EU-U.S. Privacy Shield: Companies Can Now Certify


As of August 1, 2016, U.S. companies can join the Safe Harbor successor, the EU-U.S. Privacy Shield (the “Privacy Shield”), for personal data transfers from the EU to the U.S.

This post gives a high level summary of what companies should consider with the Privacy Shield.

Background:

On July 12, 2016, the European Commission (the “Commission”) formally adopted the adequacy decision necessary to implement the Privacy Shield. This means that transfers of personal data from the EU to the U.S. that are made pursuant to the Privacy Shield’s requirements are lawful under EU law.  The Privacy Shield replaces the EU-U.S. Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union (“CJEU”) on October 6, 2015.

Which companies may be interested in certifying?

In general, any company located in the U.S. that receives personal data from the EU should understand the legal basis for its data transfers to the U.S.  If the transfers it engages in are not subject to an EU-approved data transfer process, it should evaluate whether the Privacy Shield is appropriate.

U.S. companies that previously used the Safe Harbor Framework as a basis for transferring data may be interested in certifying; however, they should take the time to understand the additional obligations that the Privacy Shield involves.  The Privacy Shield has stricter requirements and enforcement provisions than the Safe Harbor Framework; however, even with these stricter requirements it may offer the most efficient way for U.S. companies that need to transfer personal data from the European Union/EEA to comply with EU requirements.

There is no uniform answer to the question of whether a company should join the Privacy Shield.  For example, there may be another viable method for personal data from the EU to be transferred to the U.S.—such as model contractual clauses, binding corporate rules, or even, potentially, a narrow exception such as consent.  The nature of the company’s activities and personal information it transfers to the U.S. may also be relevant in assessing what the company’s obligations are and the relative level of legal risk it faces.

Whether Privacy Shield is appropriate for a company should be determined on an individual basis that takes into account:

  • Whether the company will be making its own decisions about how the data will be used and processed, or merely carrying out activities on behalf of another company (i.e., acting as a data controller or data processor);
  • The overall compliance level the data-receiving company has already achieved under the new Privacy Shield requirements; and
  • Whether the company believes that its EU customers will want it to rely on the Privacy Shield.

For example, U.S. companies that want to process EU personal data on behalf of their EU customers should carefully weigh whether joining the Privacy Shield is sensible or whether use of the EU Model Clauses for Processors is more appropriate. If EU customers will still expect U.S. companies to enter into direct data processing agreements with them—which are often nearly as burdensome as the EU Model Clauses—then it may not be worth joining the Privacy Shield.

As a result of the well-documented concerns around Safe Harbor and the need for a written data processing agreement, it may be that EU customers insist on using the EU Model Clauses despite a U.S. company certifying under the Privacy Shield.

What are the advantages and disadvantages of Privacy Shield?

Whether the Privacy Shield is appropriate for a company should be examined on a case-by-case basis, as there will be advantages and disadvantages that vary from company to company. The clearest advantage is having an EU-approved method of transferring personal data from the EU to the U.S. without the need for implementing binding corporate rules, entering into EU Model Clauses or other data processing agreements.

However, there are potential disadvantages for U.S. companies. For example:

  • Participation in the Privacy Shield may require significant due diligence, policy and practice changes, as well as ongoing obligations, to ensure compliance;
  • Once joined, all data received pursuant to the Privacy Shield program must be permanently protected by the Privacy Shield—or equivalent protections—which may be hard to implement where data are commingled;
  • The level of detail and types of provisions required in a privacy policy may be onerous, and, if not complied with, could increase the likelihood that the company will face scrutiny or lawsuits for its privacy practices in the U.S.; and
  • U.S. companies may have difficulty complying with the onward transfer restrictions, as service providers and third parties they do business with may not be willing to comply with the same types of requirements.

How can companies certify?

U.S. companies that want to use the Privacy Shield as a transfer mechanism must certify using the U.S. Department of Commerce’s (“DOC”) newly launched Privacy Shield website: https://www.privacyshield.gov/welcome. Companies that certify must comply with the Principles and applicable Supplemental Principles set forth in the Privacy Shield documentation.  Some of the key requirements include the following:

1. Confirm eligibility to participate in the Privacy Shield

Any U.S. company under the jurisdiction of either the Federal Trade Commission (“FTC”) or the Department of Transportation (“DOT”) is eligible for self-certification:

a. The FTC’s jurisdiction covers, in general, all acts or practices in or affecting interstate commerce by any “person, partnership, or corporation.” This includes most companies, but the FTC’s jurisdiction does not cover certain financial institutions, common carriers, or air carriers.

b. The DOT has exclusive jurisdiction over U.S. and foreign air carriers.

2. Develop a Privacy Shield-compliant privacy policy

An external Privacy Shield-compliant privacy policy must be developed before a company submits its self-certification to the Department of Commerce.

The privacy policy, which must be publicly posted, must comply with the Privacy Shield Principles and applicable Supplemental Principles, which require disclosure of thirteen specific matters related to how the company processes personal information.  For example, the following matters must be included in the privacy policy:

a. A commitment to comply with the Privacy Shield;

b. Information about the company’s data-handling practices and the choices the company offers to individuals regarding their personal data (namely the choice to opt out);

c. Information about the purposes for which the company collects and uses personal information; and

d. Identification of the types of third parties that the company discloses personal information to, and the purposes for doing so.

3. Verify compliance

The company is required to verify that its internal practices and procedures comply with both the Privacy Shield Principles and applicable Supplemental Principles, and with the representations that it makes in its privacy policy. This verification will require the company to have processes and procedures that enable it to fulfill each of the Privacy Shield Principles and applicable Supplemental Principles, including, for example, to: offer individuals the choice about sharing of personal information with third parties or using it for new purposes; have appropriate information security controls in place; limit the amount of personal information collected to the information necessary to fulfill the purpose of collection; and limit the period for which personal information can be retained.

To meet the verification requirement, the company may use either a self-assessment program or an outside/third-party assessment program. The verification must be attested to by a corporate officer of the company, or another authorized official, and it must be re-attested annually.

The verification must be complete before participating in the Privacy Shield framework, and any gaps identified during the verification process should be remedied before participating.

4. Have processes for responding to complaints and access requests

The company will need to have processes to respond to inquiries by individuals promptly, and in any event within forty-five (45) days.  Individuals are also entitled to access personal information about them, including to request correction, amendment, or deletion of the information, and companies have obligations to ensure that the personal information they possess is reliable, accurate, complete and current.  The company will need policies and procedures to grant these rights and comply with the obligations they involve.

5. Assess third party data sharing and contracts

Privacy Shield requires a company to be accountable for third parties that it shares personal information with—including service providers, business partners, or other third parties.  Before certifying, the company should identify what third parties it shares personal information with, and assess whether its contracts with those third parties comply with the Privacy Shield requirements.  Among other things, this will require contractual provisions that limit the purposes for which personal information can be processed, and require privacy protections consistent with Privacy Shield.  These and other “onward transfer” requirements may require amendments to existing company contracts, and a reexamination of vendor management and contracting processes.

For companies that join Privacy Shield within the first two months, there is a grace period to meet this requirement.

6. Select an independent recourse mechanism

The company must provide an independent recourse mechanism to investigate any complaints that an individual raises that it is not able to resolve to the individual’s satisfaction.

An independent recourse mechanism cannot be internal to the company.  Companies can utilize private sector dispute resolution programs as the independent recourse mechanism. Alternatively, organizations may choose to cooperate and comply directly with the EU data protection authorities regarding all types of data (this is mandatory when HR data are concerned).

The company must ensure that its independent recourse mechanism is in place prior to self-certification and the recourse mechanism must be disclosed in the company’s privacy policy.

7. Designate a contact person

Each company is required to provide a contact person for the handling of questions, complaints, access requests, and any other issues arising under the Privacy Shield. This contact must be named in the privacy policy.

For more details on the Privacy Shield, or for help exploring whether it is appropriate for your company, please contact any member of Orrick’s Cybersecurity and Privacy team.