It’s baaaack: The European Commission this month formally adopted the long-awaited transatlantic data transfer framework, establishing stringent new data privacy compliance obligations on U.S. companies seeking to transfer personal data from Europe into the United States.
The European Commission on July 12 adopted a final version of the EU-U.S. Privacy Shield, keeping intact all the data protection requirements set out in the proposed framework issued in February. Participating in Privacy Shield is voluntary. For companies that choose to participate, however, any non-compliance with Privacy Shield principles will be enforceable under U.S. law by the relevant enforcement authority, either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT). The U.S. Department of Commerce will begin accepting certifications Aug. 1.
The Privacy Shield replaces the Safe Harbor framework, which the European Court of Justice invalidated in October 2015 in the case of Schrems v. Data Protection Commissioner. That decision effectively meant that personal data transferred from Europe to the United States was no longer presumed to be adequately protected, leaving the more than 4,000 companies that self-certified under the Safe Harbor principles in a state of limbo.
For the most part, all the core data privacy principles in the Safe Harbor remain in Privacy Shield. “Thus, companies that previously certified under the Safe Harbor don’t have that much work to do to prepare for Privacy Shield,” says James Koenig, a partner and of counsel in the privacy and cyber-security practice at Paul Hastings.
For many other companies that are just thinking about self-certifying under Privacy Shield for the first time, the transition will demand significantly more costs and burdensome data privacy obligations. All companies—even if they self-certified under Safe Harbor—first and foremost need to review and update their privacy policies and procedures.
Under the Choice Principle, Privacy Shield requires companies to provide notice to EU citizens regarding how their data is collected and processed. Individuals must also be provided with the choice to “opt out” when their personal data is to be disclosed to a third party or to be used for a purpose that is “materially different” from the purpose for which it was originally collected. “Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice,” Privacy Shield states.
Because privacy policies must disclose the purposes for which data is collected and used, the company has to actually know what those reasons are in the first place. “Unfortunately, a lot of companies historically have inserted language into their privacy policies without really thinking through what it means,” says Tanya Forsheit, a partner and co-chair of the Privacy & Data Security group at law firm Frankfurt Kurnit Klein & Selz.
“I think we can fully expect that the FTC is going to step up enforcement in this area,” Forsheit says. “They will be looking at companies that self-certify to make sure that they are, in fact, doing what they say they are doing.”
HOW TO JOIN PRIVACY SHIELD
Below is a guide to self-certification issued by the U.S. Department of Commerce on how to join the Privacy Shield.
1. Confirm your organization’s eligibility to participate in Privacy Shield: Any U.S. organization that is subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) may participate in the Privacy Shield. The FTC and DOT have both committed that they will enforce the Privacy Shield Framework.
Generally, the FTC’s jurisdiction covers acts or practices in or affecting commerce by any “person, partnership, or corporation.” The FTC does not have jurisdiction over most depository institutions (banks, federal credit unions, and savings & loan institutions), telecommunications and interstate transportation common carrier activities, air carriers, labor associations, most non-profit organizations, and most packer and stockyard activities. In addition, the FTC’s jurisdiction with regard to insurance activities is limited to certain circumstances.
The DOT has exclusive jurisdiction over U.S. and foreign air carriers. The DOT and the FTC share jurisdiction over ticket agents that market air transportation.
If you are uncertain as to whether your organization falls under the jurisdiction of either the FTC or DOT, then please be sure to contact the Privacy Shield Team at the Department of Commerce for more information.
3. Identify your organization's independent recourse mechanism: Under the Framework’s Recourse, Enforcement and Liability Principle, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual. [See Supplemental Principle 11 (Dispute Resolution and Enforcement) for more information regarding dispute resolution under Privacy Shield.]
Organizations self-certifying under Privacy Shield may utilize private sector dispute resolution programs as the independent recourse mechanism. Organizations like the Council of Better Business Bureaus (BBB), TRUSTe, the American Arbitration Association (AAA), JAMS, and the Direct Marketing Association (DMA) have developed programs that assist in compliance with the Framework's Recourse, Enforcement and Liability Principle and Supplemental Principle 11 (Dispute Resolution and Enforcement).
Alternatively, organizations may choose to cooperate and comply with the EU data protection authorities (DPAs) with respect to all types of data. In doing so, an organization must follow the procedures outlined in Supplemental Principle 5 (The Role of the Data Protection Authorities).
If your organization’s self-certification will cover human resources data (personal information about employees, past or present, collected in the context of the employment relationship), then your organization must agree to cooperate and comply with the EU DPAs with respect to such data. Additional guidance on the handling of human resources data under the Framework is provided in Supplemental Principle 9 (Human Resources Data).
Organizations that either choose to or must utilize the EU DPAs are required to pay an annual fee to cover the operating costs of the EU DPA panel.
4. Ensure that your organization's verification mechanism is in place: As discussed in Supplemental Principle 7 (Verification), organizations self-certifying to the Framework are required to have procedures in place for verifying compliance. To meet this requirement, your organization may use either a self-assessment or an outside/third-party assessment program. For additional guidance on the Framework's verification requirement, please see Supplemental Principle 7.
5. Designate a contact within your organization regarding Privacy Shield: Each organization is required to provide a contact for the handling of questions, complaints, access requests, and any other issues arising under the Privacy Shield. This contact can be either the corporate officer that is certifying your organization's compliance with the Framework, or another official within your organization, such as a Chief Privacy Officer. Under the Privacy Shield, organizations must respond to individuals within 45 days of receiving a complaint.
Source: Department of Commerce
One of the most significant provisions establishes accountability regarding the “onward transfer” of personal data. That provision explicitly requires companies transferring data to enter into a contract with the third-party data controller stating that such data may only be processed for limited and specified purposes consistent with individual consent.
Furthermore, third parties that process data on behalf of Privacy Shield companies must guarantee the “same level of protection” as the Privacy Shield companies themselves. If the third-party data processor is no longer able to ensure the necessary level of data protection, it must then inform the certified company.
“The contract shall provide that when such a determination is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate,” Privacy Shield states. If the agent processes personal data in a manner inconsistent with the Privacy Shield’s principles, the company will be liable, unless it can prove that it was not responsible.
For companies that were not previously certified under Safe Harbor, they may need to start by mapping their data flows to get a good handle on exactly what data is coming and going: Who are your service providers? What information do those service providers handle? What are you transferring to them?
The final Privacy Shield framework, however, does offer a carrot: Companies that certify within the first two months of the effective date of the Privacy Shield will get a grace period of nine months from the date of certification to bring contracts into compliance; companies that wait until Oct. 1 will need to have all their contracts already in compliance before they can be Privacy Shield certified. “Companies that are interested in Privacy Shield certification will want to move quickly to take advantage of the grace period,” Koenig says.
Being Privacy Shield compliant, as under the Safe Harbor, calls for having robust security controls in place. Companies that create, maintain, use or disseminate personal information must take “reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction,” the Privacy Shield states.
A stricter limitation has also been placed on data processing by requiring companies “not to process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.”
The Privacy Shield makes more explicit the limitations on data retention provisions by stating that companies may retain personal data only for as long as it serves the purpose for which it was initially collected, a requirement that for mature companies shouldn’t be too burdensome. “Data minimization is already a best practice,” says David Zetoony, a partner at law firm Bryan Cave who leads the firm’s global data privacy and security practice.
EU citizens will have multiple avenues through which they can seek recourse from companies that may have violated their rights under the Privacy Shield, significantly increasing the prospect for more liability, including more enforcement actions and greater accountability.
For example, the Privacy Shield encourages individuals to raise any concerns or complaints with the company itself, which must have in place a free-of-charge Alternative Dispute Resolution mechanism, and must respond to any complaints within 45 days. Although many companies already have a dispute resolution mechanism in place, those that don’t will now have to decide what independent dispute resolution body they want to use.
EU citizens can also go to their national data protection authorities, who will work with the Commerce Department and FTC to ensure that unresolved complaints are investigated and resolved. If a case is not resolved by any of the other means, individuals will have the option of a “prompt, independent, and fair mechanism” to resolve claimed violations of the principles that may not be resolved by any of the other Privacy Shield mechanisms.
Given that many U.S. companies try to insert arbitration provisions into their consumer contracts as a way to stay out of court, this should be a welcome option. “When the dust settles and the business community steps back, they’re going to realize they actually like this provision,” Zetoony says.
The final version of the Privacy Shield clarifies that the U.S. ombudsperson—a position that has been established to oversee complaints—must be completely independent of U.S. intelligence agencies. In this regard, the final framework states that the ombudsperson will be able to rely on independent oversight bodies with investigatory powers—such as the Inspector Generals or the Privacy and Civil Liberties Oversight Board.
The first step is deciding whether it’s in the company’s best interest to self-certify to Privacy Shield, whether a company previously certified under the Safe Harbor or not. The answer depends on a number of factors, including:
How mature are the other data transfer compliance mechanisms that the company has in place, such as its model contracts and binding corporate rules?
How mature is the company’s data privacy program, including its resolution mechanism?
What is the scope of the company’s global footprint?
What level of exposure does the company have to EU citizens?
Is the company in an industry that’s regularly targeted by regulators?
What is the company’s current state of third-party contracts?
The next step would be to have an actual action plan to become Privacy Shield certified. Koenig recommends a five-step checklist to certify under Privacy Shield:
Validate security safeguards with a customized security questionnaire deployed to system, application and interface owners who handle data that are subject to the certification.
Address onward transfers by reviewing and revising existing contracts for third-party vendors and other onward transferees.
Update training for employees who have access to EU citizen data.
Compile within a single compliance binder documentation that supports the company’s Privacy Shield certification—such as policies and procedures, a gap assessment report, and contract addendums.
Many companies may be reluctant to become Privacy Shield compliant because they don’t want to pour time and resources into a framework that could suffer the same fate as the Safe Harbor: invalidation.
“The biggest concern is the uncertainty,” says Cynthia O’Donoghue, a partner at law firm Reed Smith and leader of the firm’s international information technology, privacy & data security team. “Most of what I’m hearing is that companies want to take a wait-and-see approach.”
Even if Privacy Shield is challenged in European courts—and further complicated by Brexit if the U.K. adopts its own approach to data privacy—waiting is not the answer. First, companies deferred prosecution because of uncertainty around the Safe Harbor, then Privacy Shield, and now some companies are deferring data privacy compliance even further as they wait for EU member states to implement the provisions of the General Data Protection Regulation (GDPR), Zetoony says. “You can’t put off compliance forever,” he says.
For any U.S. company that collects and handles data on EU citizens, the time to review privacy policies and practices and contracts with service providers and customers is now. “It’s not too soon to be thinking about GDPR compliance,” says Kendall Burman, cyber-security and data privacy counsel at law firm Mayer Brown. “We’ve been advising folks to think about them in combination, to think about Privacy Shield as being an additional step toward GDPR regulations.”