Earlier this month the European Commission adopted the ‘Privacy Shield’, the new EU-approved mechanism for the transatlantic transfer of personal data, replacing the now defunct Safe Harbor scheme. We provide practical guidance for organisations considering self-certifying under the new framework.
Some of the key points to bear in mind if your organisation is considering participation in the Privacy Shield are as follows:
Is your organisation eligible to join Privacy Shield?
In order for a US organisation to be eligible to participate in the Privacy Shield, it must be subject to the jurisdiction of either the US Federal Trade Commission (“FTC”) or the Department of Transportation (“DOT”). Banks, financial institutions and non-profit organisations are generally not subject to the jurisdiction of the FTC and so are not eligible for participation in the Shield. Both the FTC and the DOT will play major roles in the enforcement of the Privacy Shield framework. These limitations on eligibility demonstrate the continuing importance of other means to legitimise ex-EEA data exports such as Standard Contractual Clauses.
When will the Privacy Shield come into effect?
Similar to Safe Harbor, the Shield operates by way of voluntary self-certification. The Department of Commerce (“DoC”) will begin accepting self-certifications from participating organisations from 1 August 2016. The principles laid down under the Shield will apply to organisations immediately upon certification. Participating organisations must subsequently self-certify on an annual basis to the DoC. Organisations that already have their certification requirements and processes in order could therefore be relying on the Shield within a matter of weeks from now.
Are there any benefits for US organizations which join the Privacy Shield early?
Yes. While the Privacy Shield Principles apply to organisations immediately upon certification, there is one exception available for organisations with respect to the new onward transfer rules under the Shield, which are stricter than those which existed under Safe Harbor.
The European Commission recognises that organisations need time to bring existing business relationships with third parties into line with the new framework. Accordingly, transitional arrangements are available to organisations which join the Shield within two months of the Shield coming into force. If an organisation joins within this time, it will have nine months from the date of sign-up to negotiate contract amendments with third parties to ensure compliance with the onward transfer rules. This creates a real incentive and benefit for early joiners.
What is the Independent Recourse Mechanism?
The Privacy Shield requires self-certifying organisations to provide an independent recourse mechanism to individuals to investigate and resolve complaints. This must be made available at no cost to the individual.
This alternative dispute resolution mechanism must be put in place prior to self-certification. Private sector dispute resolution programmes such as the Council of Better Business Bureaus (“BBB”), TRUSTe, the American Arbitration Association (“AAA”), JAMS and the Direct Marketing Association (“DMA”) may be used.
Alternatively, organisations may choose, as a recourse mechanism, to cooperate with EU Data Protection Authorities (“DPAs”). Organisations that transfer human resources data as part of their self-certification, however, must use this mechanism and comply with advice given by EU DPAs regarding such data.
How do organisations verify compliance with the Privacy Shield?
Under the Shield, organisations are required to put procedures in place to demonstrate that assertions made about compliance with the Privacy Shield Principles are true and that stated privacy practices have been implemented. This can be done by way of self-assessment, which may be burdensome for many organisations, or by way of external compliance reviews. Organisations must document all of their privacy practices and retain those records, as they may be required in the event of a complaint by an individual or an investigation by one of the US authorities.
Does our organisation need to appoint a designated contact for Privacy Shield queries?
Yes. Each organisation self-certifying under the Shield must provide details of a contact for the handling of Privacy Shield related complaints and queries. Organisations have discretion as to who within the organisation is appointed as the contact. For many, the most natural fit for this role may be the person who is certifying the organisation’s compliance with the Privacy Shield or the Chief Privacy Officer.
What fees are payable under the Privacy Shield?
Aside from the costs which an organisation will incur prior to self-certification in ensuring that it is “Privacy Shield ready”, there are a number of additional costs set out under the Privacy Shield framework which should be considered. These are:
- Alternative Dispute Resolution (“ADR”) fees: Under the Shield, organisations must designate an independent organisation to investigate and resolve complaints from individuals. This redress mechanism must be provided to individuals free of charge, and organisations will be required to cover the costs of the ADR body.
- Arbitration fees: Arbitration is available as a “last resort” resolution to individuals under the Shield. Arbitration will be carried out by the Privacy Shield Panel which is a panel composed from a pool of at least 20 arbitrators chosen by the DoC and the European Commission. Organisations will be required to pay an annual contribution up to a maximum cap to cover the costs of arbitration.
- EU DPA Panel fees: Organisations that commit to cooperate with and comply with advice provided by an informal panel of European DPAs will be required to pay an annual fee, up to a maximum cap of $500, to cover the operating costs of the panel. As mentioned above, organisations that transfer human resources data as part of their self-certification under the Shield will incur this cost, as these organisations must agree to comply with advice given by European DPAs regarding this data.