Raise your privacy shield. Your EU-US data is no longer in a safe harbor

by Sascha Schneider CIPP/E

“Houston, we have a problem.” This is the most likely first reaction of many EU-US Safe Harbor certified organizations when on October 6, 2015, the European Court of Justice (ECJ) struck down the Safe Harbor Program. Many organizations, including NGA Human Resources, had relied on this to safely transfer data between the EU to the US.

On July 12, 2016, after three years of working with the US Department of Commerce, the European Commission announced the EU-US Privacy Shield program, the official replacement for Safe Harbor.

The agreement contains three main features:

1. Strong Obligations for Companies’ Handling of EU Citizens’ Data
2. Clear Safeguards and Transparency Obligations for US Government Agency Access
3. New Redress and Complaint Resolution Mechanisms for EU Citizens

Self Certification Required

Effective in Europe as of July 12, the Privacy Shield became fully operational in the US as of August 1, when all US organizations were invited to sign-up to its Principles.

The Privacy Shield consists of the Adequacy Decision of the European Commission, and its pertinent Annexes.

In order to rely on the Privacy Shield to effectuate transfers of personal data from the EU to the US, an organization must self-certify adherence to the Principles to the Department of Commerce.

The Privacy Shield 7 mandatory principles (see more detail further on):

1. Notice
2. Choice
3. Accountability for Onward Transfer
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement & Liability

Additional 16 supplemental principles:

1. Access
2. Sensitive Data
3. Journalistic Exceptions
4. Secondary Liability
5. Performing Due Diligence and Conducting Audits
6. The Role of the Data Protection Authorities
7. Self-Certification
8. Verification
9. Human Resources Data
10. Obligatory Contracts for Onward Transfers
11. Dispute Resolution and Enforcement
12. Choice – Timing of Opt-Out
13. Travel Information
14. Pharmaceutical and Medical Products
15. Public Record and Publicly Available Information
16. Access Requests by Public Authorities

These supplemental principles apply depending on an organization’s background and market.

Privacy Shield vs Safe Harbor

Privacy Shield is not a data transfer program built from scratch. It extends the body of Safe Harbor. There are significant differences that make the Privacy Shield more adequate to meet the needs of ever more complex data security.

  • Strong obligations put on organizations that decide to sign-up, and a robust enforcement mechanism of the supervisory authority in the case of non-compliance including sanctions and exclusion from the program
  • Safeguards and transparency obligations on access to US Government data that was transferred from the Privacy Shield. The US government has provided written assurance from the Director of the National Intelligence, assuring that any access by public authorities for national security purposes will be subject to clear limitations, safeguards and review mechanisms
  • The Secretary of State has committed to the creation of an Ombudsman to facilitate redress for European citizens. This Ombudsman will be independent
  • Complaints from European citizens must be resolved within 45 days, and free of charge for the individuals
  • Alternative Dispute Resolution mechanisms (which can be EU or US based) are available for individuals, who can go directly to relevant national EU Data Protection Authority.
  • An annual joint review mechanism between the US and the EU has been established to ensure the ongoing relevance of the Privacy Shield.

What do you do Next?

If you are Safe Harbor certified, it is straightforward to certify under the Privacy Shield framework. It is based on reviewed and re-enforced principles.

The main steps to be followed include:

  • Review and Update your Privacy Policy. If you’ve signed up to Privacy Shield, this must be reflected in you organization’s Privacy Policy
  • Set-up Opt-In / Opt-Out. Opt-out solution applies to personal data; opt-in solution must be put in place for sensitive personal data processing
  • Third party contracts must reflect the Privacy Shield Principles
  • Alternative Dispute Resolution (ADR) when signed up to the Privacy Shield, you must have an independent third-party recourse mechanism, or commit to cooperate with the EU DPAs. The ADR needs to be clearly identified to all individuals on the company website, with the relevant links including to the Privacy Shield website.
  • When signing up to Privacy Shield, you must detail if; only customer data is send under the Privacy Shield; both customer and HR data is send to the US. The Privacy Shield has a supplemental principle for Human Resources data within the context of an employer-employee relationship.
  • Determine if the Federal Trade Commission or the Department of Transportation is the regulating authority of the US organization, having the jurisdiction to hear any claims against the organization.

The 7 Privacy Shield Principles in more detail

1 Notice
Under this principle, organizations are obliged to provide information to the individuals whose data is being sent from the EU and processed in the US.

Information provided includes the type of data collected, the purpose of processing, the right of access and choice, conditions for onward transfer of data and liability.

Organizations must make public their privacy policy (reflecting the Principles) and provide links to the Department of Commerce’s website, the Privacy Shield List and the Alternative Dispute Resolution Provider.

2 Data Integrity and Purpose Limitation
Under this principle, data must be limited to what is relevant for the purpose of processing. An organization may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.

Data may be retained in a form identifying or rendering an individual identifiable only for as long as it serves the purpose(s) for which it was initially collected or authorized.

This principle has some special interpretation when it comes to the context of processing it for archiving purposes in the public interest, journalism, literature and art, scientific and historical research and statistical analysis.

3 Choice
Where a new (changed) purpose is materially different, but still compatible with the original purpose, this principle gives the data subjects the right to object (opt-out).

This does not supersede the express prohibition on incompatible processing. There are special rules on opt-out “at any time” for personal data used for direct marketing.

In case of sensitive personal data, the organization must obtain the affirmative express consent (opt-in).

4 Security
Creating, maintaining, using or disseminating personal data must take “reasonable and appropriate” security measures under this principle, taking into account the risks involved in the processing and the nature of the data (in the context of likability and impact).

When sub-processing the data, organizations must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the Principles and take steps to ensure its proper implementation.

5 Access
Under this principle, the individual has the right, without need for justification, and only against a non-excessive fee, to obtain confirmation of whether an organization is processing personal data related to him/her and have it communicated within reasonable time.

Organizations should answer these requests concerning the purpose of processing, categories of data processed, and the recipients or categories of recipients to whom the data is disclosed.

Individuals must be able to correct, amend or delete personal information where it is inaccurate or has been processed in violation of the Principles.

6 Recourse, Enforcement and Liability
Organizations must provide a robust mechanism to ensure compliance with the other Principles and recourse for EU data subjects whose personal data is being, or has been, processed in a non-compliant manner, including effective remedies.

An organization must annually re-certify and take measures that their privacy policies conform to the Principles and are in fact compliant.

This can be achieved either through a system of self-assessment (incl. internal procedures and employee training) and periodic compliance reviews or an outside compliance review.

An organization must put into place an effective redress mechanism to dealt with any complaints and be subject to the investigatory and enforcement powers or the FTC or another authorized statutory body.

7 Accountability for Onward Transfers
Any onward transfer can only take place;

(i) for limited and specified purposes

(ii) on the basis of a contract (or comparable arrangement within a corporate group like intra-group compliance program that ensures the protection of personal information under the Principles)

(iii) only if that contract provides the same level of protection as the one guaranteed by the Principles.
This may only be limited to the extent necessary to meet national security, law enforcement and other public interest purposes.

The obligation to provide the same level of protection as required by the Principles applies as well as when the original third party recipient itself transfers those data to another third party recipient.

If the third party cannot longer ensure compliance with the Privacy Shield Principles, this must be notified to the Privacy Shield organization.

An official fact sheet can be found here: Learn More About the EU-U.S. Privacy Shield

Disclaimer: This article is purely of informative nature and does not constitute legal advice. You should always seek independent legal advice for more information on the EU-US Privacy Shield Framework and the impact it has on your organization.