«Houston, we have a problem.» This is the most likely first reaction of many EU-US Safe Harbor certified organizations when on October 6, 2015, the European Court of Justice (ECJ) struck down the Safe Harbor Program. Many organizations, including NGA Human Resources, had relied on this to safely transfer data between the EU to the US.
On July 12, 2016, after three years of working with the US Department of Commerce, the European Commission announced the EU-US Privacy Shield program, the official replacement for Safe Harbor.
1. Strong Obligations for Companies’ Handling of EU Citizens’ Data
2. Clear Safeguards and Transparency Obligations for US Government Agency Access
3. New Redress and Complaint Resolution Mechanisms for EU Citizens
Effective in Europe as of July 12, the Privacy Shield became fully operational in the US as of August 1, when all US organizations were invited to sign-up to its Principles.
In order to rely on the Privacy Shield to effectuate transfers of personal data from the EU to the US, an organization must self-certify adherence to the Principles to the Department of Commerce.
3. Accountability for Onward Transfer
5. Data Integrity and Purpose Limitation
7. Recourse, Enforcement & Liability
2. Sensitive Data
3. Journalistic Exceptions
4. Secondary Liability
5. Performing Due Diligence and Conducting Audits
6. The Role of the Data Protection Authorities
9. Human Resources Data
10. Obligatory Contracts for Onward Transfers
11. Dispute Resolution and Enforcement
12. Choice – Timing of Opt-Out
13. Travel Information
14. Pharmaceutical and Medical Products
15. Public Record and Publicly Available Information
16. Access Requests by Public Authorities
These supplemental principles apply depending on an organization’s background and market.
Privacy Shield is not a data transfer program built from scratch. It extends the body of Safe Harbor. There are significant differences that make the Privacy Shield more adequate to meet the needs of ever more complex data security.
If you are Safe Harbor certified, it is straightforward to certify under the Privacy Shield framework. It is based on reviewed and re-enforced principles.
The main steps to be followed include:
Under this principle, organizations are obliged to provide information to the individuals whose data is being sent from the EU and processed in the US.
Information provided includes the type of data collected, the purpose of processing, the right of access and choice, conditions for onward transfer of data and liability.
2 Data Integrity and Purpose Limitation
Under this principle, data must be limited to what is relevant for the purpose of processing. An organization may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.
Data may be retained in a form identifying or rendering an individual identifiable only for as long as it serves the purpose(s) for which it was initially collected or authorized.
This principle has some special interpretation when it comes to the context of processing it for archiving purposes in the public interest, journalism, literature and art, scientific and historical research and statistical analysis.
Where a new (changed) purpose is materially different, but still compatible with the original purpose, this principle gives the data subjects the right to object (opt-out).
This does not supersede the express prohibition on incompatible processing. There are special rules on opt-out “at any time” for personal data used for direct marketing.
In case of sensitive personal data, the organization must obtain the affirmative express consent (opt-in).
Creating, maintaining, using or disseminating personal data must take “reasonable and appropriate” security measures under this principle, taking into account the risks involved in the processing and the nature of the data (in the context of likability and impact).
When sub-processing the data, organizations must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the Principles and take steps to ensure its proper implementation.
Under this principle, the individual has the right, without need for justification, and only against a non-excessive fee, to obtain confirmation of whether an organization is processing personal data related to him/her and have it communicated within reasonable time.
Organizations should answer these requests concerning the purpose of processing, categories of data processed, and the recipients or categories of recipients to whom the data is disclosed.
Individuals must be able to correct, amend or delete personal information where it is inaccurate or has been processed in violation of the Principles.
6 Recourse, Enforcement and Liability
Organizations must provide a robust mechanism to ensure compliance with the other Principles and recourse for EU data subjects whose personal data is being, or has been, processed in a non-compliant manner, including effective remedies.
An organization must annually re-certify and take measures that their privacy policies conform to the Principles and are in fact compliant.
This can be achieved either through a system of self-assessment (incl. internal procedures and employee training) and periodic compliance reviews or an outside compliance review.
An organization must put into place an effective redress mechanism to dealt with any complaints and be subject to the investigatory and enforcement powers or the FTC or another authorized statutory body.
7 Accountability for Onward Transfers
Any onward transfer can only take place;
(i) for limited and specified purposes
(ii) on the basis of a contract (or comparable arrangement within a corporate group like intra-group compliance program that ensures the protection of personal information under the Principles)
(iii) only if that contract provides the same level of protection as the one guaranteed by the Principles.
This may only be limited to the extent necessary to meet national security, law enforcement and other public interest purposes.
The obligation to provide the same level of protection as required by the Principles applies as well as when the original third party recipient itself transfers those data to another third party recipient.
If the third party cannot longer ensure compliance with the Privacy Shield Principles, this must be notified to the Privacy Shield organization.
An official fact sheet can be found here: Learn More About the EU-U.S. Privacy Shield
Disclaimer: This article is purely of informative nature and does not constitute legal advice. You should always seek independent legal advice for more information on the EU-US Privacy Shield Framework and the impact it has on your organization.