An Overview of the New Privacy Shield Framework for Certifying Organizations
The new Privacy Shield program is now effective for companies that complete the self-certification process with the U.S. Department of Commerce (the “Commerce Department”).
Organizations began certifying as of August 1, 2016. The Commerce Department has provided a public website for application to the Privacy Shield program: https://www.privacyshield.gov/welcome (the “Privacy Shield Website”). The organizations that have completed self-certification and are posted by the Commerce Department are listed here: https://www.privacyshield.gov/list (the “Privacy Shield List”).
The documentation for the Privacy Shield is formally attached as Annexes to the Commission Implementing Decision of July 7, 2017, which includes the terms of the Privacy Shield program and the commitment letters of the various U.S. executive agencies (the attachments being referred to as the “Privacy Shield documentation,” with the covering Commission Implementing Decision being referred to as the “Commission Implementing Decision”).
The following summary under this “Overview” is based on the express text of the Privacy Shield documentation and in some cases excerpts language from it.
The Privacy Shield is based on a system of self-certification through which U.S. organizations commit to a set of privacy principles: the EU-US Privacy Shield Framework Principles (the “Framework Principles”), including the Supplemental Principles (the “Supplemental Principles”) (which together make up the “Principles”).
The Framework Principles are organized into these main categories, each with specific sets of examples and requirements:
- Accountability for Onward Transfer;
- Data Integrity and Purpose Limitation;
- Access; and
- Recourse, Enforcement and Liability.
The complete list of elements comprising the Principles is set out in Annex II to the Commission Implementing Decision (“Annex II”). The Principles apply solely to the self-certified U.S. companies processing personal data under the program, and do not supersede any specific EU legislation or member state legislation that may be applicable to it (one example being human resources data transferred in the context of an employment relationship).
The following sets forth a summary of such Principles as contained therein, and committed to under the Framework.
Notice Principle
An organization must inform individuals about:
- its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List;
- the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles;
- its commitment to subject all personal data received from the EU in reliance on the Privacy Shield to the Principles;
- the purposes for which it collects and uses personal information about them;
- how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints;
- the type or identity of third parties to which it discloses personal information, and the purposes for which it does so;
- the right of individuals to access their personal data;
- the choices and means the organization offers individuals for limiting the use and disclosure of their personal data;
- the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by data protection authorities (DPAs), (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States;
- being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body;
- the possibility, under certain conditions, for the individual to invoke binding arbitration;
- the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements;
- its liability in cases of onward transfers to third parties.
This notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.
Choice Principle
Individuals must be provided with clear, conspicuous and readily available mechanisms to exercise choice under the Principles.
Opt-out. An individual must have the choice (opt-out) whether to permit personal information disclosure or to permit such information to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual.
Opt-in. In the case of the disclosure of sensitive information to a third party, organizations must obtain affirmative express consent (opt-in) from individuals. Sensitive information is personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual. The opt-in requirement also applies if the information will be used for a purpose other than those for which it was originally collected or subsequently authorized by the individual.
The Choice Principle does not supersede the express prohibition on incompatible processing.
Accountability and Onward Transfer Principle
Pursuant to the express terms of the Privacy Shield, organizations must comply with the Notice and Choice Principles in order to transfer personal information to a third party acting as a controller. Organizations must also enter into a contract with the third party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individuals. Further, the transferee will undertake to provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.
In connection with such transfers to processing agents, certifying organizations must: (1) transfer such data only for a limited and specified purpose; (2) ascertain that the transferee is obligated to provide at least the same level of privacy protection as the Principles; (3) take reasonable and appropriate steps to ensure that the transferee effectively processes the personal information according to the Principles; (4) require the transferee to notify the organization if it makes a determination that it can no longer meet its obligations under the Principles; (5) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (6) upon request, provide a summary or a representative copy of the relevant privacy provisions of its contract to the Commerce Department.
Security Principle
Under the Privacy Shield, organizations creating, maintaining, using or disseminating personal data must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
Data Integrity and Purpose Limitation Principle
In accordance with the Privacy Shield, the collection of personal data must be limited to the information that is relevant for the purposes of processing. Examples provided in the Annex II include: those that reasonably serve customer relations, compliance and legal considerations, auditing, security and fraud prevention, preserving or defending the organization’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection.
An organization may not process personal data in a way that is incompatible with the original purposes for which it has been collected or subsequently authorized by the individual.
To the extent necessary for these purposes, an organization must take reasonable steps to make sure that personal data is reliable for its intended use, and such data is accurate, complete, and current. Information may be retained in a form identifying or making identifiable the individual only for as long as it serves such a purpose.
As defined under Annex II: “In this context, if, given the means of identification reasonably likely to be used (considering among other things, the costs of and the amount of time required for identification and the available technology at the time of the processing) and the form in which the data is retained, an individual could reasonably be identified by the organization or a third party if it would have access to the data, then the individual is identifiable.”
The obligation does not prevent organizations from processing personal data for longer periods, for the time and to the extent that such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis. In these cases the processing remains subject to the Principles and provisions of the framework. Organizations should take reasonable and appropriate measures in complying with this provision.
Access Principle
Individuals must have access to personal information that an organization holds. These individuals have the right to correct, amend or delete that information where it is inaccurate or where such information has been processed in violation of the Principles. An exception to this rule applies where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
Recourse, Enforcement and Liability Principle
Under the Privacy Shield, effective privacy protection must include: “robust mechanisms” for delivering compliance with the Principles; recourse for individuals who are affected by non-compliance with the Principles; and consequences for the organization when the Principles are not followed.
At a minimum such mechanisms shall include, each as so stated in Annex II:
- Readily available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual and by reference to the Principles, and damages are awarded where the applicable law or private sector initiatives so provide;
- Follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and
- Obligations to remedy problems arising out of failure to comply with the Principles by organizations announcing their adherence to them and consequences for such organizations. Sanctions must be sufficiently rigorous to ensure compliance by organizations.
Organizations and their selected independent agents must promptly respond to inquiries and requests by the Commerce Department for information relating to the Privacy Shield. Additionally, all organizations must respond expeditiously to complaints regarding compliance with the Principles referred by the EU member state authorities through the Commerce Department.
Organizations that have chosen to cooperate with data protection authorities, including organizations that process human resources data, must respond directly to such authorities with regard to the investigation and resolution of complaints. Organizations are obligated to arbitrate claims and must follow the arbitration terms set forth in the Privacy Shield documentation, provided that an individual has invoked binding arbitration by delivering notice to the organization at issue, following the procedures and subject to the conditions set out in the arbitration terms.
In the context of onward transfer, a certifying organization has responsibility for the processing of personal data it receives under the program and subsequently transfers to a third party acting as an agent on its behalf. The organization remains liable under the Principles if its agent processes such personal data in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
When an organization becomes subject to an FTC order or court order based on non-compliance, the organization must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.
The Commerce Department has established a dedicated point of contact for data protection authorities for any problems of compliance by certifying organizations. The FTC will give priority consideration to referrals of non-compliance with the Principles from the Commerce Department and EU member state data protection authorities on a timely basis, subject to existing confidentiality restrictions.
In addition to the main Framework Principles presented above, the Privacy Shield includes a set of Supplemental Principles, which in main part provide (with selected text from the original):
- Sensitive Data. In certain defined cases, an organization will not be required to obtain the opt-in with respect to sensitive data, where the processing is: (i) in the vital interests of the data subject or another person; (ii) necessary for the establishment of legal claims or defenses; (iii) required to provide medical care or diagnosis; (iv) carried out in the course of legitimate activities by a foundation, association or any other non-profit body with a political, philosophical, religious or trade-union aim and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data are not disclosed to a third party without the consent of the data subjects; (v) necessary to carry out the organization’s obligations in the field of employment law; or (vi) related to data that are manifestly made public by the individual.
- Journalistic Exceptions. In recognition of the guarantees of the First Amendment under the U.S. Constitution, a balancing of these interests will be required. Specifically, the Privacy Shield Principles will not apply to personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives.
- Secondary Liability. The Privacy Shield does not create secondary liability itself (similar to the Data Protection Directive). Internet Service Providers, telecommunications carriers, and other organizations are not liable under the Privacy Shield Principles when on behalf of another organization they merely transmit, route, switch, or cache information.
- Performing Due Diligence and Conducting Audits. The activities of auditors and investment bankers may involve processing personal data without the consent or knowledge of the individual. This is permitted by the Notice, Choice, and Access Principles where the legitimate interests include: the monitoring of organizations’ compliance with their legal obligations and legitimate accounting activities, and the need for confidentiality connected with possible acquisitions, mergers, joint ventures, or other similar transactions carried out by investment bankers or auditors.
- The Role of the Data Protection Authorities. As part of the Privacy Shield self-certification submission to the Department of Commerce, organizations will implement their commitment to cooperate with the EU data protection authorities. In such case, the organization agrees to comply with certain individual recourse mechanisms and to work with data protection authorities to resolve complaints.
- Verification. Organizations must provide follow-up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and that those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. An organization must verify such attestations and assertions either through self-assessment or outside compliance reviews.
- Access. Under the Privacy Shield Principles, the right of access is fundamental to privacy protection. In particular, it allows individuals to verify the accuracy of information held about them. The Access Principle means that individuals have the right to: (i) obtain from an organization confirmation of whether or not the organization is processing personal data relating to them; (ii) have communicated to them such data so that they could verify its accuracy and the lawfulness of the processing; and (iii) have the data corrected, amended or deleted where it is inaccurate or processed in violation of the Principles.
- Human Resources Data. Where an organization in the EU transfers personal information about its employees (past or present), collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield.
- Obligatory Contracts for Onward Transfer. Three categories of contracts are identified: data processing contracts; transfers within a controlled group of corporations or entities; and transfers between controllers. The Principles adopt specific conditions or considerations tailored to the potential exposure in each of these cases. The Privacy Shield organization remains responsible for compliance with the Principles, while establishing a baseline of responsible practices.
- Dispute Resolution and Enforcement. In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Commerce Department. In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Commerce Department by data protection authorities. The response should address whether the complaint has merit and, if so, how the organization will rectify the problem. The Commerce Department will protect the confidentiality of information it receives in accordance with U.S. law. This Principle addresses in further detail: (i) Recourse Mechanisms; (ii) Remedies and Sanctions; (iii) FTC Actions; and (iv) Persistent Failure to Comply.
- Choice — Timing of Opt-Out. An individual should be able to exercise “opt out” choice of having personal information used for direct marketing at any time subject to reasonable limits established by the organization, such as giving the organization time to make the opt out effective. An organization may use information for certain direct marketing purposes when it is impracticable to provide the individual with an opportunity to opt out before using the information, if the organization promptly gives the individual such opportunity at the same time (and upon request at any time) to decline (at no cost to the individual) to receive any further direct marketing communications and the organization complies with the individual’s wishes.
- Travel Information. Airline passenger reservation and other travel information may be transferred to organizations located outside the EU in several different circumstances, including pursuant to Article 26 of the Data Protection Directive. In all cases, however, the organization transferring the information has to respect the law in the EU Member State in which it is operating, which may inter alia impose special conditions for the handling of sensitive data.
- Pharmaceutical and Medical Products. EU Member State law applies to the collection of the personal data and to any processing that takes place prior to the transfer to the United States. The Privacy Shield Principles apply to the data once they have been transferred to the United States. Data used for pharmaceutical research and other purposes should be anonymized when appropriate. The Principle includes direction for: future scientific research; withdrawal from a clinical trial; transfers for regulatory and supervision purposes; “blinded” studies; product safety and efficacy monitoring; and key-coded data.
- Public Record and Publicly Available Information. It is not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to public record information, as long as it is not combined with non-public record information, and any conditions for consultation established by the relevant jurisdiction are respected. Also, it is generally not necessary to apply the Notice, Choice, or Accountability for Onward Transfer Principles to publicly available information unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. Organizations will have no liability for how such information is used by those obtaining such information from published materials.
- Access requests by Public Authorities. In order to provide transparency in respect of lawful requests by public authorities to access personal information, Privacy Shield organizations may voluntarily issue periodic transparency reports on the number of requests for personal information they receive by public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law.
The Supplemental Principles round out the framework by providing robust enforcement mechanisms, categorizing types of data for special treatment, and establishing structures for maintaining controls, systems and dispute tools on a best-practices basis.
As part of a new, more robust compliance framework, with real transparency and accountability, the Principles work towards focusing the program on information and practices that are relevant to protecting individual rights to privacy and control over personal data.