On July 27, 2016, the Department of Commerce released its Privacy Shield website for U.S. organizations seeking to avail themselves of benefits and protections similar to those previously available under the Safe Harbor program for EU-U.S. data transfers.
Although a number of key policy considerations and requirements from the Safe Harbor program have been carried over to the Privacy Shield Program (the “Program”), best practices dictate that companies consult with an information governance and data privacy law attorney prior to applying. Doing so allows the company to fully assess the new regulatory requirements governing participating organizations’ use and treatment of personal data received from the EU, including, but not limited to, the overarching Program principles and the access and recourse mechanisms that participants must provide to individuals in the EU.
Program principles include, without limitation, notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. Supplemental principles include, without limitation, sensitive data, secondary liability, performing due diligence and conducting audits, the role of the data protection authorities, self-certification, verification, obligatory contracts for onward transfers, dispute resolution and enforcement, choice, publicly available information, and access requests by public authorities.
Organizations should immediately consider: (i) designating a corporate representative with data privacy experience to handle any and all issues related to the Program; (ii) making transparent disclosures regarding to whom personal information is disclosed and how, procedurally, it is disclosed; (iii) the broader definition of “sensitive personal information” and the stricter requirement for “affirmative express consent”; (iv) more robust accountability and documentation requirements (e.g., obligatory contracts with third parties that receive personal data); (v) providing individuals easy access to their own data and a no-cost method by which they can correct or amend it; (vi) ensuring that in-house or outside audits are executed in order to “verify that the attestations and assertions they make about their Privacy Shield privacy practices are true and those practices have been implemented as represented”; (vii) designing, documenting and implementing a dispute resolution process; (viii) committing to cooperate with EU data protection authorities; (ix) implementing the notice and choice principles (first- and third-party); and (x) additional requirements for certain types of information and industries.
Organizations may begin self-certifying as of August 1, 2016. Organizations that self-certify by September 30, 2016 receive a nine-month grace period, running from the date of certification, to bring their existing third-party contracts into conformity with the Program’s onward transfer requirements. Note that compliance will become considerably more burdensome with the European Union’s recent adoption of the General Data Protection Regulation (Regulation (EU) 2016/679), which applies from May 25, 2018.
Organizations that do not presently have procedures in place from a previous certification under the Safe Harbor program are well-advised to get a head start on implementing the Program requirements.
Once an organization publicly commits to comply with the Program principles, that commitment is enforceable under U.S. law. It is anticipated that the U.S. Department of Commerce and the Federal Trade Commission will police the Program aggressively.
The new Privacy Shield website can be accessed here.
HINCH NEWMAN LLP. ADVERTISING MATERIAL. These materials are provided for informational purposes only and are not to be considered legal advice, nor do they create a lawyer-client relationship. No person should act or rely on any information in this article without seeking the advice of an attorney. Information on previous case results does not guarantee a similar future result.