On Tuesday July 12, 2016, the European Commission formally adopted the EU – U.S. Trans-Atlantic Privacy Shield data transfer deal, commonly referred to as the “Privacy Shield”. The action followed an earlier vote by representatives of each EU member state on July 8 to approve a key piece of the deal, the so-called “Adequacy Decision”.
The framework for the Privacy Shield was first revealed by EU and U.S. officials in February, just a few months after the European Court of Justice had invalidated the earlier EU – U.S. data transfer accord, the “Safe Harbor” treaty. The adoption of the Privacy Shield brings closure to a complicated and sometimes contested legislative process to replace the Safe Harbor program – one that many corporations had relied upon for the past 15 years for regulating the privacy aspects of data transfers from the EU to the United States.
In replacing the Safe Harbor treaty, the new Privacy Shield imposes stronger obligations on U.S. companies to protect the personal data of Europeans. Additionally, the Department of Commerce (“Commerce Department”) and the Federal Trade Commission (“FTC”) accepted greater responsibility for monitoring and enforcing the compliance of participating U.S. companies. Stemming from concerns arising from 2013 security breaches by the National Security Agency (i.e., the Snowden disclosures), the deal also includes written assurances from the U.S. that access to transferred data will be subject to clear limitations, safeguards, and oversight mechanisms that will prevent mass surveillance of European citizens’ data. In an effort to give voice to the public, the Privacy Shield created a new role, the privacy ombudsperson, which is responsible for addressing any complaints lodged by Europeans regarding data misuse.
The Commerce Department has released a list of the key new requirements for companies participating in the Privacy Shield, and it also announced that it will begin accepting self-certifications to the Privacy Shield on August 1, 2016. Companies interested in participating in the Privacy Shield program should become familiar with the new requirements.
New Requirements for Companies Participating in the Privacy Shield:
1. Informing Individuals about Data Processing
- A participating company must inform individuals of their rights to access their personal data, the requirement to disclose personal information in response to a lawful request by public authorities, which enforcement authority has jurisdiction over the organization’s compliance with the Privacy Shield Framework, and the company’s liability in cases of transfer of data to third parties.
2. Providing Free and Accessible Dispute Resolution
- Individuals may bring a complaint directly to a Privacy Shield participant, and the participant must respond to the individual within 45 days.
- Privacy Shield participants must provide, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved.
- If an individual submits a complaint to a data protection authority (DPA) in the EU, the Department of Commerce is committed to receiving and reviewing the complaint, undertaking best efforts to facilitate its resolution, and responding to the DPA within 90 days.
- Privacy Shield participants must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
3. Cooperating with the Commerce Department
- Privacy Shield participating companies must respond promptly to inquiries and requests by the Commerce Department for information relating to the Privacy Shield Framework.
4. Maintaining Data Integrity and Purpose Limitation
- Privacy Shield participating companies must limit the personal information collected to the information relevant for the purposes of processing.
- Privacy Shield participants must comply with the new data retention principles.
5. Ensuring Accountability for Data Transferred to Third-Parties
- To transfer a customer’s personal information to a third-party acting as a controller (a person or organization which, alone or jointly with others, determines the purposes and means of processing the personal data), a Privacy Shield participant must:
  - Comply with the Notice and Choice Principles.
  - Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.
- To transfer personal data to a third-party acting as an agent (an entity that processes the personal data pursuant to the instructions of a person or organization), a Privacy Shield participant must:
  - Transfer such data only for limited and specified purposes;
  - Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
  - Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
  - Require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
  - Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
  - Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Commerce Department upon request.
6. Transparency Related to Enforcement Actions
- Privacy Shield participating companies must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.
7. Ensuring Commitments Are Kept as Long as Data Is Held
- If an organization leaves the Privacy Shield Framework, it must annually certify its commitment to apply the Principles to information received under the Privacy Shield Framework if it chooses to keep such data or provide “adequate” protection for the information by another authorized means.
How to Self-Certify For Privacy Shield Participation
As noted above, the Commerce Department will begin accepting self-certifications to the Privacy Shield beginning on August 1, 2016. The Department has provided a Guide to Self-Certification, which includes the following steps:
- Confirm Your Organization’s Eligibility to Participate in the Privacy Shield.
- Identify Your Organization’s Independent Recourse Mechanism.
- Ensure Your Organization’s Verification Mechanism is in Place.
- Designate a Contact Within Your Organization Regarding Privacy Shield.
Stay tuned for further developments.
*Mr. Schiavoni is a student at Columbia Law School in New York, and a 2016 summer associate at Snell & Wilmer.