By Mary Kate Bonner and Andrew Baer
The United States government and the European Union are moving forward with a framework to enable transfers of personal data from the EU to the U.S. On February 29, the U.S. Department of Commerce released a draft of the EU-U.S. Privacy Shield Framework, which includes the Privacy Shield Principles that U.S. organizations must comply with if they want to receive personal data from the EU. On the same day, the European Commission released a draft of its adequacy decision, the finding needed to establish that the Privacy Shield ensures an adequate level of protection for personal data transferred to participating organizations. While the adequacy decision is still under review and has not yet been adopted, U.S. companies should prepare now to implement the measures needed to comply. The Commerce Department plans to accept self-certification submissions from organizations as soon as the framework is approved on both sides of the Atlantic, which is expected sometime in mid-2016.
While those familiar with the now-invalidated Safe Harbor Framework will recognize many of the principles and requirements, there are several new provisions as well. The State Department, Commerce Department, and Federal Trade Commission each have implementing work ahead of them. U.S. organizations can prepare now to participate in the new Framework.
Transfers of personal data from the EU to the U.S. are currently permitted if the parties have agreed to Standard Contractual Clauses (SCCs) or, for transfers between affiliates within a multinational organization, Binding Corporate Rules. A SaaS provider hosting data, for example, would need to execute the SCCs with every client whose data is transferred from the EU. The Privacy Shield Framework, like Safe Harbor before it, simplifies the legal process for data sharing: U.S. organizations that comply with the requirements of the Framework, including the Privacy Principles listed below, can self-certify their compliance with the Commerce Department, and the parties then do not need to execute SCCs to permit the transfer. Before self-certifying, U.S. organizations should review their technical and organizational measures for data security to confirm that they can comply with the Privacy Principles, and implement any necessary changes, including updating privacy policies.
Self-certification must be renewed annually. If a participating organization later leaves the list (whether voluntarily or as a result of U.S. administrative enforcement), it must either delete all EU personal data received under Privacy Shield or continue to apply the Privacy Principles to that data and affirm that commitment annually.
1. Notice – Organizations must provide individuals with information about the processing of their personal data. This is typically done in privacy policies, often published online or included in employee handbooks or other human resources documents. The policy should specify what data is collected, how and why it is used, who else can access it, and what options individuals have. Privacy policies must also include links to the Commerce Department, to the Privacy Shield list of participating organizations, and to an appropriate independent dispute resolution provider for complaints concerning personal data (the dispute-resolution requirements are part of the Framework's seventh Principle, Recourse, Enforcement and Liability).
2. Choice – Individuals can choose not to allow their personal data to be disclosed to third parties, to be used for a purpose other than the one for which it was collected, and/or to be used for direct marketing. Organizations need a mechanism that allows individuals to opt out, and can describe it, along with contact information, in their privacy policies.
3. Security – An organization’s data security practices must be “reasonable and appropriate” in light of both the data itself (including the sensitivity of the type of data) and processing activities (e.g., storage, onward transfer, modification, or merging with other data).
4. Data Integrity and Purpose Limitation – Because the Notice principle requires that individuals be told the purposes for which their personal data is processed, organizations may process personal data only for those stated purposes or purposes compatible with them. Organizations must also take reasonable steps to ensure that the data is accurate, complete, and current.
5. Access – Organizations must give individuals access to the personal data held about them and allow them to correct, amend, or delete it where it is inaccurate or has been processed in violation of the Principles.
6. Accountability for Onward Transfer – Organizations that use subcontractors to process data on their behalf must contractually require that the subcontractors provide personal data a level of protection at least as robust as that required by the Privacy Principles. If a subcontractor fails to comply, the organization is presumed liable for the failure unless it can rebut that presumption by proving that it was not responsible. This reverses the presumption that applied under the Safe Harbor Framework. Organizations should monitor their subcontractors on an ongoing basis and keep up-to-date records of audits and other monitoring and enforcement measures.
Although many of the changes from Safe Harbor to Privacy Shield concern oversight and enforcement, organizations can prepare now to meet these requirements so that they can continue to receive personal data from the EU. Organizations already compliant with Safe Harbor may not have much work ahead, but the period before Privacy Shield takes effect is an opportunity to review policies and practices, update them as needed, and confirm the organization's compliance.
For any questions on how this may impact your business, or for assistance with Privacy Shield, such as updates to privacy policies or self-certification, you can contact Mary Kate Bonner (firstname.lastname@example.org) or Andrew Baer (Andrew@baercrossey.com). Baer Crossey McDemus will present a free webinar on April 19, 2016, so stay tuned for more information.