U.S. companies receiving personal data from the European Union (EU) can now do so by certifying their compliance with the newly approved Privacy Shield framework. Privacy Shield has been dubbed by some as "Safe Harbor 2.0," although critical differences impact companies' obligations under this new framework.
As previously noted in our alert about the initial agreement between the European Commission and the U.S. Department of Commerce, the Privacy Shield authorizes transfers of EU personal data to the United States, and is intended to replace the Safe Harbor agreement invalidated by the European Court of Justice in October 2015. EU law requires that EU residents' personal data continue to benefit from the high level of protection afforded under EU law when transferred to the United States.
Certification Requirements and Obligations
The EU-U.S. Privacy Shield is based on a system of self-certification by which U.S. organizations commit to a set of privacy principles – the EU-U.S. Privacy Shield Framework Principles (the Principles).
To avail itself of the Privacy Shield as a streamlined avenue through which to transfer personal data from the EU, participating U.S. organizations must:
- Publicly commit to only process Europeans data in accordance with the Principles;
- Annually re-certify their compliance to the U.S. Department of Commerce;
- Provide free independent dispute resolution to EU individuals;1 and
- Be subject to the authority of the U.S. Federal Trade Commission (FTC), Department of Transportation (DOT), or another enforcement agency. A participating organization's failure to comply with the Principles constitutes a violation of Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45(a)) prohibiting unfair or deceptive acts or practices.
The Principles require organizations transferring personal data from the EU to the United States to comply with the following:
Notice: Organizations must notify individuals clearly and conspicuously of several items, including the types of data collected, the purposes for which the data is collected, any third parties to whom personal data may be transferred, and available dispute resolution mechanisms if individuals have complaints regarding the organization's treatment of their data.
Choice: Organizations must offer individuals the opportunity to choose (opt out) whether their personal information is to be disclosed to a third party or used for a purpose that is materially different from the purposes for which it was originally collected. The individual must affirmatively opt in to allow disclosure of sensitive data (including health or medical data, or data identifying racial or ethnic origin, political opinions, religious beliefs, sexual identity or trade union membership) to a third party or use for a materially different purpose.
Accountability for Vendor Agreements: Organizations must include provisions in their contracts with vendors to whom EU personal data will be disclosed that the data may only be processed for the limited and specified purposes consistent with the consent provided by the individual, and that the vendor will provide the same level of protection as the Principles.
Security: Participating organizations "must take reasonable and appropriate measures to protect [data] from loss, misuse and unauthorized access, disclosure, alteration and destruction." These measures must be appropriate to the "risks involved and the nature of the personal data."
Data Integrity and Purpose Limitation: Organizations must limit their collection to only relevant personal data. They also must "take reasonable steps to ensure that collected personal data is reliable for its intended use, accurate, complete, and current."
Access: Organizations must allow individuals access to their personal data, and permit them to correct, amend or delete such information where it is inaccurate or has been processed in violation of the Principles.
Dispute Resolution/Recourse and Remedies: To address any disagreements regarding potential misuse of data, organizations must have in place policies and practices to investigate and resolve disputes, and provide detailed contact information for any inquiries or complaints. They also must either select an independent recourse mechanism or declare their election to cooperate directly with European data protection regulators. If a complaint still remains unresolved, an individual may be permitted to seek arbitration.
In addition, organizations participating in Privacy Shield need to have in place a procedure for verifying ongoing compliance with the Principles on an annual basis, using either a self-assessment or third-party assessment program. Assessment and compliance documentation must be retained, and provided to the U.S. Department of Commerce upon request.
Dispute Resolution and Redressing Complaints
The Privacy Shield also boosts cooperation between the U.S. Department of Commerce and European data privacy regulators to strengthen compliance monitoring. Companies receiving EU data under the auspices of the Privacy Shield should prepare for and address potential complaints by individuals who believe their data has been misused under the Privacy Shield. Individuals have several options to lodge a complaint against a company handling their data in the United States under the Privacy Shield:
Company Contact: As noted above, to qualify for Privacy Shield certification a company must provide contact information for complaints. The company must respond to a complaint within 45 days of receipt, stating whether the complaint has merit and, if so, the remedy the organization will provide.
Independent Recourse Body: Organizations must elect whether to use an EU regulatory body, or an independent ADR entity such as the Council of Better Business Bureaus (BBB), TRUSTe, the American Arbitration Association (AAA), JAMS, or the Direct Marketing Association (DMA), as its appointed independent complaint recourse option. For personal EU human resources (personnel) data, a company must agree to EU regulatory oversight. Therefore, European employees may always go to their country's data protection regulatory authority with complaints concerning employment-related data transferred to the United States. EU data protection authorities will provide written advice to the subject organization within 60 days of receiving a complaint, and will also provide a copy of the advice to the complaining individual. The organization then has 25 days to comply with the authority's recommendations. Failure to do so may result in referral of the case to the FTC for an enforcement action and/or the Department of Commerce for revocation of the organization's Privacy Shield certification. Where the complaint reveals that the transfer of EU personal data to the U.S. violates EU data protection law, in certain instances the EU data protection authorities can order suspension of future data transfers out of the EU.
Privacy Shield Panel: If an individual's complaint remains unresolved after using the dispute resolution mechanisms described above, the complainant may seek redress through binding arbitration in accordance with rules set forth in Annex 1 to the Privacy Shield agreement. The Privacy Shield arbitration panel (consisting of one or three arbitrators, as agreed by the parties) has the authority to impose individual-specific, non-monetary equitable relief (such as access, correction, deletion, or return of the individual's data) necessary to remedy the violation of the Principles. Individuals and Privacy Shield organizations will be able to seek judicial review and enforcement of the arbitral decisions under the Federal Arbitration Act.
Tougher Rules and Future Uncertainty
Participating in Privacy Shield imposes greater obligations upon self-certifying organizations than previously existed under the Safe Harbor framework. Organizations must adapt their data governance and transfer programs and maintain policies and practices to ensure Privacy Shield compliance, particularly concerning required notices, data access rights, contractual vendor requirements, individuals' opt in and opt out rights, and dispute recourse mechanisms.
Given prior legal challenges leveled against the Safe Harbor framework, and concerns voiced by privacy advocates whether the Privacy Shield will meaningfully protect EU consumer privacy, the future viability of the Privacy Shield remains uncertain. In particular, critics cite the continued access to EU data by the U.S. government, and that EU citizens do not have meaningful redress for misuse of their data despite the required dispute resolution process, as reasons the Privacy Shield is fatally flawed and cannot withstand judicial challenge. In fact, the head of one German data protection authority has publicly expressed an intention to challenge the validity of the Privacy Shield agreement in a German national court. Therefore, companies considering participation in the Privacy Shield should also explore alternative authorized mechanisms to support their trans-Atlantic data transfers, such as binding corporate rules, consent or standard contractual clauses (i.e., model clauses).
Regardless, the first wave of companies participating in the Privacy Shield was announced late last week by the Department of Commerce. While the list does not include tech giants like Google and Facebook, which had previously relied upon the former Safe Harbor mechanism to transfer data from the EU to the United States, it does include Microsoft, Salesforce, AssureSign, and more than 30 other companies.
1 Organizations like the Council of Better Business Bureaus (BBB), TRUSTe, the American Arbitration Association (AAA), JAMS, and the Direct Marketing Association (DMA) have developed programs that assist in compliance with the Privacy Shield's dispute resolution and enforcement requirement. Alternatively, organizations may choose to cooperate and comply with the EU data protection authorities a data. In doing so, an organization must follow the procedures outlined in the Principles.