Out-Law Analysis 6 min. read
25 Jul 2016, 3:08 pm
From 1 August the Privacy Shield will allow US businesses to self-certify their compliance with a set of privacy principles and, as a result, transfer personal data from the EU to the US in line with EU data protection law requirements.
Businesses adopting the principles are bound by them from the moment of self-certification. However, a time-limited exception applies in the case of principles relevant to the onward transfer of personal data.
In practice it means that businesses can sign up to the Privacy Shield and then retrospectively update contracts with third parties which involve the sharing of personal data so that those contracts correspond with the Privacy Shield requirements.
The Privacy Shield basics
The Privacy Shield is a framework for facilitating EU-US data flows and replaces the Safe Harbour scheme which was invalidated by the Court of Justice of the EU in October 2015.
The substance of the framework was negotiated by the European Commission and the US Department of Commerce. It includes a set of privacy principles against which businesses self-certify their compliance, together with a range of additional commitments from the US government, including with regard to the extent of US authorities' powers of mass surveillance and bulk data collection and in relation to EU citizens' rights to redress.
The European Commission, via a so-called adequacy decision (44-page / 479KB PDF), has deemed that EU-US data transfers handled in line with the Privacy Shield's requirements will comply with the EU's Data Protection Directive.
The Commission's view does not preclude EU data protection authorities from investigating data transfer arrangements set up to accord with the Privacy Shield or from making an infringement finding, or privacy campaigners from raising a challenge against the Commission's adequacy decision before the courts.
The self-certification process
Businesses can self-certify their compliance with the Privacy Shield's privacy principles from 1 August 2016. Privacy Shield businesses must re-certify annually.
The US Department of Commerce (DoC) has published a guide to self-certification under the Privacy Shield (5-page / 299KB PDF).
Only companies that are subject to the jurisdiction of the US Federal Trade Commission (FTC) or the Department of Transportation (DOT) can sign up to the Privacy Shield, meaning many US banks or telecoms companies will be unable to rely on the Privacy Shield for underpinning EU-US data transfers.
To self-certify compliance with the Privacy Shield businesses must make a submission to the DoC. The DoC is responsible for publishing and maintaining a list of all organisations that self-certify.
Prior to self-certifying, businesses must develop a privacy policy that conforms to the Privacy Shield privacy principles. The privacy policy must be made publicly available, which in most cases will involve posting the policy on the company website.
The policy itself must explicitly include a statement confirming that the company adheres to the Privacy Shield privacy principles. It must also include a link to the Privacy Shield website and a further link to the website or complaint submission form of the EU data protection authority or independent US complaints-handling body appointed to help resolve disputes.
The company must verify that the privacy policy is effective prior to self-certification.
The DoC said that the privacy policy "should reflect your organisation’s information handling practices and the choices your organisation offers individuals with respect to the use and disclosure of their personal information". It said the policy should be "clear, concise, and easy to understand".
The Privacy Shield privacy principles
There are seven main privacy principles (104-page / 1.52MB PDF) and 16 supplemental principles.
Many of the principles that are set out under the Privacy Shield are similar to those that applied under the Safe Harbour framework. Privacy Shield companies have obligations in relation to 'notice' and 'choice', for example.
In practice, this means, among other things, that they need to tell data subjects for what purpose they are collecting and using their personal information, what type of companies they might share that data with and for what purpose, and offer those people the right to opt out of their data being shared with third parties or being used for "materially different" purposes than those notified at the time their data was gathered.
Data security obligations are also set out – measures must be implemented that are commensurate with the security risks involved in the data processing and the nature of the personal data.
Privacy Shield companies must also ensure their personal data records are accurate, that they store the information only for as long as it serves a purpose of processing, and hand over copies of the data they hold about EU citizens when requested to do so by those people.
Among the main changes is a new requirement that Privacy Shield companies have to respond to complaints from EU citizens about their handling of personal data within 45 days. Privacy Shield companies must designate an independent dispute resolution body, either a data protection authority in the EU or an alternative US-based body, to "address complaints and provide appropriate recourse free of charge to the individual".
Onward transfers
Also included in the Privacy Shield are principles relating to the onward transfer of personal data. These principles apply where businesses signed up to the Privacy Shield will pass on data from the EU to third parties.
Where businesses signed up to the Privacy Shield will pass on data from the EU to third-party data controllers, they must put in place a contract with the organisations with whom they are sharing the data. The recipient data controller does not need to be signed up to the Privacy Shield. Nor does it need to have "an independent recourse mechanism", so long as it has "an equivalent mechanism" for complaint handling.
The contracts must provide "for the same level of protection as is available under the Privacy Shield" when data is onward transferred. They must also require the recipients of data to process the data being shared only "for limited and specified purposes consistent with the consent provided" by the data subjects.
In addition, the contract must require the recipient data controllers to inform the Privacy Shield adopters if they "can no longer" provide the same level of protection set out in the Privacy Shield principles, and "provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate".
Contracts are not essential between data controllers within a "controlled group of corporations" when the onward transfer of data is envisaged. In their place the businesses can rely on EU binding corporate rules (BCRs), among other "intra-group instruments", to provide for privacy protections in line with those required under the Privacy Shield.
The application of the Privacy Shield principles
Once businesses self-certify, they are immediately bound by the Privacy Shield privacy principles. However, in the early months after the Privacy Shield framework becomes operational, a grace period for compliance with the onward transfer requirements will apply "where an organisation self-certifying to the Privacy Shield already has pre-existing commercial relationships with third parties".
Companies that sign up to the Privacy Shield between 1 August and 1 October 2016 will have up to nine months from the date of their self-certification to bring existing commercial contracts "into conformity with the [onward transfer] rules".
In its adequacy decision paper the European Commission said: "During this interim period, the organisation must apply the notice and choice Principle (thus allowing the EU data subject an opt-out) and, where personal data is transferred to a third party acting as an agent, must ensure that the latter provides at least the same level of protection as is required by the principles."
"This transitional period provides a reasonable and appropriate balance between the respect for the fundamental right to data protection and the legitimate needs of businesses to have sufficient time to adapt to the new framework where this also depends on their commercial relationships with third parties," it said.
Enforcement
Although participation in the Privacy Shield is voluntary, businesses that self-certify compliance with the framework's privacy principles take on commitments that are enforceable under US law, and are subject to potential compliance monitoring and enforcement action by the US Federal Trade Commission (FTC), the Department of Transportation (DOT) or another enforcement body.
In a letter that forms part of the US' commitment to overseeing compliance with the Privacy Shield framework, Edith Ramirez, chair of the FTC, vowed to engage in "vigorous enforcement" of the Privacy Shield.
Among other things, Ramirez committed to tackling "false or deceptive Privacy Shield membership claims" and acting on referrals from EU data protection authorities.
The FTC has powers to fine businesses subject to its jurisdiction that breach US data privacy laws, including the requirements of the Privacy Shield.
Cerys Wyn Davies is a data protection law expert at Pinsent Masons, the law firm behind Out-Law.com.