On February 29, 2016, after more than two years of negotiations, the U.S. Department of Commerce released details of how the new EU-U.S. Privacy Shield Program will operate, and the European Commission published a draft Decision on the adequacy of the framework. Across 100+ pages, the Privacy Shield documentation ends the uncertainty that many businesses have faced since the Court of Justice of the European Union invalidated Safe Harbor last October, and it describes in granular detail the measures that organizations wishing to use the Privacy Shield must implement.
Although the core Privacy Shield Principles are similar to the Safe Harbor Privacy Principles, the new Principles go into much greater depth and include seven distinct categories: notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability.
They also include a number of “Supplemental Principles,” which offer more detailed requirements for specific circumstances, such as the transfer of sensitive data, secondary liability, the role of data protection authorities, human resources data, pharmaceutical and medical products, and publicly available data.
The new arrangement imposes stronger obligations on companies in the U.S. to protect the personal data of Europeans, and provides for stronger monitoring and enforcement by the U.S. Department of Commerce and the Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.
Some of the new requirements for companies under the framework include:
- Increased Accountability for Onward Transfers: To transfer personal data to third parties acting as a controller or as an agent, organizations must take steps to ensure that the same level of privacy protection required by the Principles is in place. This can be done through contracts containing required statements that specify and limit the purpose of processing. The Principles are clear that the organization transferring the data remains liable if the contracted processor violates the Principles.
- Individual Complaints: A company has 45 days to respond to an individual complaint, after which the individual may choose among three mechanisms: (1) independent dispute resolution at no cost to the consumer; (2) the local Data Protection Authority (which may be used for customer data and must be used for HR data); and (3) binding arbitration as a last resort, available when the complaint is still unresolved and the individual invokes it. EU citizens are also able to pursue legal remedies through private causes of action, including claims for misrepresentation and similar claims, in U.S. state courts.
Timing for Adoption
The Privacy Shield Principles will come into effect on the date of final approval of the European Commission’s adequacy determination.
The draft adequacy decision has been published and must now be approved under the comitology procedure, which involves an opinion from the Article 29 Working Party, a binding opinion from the EU Member State representatives, and formal adoption of the adequacy decision by the EU College of Commissioners. This final approval process is expected to take a couple of months.
The Privacy Shield may still be subject to future legal challenge, but one of the core goals of the negotiators from both the U.S. Government and the European Commission was to produce a framework sufficiently robust to survive such a challenge.
While regulatory review of the Privacy Shield is underway, companies can begin analyzing the Privacy Shield Principles in light of their own data flows and data protection practices.
Contact your TRUSTe Account representative for a copy of our latest Client Advisory Note “Implementing the EU-U.S. Privacy Shield Framework” and see further details here.