct marketer must implement in order to allow their subjects to opt-out at any time from the use of their personal data.
(3) Security. US Companies collecting, storing and transferring personal data must take “reasonable and appropriate” security measures to minimize the data security risks involved in the collection, storage and transfer of such personal data. “Reasonable and appropriate” security measures must be implemented US companies because their security measures will be the key subject investigated and litigated with any data security breach. If US Companies are subcontracting any of their security obligations under the Privacy Shield, then such subcontracted security services must be materialized in an executed agreement where the subcontractor guarantees the same level of protection as provided by the Privacy Shield (i.e., the Privacy Principles) and guaranty the implementation of such privacy measures.
(5) Access. US companies must provide Access rights to EU data subjects to their data as follows:
- provide Access to their data without justification (i.e., for any reason),
- respond to Access requests without an excessive fee,
- respond to Access requests within a “reasonable” time frame,
- provide confirmation that they are processing their data, and
- provide Access to correct, amend or delete personal information where it is inaccurate or has been processed in violation of these Privacy Principles.
There are a few limited exceptions to these Access rights stated above that only apply in a few exceptional circumstances. Otherwise, US companies have the burden that these Access rights are being provided to EU data subjects.
(6) Accountability for Onward Transfer. When transferring EU personal data from controllers or processors, US companies must be accountable in such onward transfer by:
- limiting such transfer for a specified purpose;
- under the terms of an executed agreement;
- only if the executed agreement provides the same level of protection as the one guaranteed by the Privacy Principles; and
- controllers being accountable for all compliance problems unless some act(s) of gross negligence by the a processor.
(7) Recourse, Enforcement and Liability. If bad things happen to EU personal data while being collected, stored or transferred, then US companies must have in place an effective redress mechanisms to deal with such complaints, which includes:
- Within 45 days upon receipt, US Companies must respond to all data privacy/security complaints.
- Such responses to complaints must “provide an assessment of the merits of the complaint and, if so, information as to how the organization will rectify the problem.”
- US Companies must “retain their records on the implementation of their privacy polices and make them available upon request in the context” of a data privacy/security investigation or complaint.
EU data subjects can also bring complaints to independent EU data protection authority (DPAs) to investigate and attempt to resolve individual complaints and provide such appropriate recourse to EU data subjects free of charge.
Third, Privacy Shield companies must also offer alternative dispute resolution via an independent dispute resolution mediator free of charge. As a last resort, EU data subjects may invoke binding arbitration by a “Privacy Shield Panel” arbitrator who is appointed by the US Department of Commerce and the EU Commission.
The US Department of Commerce, Federal Trade Commission and other data protection authorities will also have the authority to investigate and prosecute US companies for non-compliance with the EU-US Privacy Shield.
(8) Self-Certify. US companies must annually self certify that they are compliant with the Privacy Shield’s principles and practices. “This can be done through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the company’s privacy policies and that compliance is periodically reviewed in an objective manner, or outside compliance reviews, the methods of which may include auditing and random checks.” Additionally, US companies must file their self-certification of adhering to the Privacy Principles with the Department of Commerce, who will then publish self-certifying US companies via a “Privacy Shield List.”
Like all legal matters, there are exceptions to some of these Privacy Shield rules identified above. Additionally, there are other unidentified provisions of the Privacy Shield that may be applicable to US companies under worse case data security breach scenarios.
As discussed in our last blog article, the EU Commission’s subcommittees are now reviewing the Privacy Shield with the purpose of submitting comments to the EU Commission. Once these comments are received, then the EU Commissions will either approve the Privacy Shield or require additional edits to it. Simultaneously through this EU review period of the Privacy Shield, there will likely be new laws required to be enacted in the US in order to authorize and facilitate such required privacy authority and procedures as set forth Privacy Shield. Expect another update on edits to the current draft of the Privacy Shield. It may be another 6 to 12 months before the Privacy Shield has been enacted and fully effective.
In the interim, adopting the above Privacy Shield rules into your business practices would put you on a fast track to comply with the EU-US Privacy Shield once it has been enacted, and it would also build goodwill with your consumers and minimize your exposure to data breach liability under the Privacy Shield and US federal and state laws.