The European Commission recently released details of the new Privacy Shield framework designed to heighten protections for transferring European Union residents’ personal data to the U.S. Although its approval faces procedural hurdles, Privacy Shield could provide a much-needed solution for organizations seeking to respond to Safe Harbor’s invalidation. At more than 130 pages, the Privacy Shield package is dense, and potentially daunting. But never fear, we here at the Westin Research Center have picked through it with a fine-toothed comb.
The Privacy Shield contains detailed requirements for U.S. organizations to safeguard EU residents’ personal data. It also requires organizations to implement binding recourse mechanisms for EU residents to pursue potential violations. Privacy professionals should begin now to consider operational reforms in anticipation of the Privacy Shield’s approval, which could come as early as June.
Background on “adequacy”
The EU’s Data Protection Directive 95/46/EC prohibits the transfer of personal data from Europe to a third country, unless that country “ensures an adequate level of protection.” Only the European Commission may find a country’s protections adequate, and it may do so by virtue of that country’s “domestic law or international commitments.”
Rather than adopting comprehensive privacy legislation, the U.S. negotiated the Safe Harbor framework, which the Commission found adequate in 2000. Safe Harbor, like the proposed Privacy Shield, relied on the concept of enforceable self-certifications to assure adequate protection. Organizations could publicly commit to uphold certain principles for protecting personal data. Because these commitments were public, they became enforceable by the Federal Trade Commission in the U.S. under its Section 5 authority over unfair and deceptive acts and practices. Thus, without legislation, Safe Harbor offered a means of providing enforceable protections for personal data. The concept of self-certification is explicitly endorsed in the EU’s new General Data Protection Regulation (GDPR) as a means of securing international data transfers.
Under the negotiated framework, organizations certifying their compliance with the Privacy Shield Principles will be authorized to transfer the personal data of EU residents to the U.S. In essence, this process requires the organization to make two binding commitments. First, the organization must commit to the U.S. Department of Commerce that it will adhere to the Principles. Second, the organization must publicly declare its commitment, thereby promising to individuals that it will process data only in accordance with the Principles.
An organization seeking certification with the Department of Commerce must provide a detailed description of its activities involving EU residents’ personal data and its related privacy policies. The certification application must be signed by a corporate officer and renewed annually.
The Privacy Shield Principles extend beyond what was required by Safe Harbor, aligning closely with the heightened requirements of the GDPR. Thus, organizations that certified to Safe Harbor may need to update their policies to meet the detailed obligations set out in the Principles.
Privacy Shield embraces seven Principles for assuring the adequate protection of personal data. We will address the first six, which we call “data subject rights,” together, and the final principle—“recourse, enforcement and liability”—separately.
• Enhanced Data Subject Rights
The Privacy Shield Principles mirror those in the Safe Harbor framework, but each is expanded to offer greater protection for individuals.
Participating organizations must provide individuals, in clear and conspicuous language, with notice of the organization’s participation in Privacy Shield, the type of data collected, and the purposes for which the data is collected. Individuals also must be informed of any third parties to whom their data will be transferred, their right to access their data, and the means for limiting the use and disclosure of their personal data. Finally, the organization must describe available recourse mechanisms and acknowledge the FTC’s (or other statutory body’s) enforcement authority.
Organizations must provide “clear, conspicuous, and readily available mechanisms” by which individuals can opt out of any disclosure of personal data to a third party or the use of data for a purpose other than the one for which it was initially collected.
For sensitive information, including data related to health, racial or ethnic origin, political and religious opinions, trade union membership, or information revealing an individual’s sex life, the individual must affirmatively opt in to allowing the organization to disclose the information to a third party or use the information for a separate purpose.
- Accountability for onward transfer / vendor agreements
Privacy Shield expands regulation of and accountability for third party personal data transfers. A Privacy Shield certified organization must specify in third party contracts that transferred personal data “may only be processed for limited and specified purposes consistent with” the data subject’s consent. Third parties must agree to “provide the same level of protection as the Principles.”
Where the third party is acting as an agent, such as a vendor, the organization must in addition “take reasonable and appropriate steps” to ensure the agent upholds the Principles, including to stop and remediate any unauthorized processing. This downstream data protection accountability puts significant pressure on vendor selection and monitoring practices. A Privacy Shield certified organization must even provide the DOC with relevant third party contractual provisions, which place some restrictions on contractual confidentiality.
Regardless of contractual language, moreover, a Privacy Shield certificate holder remains liable to the data subject for its vendor’s violation of the Principles, unless it “proves that it is not responsible for the event giving rise to the damage.”
Like under Safe Harbor, participating organizations “must take reasonable and appropriate measures to protect [data] from loss, misuse and unauthorized access, disclosure, alteration and destruction.” These measures must be appropriate to the “risks involved and the nature of the personal data.”
- Data integrity and purpose limitation
Privacy Shield maintains the requirement that the data must be “relevant for the purposes of processing,” but it introduces language requiring organizations to “limit” collection to only the relevant data. Organizations also must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.”
Even after certification has lapsed, moreover, an organization remains bound by the Principles when processing data collected under the Shield. This presents significant data management issues for long-term data processing, including risk disclosures in merger and acquisition transactions.
Organizations must provide individuals with access to their personal data as well as the opportunity to correct, amend, or delete information that is inaccurate or processed in violation of the Principles.
Privacy Shield sets out detailed rules for how organizations should comply with the access principle. Organizations must provide individuals the opportunity to confirm whether their personal data is being processed, as well as whether the data is accurate and whether the organization is processing it lawfully. They may charge a fee for access as long as it is “not excessive,” and they must respond within a reasonable time and in a reasonable manner.
An organization may restrict access to data “in exceptional circumstances where the legitimate rights of persons other than the individual would be violated or where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy.” An organization also may deny access where it could reveal confidential commercial information, such as trade secrets. Organizations need not retain data merely to comply with access requests.
Additionally, access may be restricted in a number of situations, including where disclosure would interfere with national security, defense, public security, or research.
• Recourse, enforcement and liability
One of the most significant changes in the Privacy Shield is the introduction of detailed mechanisms for recourse and dispute resolution. Organizations will need to implement processes for handling complaints in order to obtain the approval from the Department of Commerce to operate under the Privacy Shield. Therefore, these new obligations are relevant for all organizations, not just those that are faced with alleged violations.
Privacy Shield sets out three requirements for effective enforcement: “(a)(i) recourse for individuals to whom the data relate; (a)(ii) follow up procedures for verifying that the attestations and assertions they have made about their privacy practices are true; and (a)(iii) obligations to remedy problems arising out of failure to comply with the Principles and consequences for such organizations.”
- (a)(i) Recourse and (a)(iii) Remedies
Privacy Shield treats these two elements together. Organizations are required to implement “independent recourse mechanisms,” distinct from the FTC’s authority to bring enforcement under Section 5, that are empowered to provide remedies. Unlike internal dispute processes such as those created pursuant to section 512 of the Digital Millennium Copyright Act, Privacy Shield requires the use of third party dispute resolution bodies, based either in the U.S. or the EU, to investigate and resolve complaints. Importantly, they must respond to complaints within 45 days and provide resolution free of charge to users. Alternatively, an organization also may elect to appoint a panel of Data Protection Authorities (DPAs) from the EU Member States as the independent recourse mechanism.
These dispute resolution bodies must be empowered to provide users with remedies for violations, including compensation, suspending a Privacy Shield certification, or publicizing an organization’s non-compliance. In the case of a DPA panel, an organization must comply with its advice within 25 days. If the organization fails to do so, the DPA panel may refer the matter to the FTC.
If an organization selects a dispute resolution body other than a DPA panel, the individual may refer an organization’s failure to comply to the DPA of her Member State of residence. The DPA may subsequently notify the Department of Commerce to resolve the complaint. If the DOC fails to do so, Privacy Shield provides for binding arbitration. The individual must, however, exhaust all other options before seeking arbitration.
- (a)(ii) Verification
The verification requirement ensures that organizations actually implement the policies they promise. An organization can meet this requirement either through self-assessment or outside compliance reviews.
Self-assessment: An organization can self-assess by certifying that its policies comply with the Principles and that it has procedures for training employees, disciplining misconduct, and conducting periodic reviews. A corporate officer or other representative must sign the self-assessment at least once per year.
Outside compliance review: Outside compliance reviews are where an organization engages an outside party to assess its compliance with the Privacy Shield Principles. They must be conducted at least once per year and signed by the outside party or a corporate officer.
Human Resources Data
Several administrative steps remain before the Privacy Shield will come into force, including review and approval by EU representative bodies. Approval may come as early as June, but it could take longer. Already, some EU politicians have expressed their opposition to the agreement.
If and when it is approved, the Department of Commerce will deliver the text for publication in the Federal Register within 30 days. Organizations that self-certify to the Principles in the first two months after publication must bring all existing relationships with third parties into conformity as soon as possible, but no later than within nine months. Accordingly, organizations anticipating obtaining Privacy Shield certification should account for it when negotiating third party agreements now.
After the initial two months from the effective date, the Principles become binding upon an organization immediately upon certification.
Privacy Shield imposes significantly greater obligations upon organizations and their vendors than existed under the Safe Harbor framework. In the context of the rights accorded to individuals, these new requirements mirror those set out in the GDPR. Privacy Shield also includes detailed mechanisms for resolving disputes and providing recourse for individuals whose rights have been violated. Given these heightened obligations, organizations that intend to certify to the Shield should consider updating their policies around notice, choice, access, onward transfers, and recourse, as well as reviewing their standard vendor agreements, even if they have already met the Safe Harbor Principles.
Image courtesy European Commission.
If you want to comment on this post, you need to login.