What is the EU-U.S. Privacy Shield?
The EU-U.S. Privacy Shield (the “Privacy Shield”) is a framework designed by the U.S. Department of Commerce and the European Commission to provide companies in the U.S. and in the EU with a means to comply with data protection laws and regulations when transferring personal data between the U.S. and EU member countries. In July 2016, following an earlier EU Court of Justice decision that struck down the previous EU-U.S. Safe Harbor Framework, the European Commission determined that the Privacy Shield was adequate to permit data transfers to the U.S. under EU law.
How does it work?
The Privacy Shield program is administered by the International Trade Administration within the U.S. Department of Commerce. U.S.-based organizations must join the Privacy Shield framework to take advantage of the European Commission’s adequacy determination with respect to covered data transfers. To join the Privacy Shield, the U.S. organization must self-certify to the Department of Commerce via www.privacyshield.gov and commit to comply with the requirements of the Privacy Shield. Once an organization publicly commits to comply with these requirements, the commitment is enforceable under U.S. law.
What are the requirements of the Privacy Shield?
It consists of seven (7) main principles and sixteen (16) supplemental principles, for a total twenty-three (23) principles (the “Privacy Shield Principles”), all of which are equally binding on participating organizations. The Principles set forth the requirements governing participating organizations’ use and treatment of personal data received from the EU through the Privacy Shield and the access and recourse mechanisms that participating organizations must provide to individuals in the EU.
The seven (7) main principles are:
- Accountability for Onward Transfer
- Data Integrity and Purpose Limitation
- Recourse, Enforcement, and Liability
The sixteen (16) supplemental principles are:
- Sensitive Data
- Journalistic Exceptions
- Secondary Liability
- Performing Due Diligence and Conducting Audits
- The Role of the Data Protection Authorities
- Human Resources Data
- Obligatory Contracts for Onward Transfers
- Dispute Resolution and Enforcement
- Choice – Timing of Opt-Out
- Travel Information
- Pharmaceutical and Medical Products
- Public Record and Publicly Available Information
- Access Requests by Public Authorities
What does the self-certification process entail?
To self-certify an organization’s compliance with the Privacy Shield, an organization must provide the following:
Organization name, address, city, state and zip code.
A contact office and the name, title, e-mail address, phone number and fax number of a contact individual within the organization responsible for the handling of complaints, access requests, and any other issues concerning the organization’s compliance with the Privacy Shield.
Identification of all U.S. entities or U.S. subsidiaries of the organization also adhering to the Principles and covered under the organization’s self-certification.
The name, title, e-mail, phone number and fax number of the individual corporate officer certifying the organization’s compliance with the Privacy Shield.
A description of the organization’s activities with respect to all personal data received from the EU in reliance on the Privacy Shield. Note that all affiliated entities of the organization also adhering to the Privacy Shield principles must be listed as well.
If the organization desires for its Privacy Shield commitments to cover personal data other than human resources data, the organization must designate a private sector independent recourse mechanism on an annual basis or may choose to cooperate with the EU Data Protection Authorities (the “DPA”) under the EU-U.S. Privacy Shield framework and have the DPA serve as its independent recourse mechanism. If the organization wishes for its Privacy Shield commitments to cover human resources data, the organization must declare its commitment to cooperate with the EU authority or authorities concerned under the framework in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities and that the organization will comply with the advice given by such authorities.
An indication whether the organization has annual revenue under $5 million, between $5 million – $25 million, between $25 million – $500 million, between $500 million – $5 billion, or over $5 billion. This indication will determine the organization’s self-certification fee.
How is it enforced?
The Privacy Shield is intended to be enforced by both the private sector and the government. One of the requirements of the Privacy Shield is that participating organizations must have an independent recourse mechanism in place that is available to investigate and resolve individual complaints and disputes at no cost to the individual. Participating organizations must also have procedures for verifying their compliance with the Privacy Shield Principles. The independent recourse mechanism may impose sanctions such as publicity for findings of non-compliance and deletion of data in appropriate circumstances, suspension and removal of a seal, compensation for individuals for losses incurred as a result of non-compliance and injunctive awards. If a participating organization fails to comply with the rulings of its independent recourse mechanism, the independent recourse mechanism must notify the governmental body with applicable jurisdiction or the courts, as appropriate, and the Department of Commerce.
The Federal Trade Commission has expressed its commitment to enforce the EU-U.S. Privacy Shield to the European Commission. Under the Federal Trade Commission Act, an organization’s failure to abide by commitments to implement the Privacy Shield Principles may be challenged as a deceptive trade practice. The Federal Trade Commission has the power to prohibit such misrepresentations through administrative orders or by seeking court orders. Violations of such administrative orders can lead to civil penalties of up to $40,000 per violation or $40,000 per day for continuing violations as of August 1, 2016.
If a participating organization repeatedly fails to comply with the Privacy Shield Principles, it is not entitled to benefit from the Privacy Shield. Repeated failure to comply with the Privacy Shield Principles arises when an organization that has self-certified to the Department of Commerce refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution, or governmental body, or where such a body determines that an organization frequently fails to comply with the Privacy Shield Principles to the point where its claim to comply is no longer credible. Such organizations will be removed from the Privacy Shield list by the Department of Commerce and must return or delete the personal information they received under the Privacy Shield.
For more information on this topic, contact your Cybersecurity & Data Privacy counsel at Smith, Gambrell & Russell, LLP.