After months of negotiations, it’s official: the EU-US Privacy Shield has been formally approved on both sides of the Atlantic, by the EU Commission and the US Commerce Department, despite concerns surrounding the adequacy of its earlier version.
The Shield is one of the legal mechanisms for transferring EU individuals’ personal information from the European Union to the United States. It is the replacement for the US-EU Safe Harbor framework, which was invalidated by the EU’s highest court last year. Earlier this year, both the Commission and Commerce announced the Shield as the product of their labor to negotiate a new data transfer framework. They shortly thereafter released the first text of the Shield, which was met with criticisms, particularly on the EU side, leading the two parties to revisit their negotiations and come up with a stronger framework.
We have reviewed the final text of the Shield, compared it to the first draft, and highlighted below its important aspects, for you to consider.
Why Should You Care?
Global companies that transfer personal information—specifically, the transfer of EU individuals’ personal information, from the EU to the US—must have a legal mechanism in place for doing so. Otherwise, they would be in violation of strict EU data protection laws. The recently passed GDPR would subject violators to fines up to 4% of its global annual turnover for undertakings, or 20,000,000 EUR, whichever is greatest. The GDPR allows for multiple mechanisms—including Binding Corporate Rules, Standard Contractual Clauses, EU adequacy decisions, and a framework like the Shield—for legally transferring data. From the US side, companies that choose to participate in the Shield, but fail to comply with its requirements could be subject to independent recourse mechanisms, FTC enforcement actions, or actions under the False Statements Act (for persistent failures to comply).
What Do You Need to Know?
The Shield has 7 main requirements surrounding the following familiar privacy principles:
Participating companies must provide individuals whose data they collect certain types of information, including: their participation in the Shield, the types of data they collect, their commitment to Shield Principles, their purposes for collecting data, how to contact them about Shield-related inquiries, how individuals can exercise their Shield rights, and so on.
Participating companies must provide individuals with certain options regarding how their data will be handled.
III. Accountability For Onward Transfer
Participating companies must implement certain contract provisions, only transfer data for a limited purpose, remediate unauthorized processing of personal information, provide Commerce with a copy or summary of its data protection contract provisions, in addition to other obligations.
Participating companies must take reasonable and appropriate measures to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
V. Data Integrity And Purpose Limitation
Participating companies must limit their information collection to their stated processing purpose, and should not process information in a manner that is incompatible with stated purpose.
Participating companies must provide individuals with access to personal information about them and allow them to correct, amend, or delete information that is inaccurate or has been processed in violation of the Shield. The Shield provides an exception here for when the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy, or where other individuals’ rights would be violated.
VII. Recourse, Enforcement And Liability
The Shield requires participating companies to provide individuals with an “independent recourse mechanism” for investigating and resolving most complaints and disputes under the Shield. The Shield provides requirements for and illustrative examples of these independent recourse mechanisms (e.g. private sector-developed program incorporating Shield Principles, with an enforcement mechanism), but it still remains to be seen what these will look like. In addition, individuals have the ability to invoke binding arbitration for “residual” claims, which exclude questions of the Shield’s adequacy or exceptions to the Shield’s Principles. Participating companies must also respond promptly to inquiries and requests by the FTC and Commerce and to complaints referred by EU Members States.
In addition to the above main principles, the Shield also has supplemental provisions covering sensitive data, journalistic exceptions for data collected for publication, secondary liability, due diligence and audits, and others.
How the Final Text Differs From the Earlier Version
The Shield’s final text addresses EU regulators’ concerns regarding the previous proposal. The following summarize the differences between the first and final texts:
- Data Retention. Participating companies must delete personal data that no longer serves the purpose for which it was collected.
- Contracting. Participating companies must flow down the same level of protections and obligations to third parties that handle EU personal information.
- US Bulk Surveillance. The US government clarified that bulk surveillance will be authorized only in exceptional circumstances or where targeted collection is not feasible, and assured that there will be safeguards to minimize the amount of data collected and subsequent access to the collected data.
- Ombudsperson’s Independence. While Shield’s earlier text already included the appointment of a US Ombudsperson for inquiries regarding the US’ intelligence practices, EU data protection regulators questioned the Ombudsperson’s independence and powers. These are clarified in the final Shield text, as follows: (a) the Ombudsperson will be able to rely on independent oversight bodies with investigatory powers, such as the Inspector-Generals or the Privacy and Civil Liberties Oversight Board; and (b) the US Secretary of State will ensure that the Ombudsperson will have the means to ensure that its response to requests is based on all necessary information.
Companies should determine whether joining the Shield makes sense for them, and, if so, begin preparations for self-certification. They should have this discussion, at the very least, with their privacy and security officers, legal counsel, and compliance and audit teams.
Why to and Why Not to Join the Shield
As previously stated, a company that engages in substantial data transfers from the EU to the US must have a legal mechanism for doing so, in order to comply with European data protection law. Whether the Shield (versus other mechanisms such as BCRs or SCCs) makes sense for a company depends on several factors, including operations, compliance posture, risk appetite, and privacy and security program maturity. Joining the Shield could subject a company to increased FTC scrutiny, because the FTC has indicated that it will prioritize referrals from EU regulators regarding Shield compliance.
If a company decides to join the Shield within two months from its effective date of July 12, 2016, it will have 9 months from the day it joins to renegotiate contracts with existing third parties who handle EU personal data on its behalf, and add the necessary language required by the Shield. All other requirements will apply from the date the company joins the Shield. If a company joins two months after the effective date, i.e. after around September 12, 2016 (depending on how this is calculated), all requirements will apply the day the company joins, and it will not receive the 9-month grace period to comply with contract requirements.
How to Join the Shield
The process for joining the Shield is very similar to the process for joining its predecessor, the Safe Harbor framework. To join the Shield, a US-based company will be required to self-certify to Commerce and comply with the Shield’s requirements. Commerce will begin accepting certifications to the Shield on August 1, 2016. Commerce provides the following 5 steps to meet the requirements for self-certification:
- Eligibility. Any U.S. organization subject to the FTC’s or the DoT’s jurisdiction may participate in the Shield.
- Privacy Statement. Companies that wish to participate must update their Privacy Statement or develop one that complies with the Shield’s requirements.
- Independent Recourse Mechanism. Companies that wish to participate must provide individuals an independent recourse mechanism to investigate unresolved complaints, at no cost to the individuals. They must identify this mechanism in advance, prior to certification.
- Verification Mechanisms. Companies that wish to participate must have procedures in place for verifying compliance. They can use either a self-assessment or an outside/third-party assessment program.
- Designated Contact. Companies that wish to participate must also designate a contact person for inquiries, complaints, access requests, and any other issues relating to the Shield. This can be either the corporate officer that is certifying your company's compliance with the Shield, or another officer within the company, such as the Chief Privacy Officer.
Arent Fox’s Cybersecurity & Data Protection group monitors developments in the data protection field. For more information, please do not hesitate to contact Sarah L. Bruno, Eva J. Pulliam, and Lourdes M. Turrecha.