How to Comply with the EU – US Privacy Shield
The newly announced EU-U.S. Privacy Shield is a set of 7 principles (rules) for the protection and transfer of personal data between companies based in the United States and the European Union. It is fairly well known that the EU (and many other countries) have stronger privacy protections for their citizens than does the U.S., and so U.S.-based businesses wishing to do business with companies and individuals based in EU countries need to have data protection mechanisms and policies in place which provide a level of protection for personally identifiable information (PII) that measures up to the EU’s requirements. They also need to be able to demonstrate that they have these measures in place.
(Note: Whether or not you choose to comply with, and certify as being compliant with, the EU-US Privacy Shield, you must still comply with international email marketing and anti-spam laws.)
As the European Commission explains in discussing the new EU-US Privacy Shield, “The EU-U.S. Privacy Shield imposes stronger obligations on U.S. companies to protect Europeans’ personal data. It reflects the requirements of the European Court of Justice, which ruled the previous Safe Harbour framework invalid. The Privacy Shield requires the U.S. to monitor and enforce more robustly, and cooperate more with European Data Protection Authorities. It includes, for the first time, written commitments and assurance regarding access to data by public authorities.”
In theory, if not yet in practice, EU-based organizations will only transfer personal data to U.S.-based companies that are certified as being compliant with the Privacy Shield, and who are on the list of Privacy Shield-certified organizations being maintained by the U.S. Department of Commerce (more on that below).
The new Privacy Shield is based on 7 guiding principles, each of which is explained in the “How to Comply” section below. The 7 guiding principles of the EU-US Privacy Shield are:
- Notice
- Data Integrity and Purpose Limitation
- Choice
- Security
- Access
- Recourse, Enforcement and Liability
- Accountability for Onward Transfer
U.S.-based companies that meet all of the requirements of the 7 principles of the Privacy Shield can be certified as being compliant with the EU-U.S. Privacy Shield. You must self-certify through the Department of Commerce’s PrivacyShield.gov website, at which time you will be added to the list of companies that are compliant with the Privacy Shield (the “Privacy Shield List”).
ISIPP can also help you ensure that you are compliant, and certify you in addition to the self-certification that you will do with the government. (For information about how and why to have us certify you as being compliant with the EU-U.S. Privacy shield, contact us here.)
It is critical to understand that the act of self-certifying that you are Privacy Shield compliant brings you and your company under a legal obligation to be compliant, and you and your company can be subject to enforcement action under U.S. law (by the FTC, or the Department of Transportation for the organizations it regulates) for failure to be, and to continue to be, compliant.
Here is the bottom line of what you need to do to comply with the directives of the EU/US Privacy Shield. Note that this is a baseline, simplified list, and that each item may have (and in fact almost certainly does have) additional requirements that need to be reviewed in order to ensure that you are fully compliant (again, we can help you with that). Also note that we are an Internet and email policy organization, so this “how to comply” list is from the perspective of compliance for the email addresses and associated data that you collect, and to which you send email. The points are the same if you collect other data, but what you will need to do to be in compliance with these points may be different.
Below this “How to comply with the Privacy Shield” section is more detailed information from both the U.S. Department of Commerce and the European Commission.
How to Comply with the EU-US Privacy Shield
Notice Principle Requirement
You must publish a privacy policy that reflects the Privacy Shield principles and tells individuals what types of personal data you collect, the purposes for which you use it, their right of access and choice, the conditions under which you make onward transfers to third parties (and your liability for them), that you may be required to disclose personal data in response to lawful requests by public authorities, and which enforcement authority has jurisdiction over your compliance. The policy must also link to the Department of Commerce’s Privacy Shield website, to the Privacy Shield List, and to your independent dispute resolution provider.
Data Integrity and Purpose Limitation Principle Requirement
Limit the collection of personal information to only what you actually need for the purpose for which it was collected, keep it accurate, complete and current, and do not keep it in identifiable form for longer than that purpose requires.
Choice Principle Requirement
Under CAN-SPAM it is never OK to repurpose someone’s email address (i.e. to take it from one mailing list and put it on another), but under the Privacy Shield this concept also applies more generally and broadly to the altering of the purpose for which you are using someone’s data. If you are going to use their data for any purpose not substantially similar to the purpose for which they originally gave you their data, or disclose it to a third party, you must inform them and provide them with the choice of opting out. For sensitive data (for example health, religious or political information) you must instead obtain their affirmative express consent (opt in).
Security Principle Requirement
You must provide reasonable and appropriate security measures for the personal data, taking into account the risks involved in the processing and the nature of the data, including in terms of storage security and transmission security.
Access Principle Requirement
If someone asks you whether you have their personal data, or asks to see the personal data of theirs which you hold, you must provide them with access – without making them jump through unnecessary hoops or charging them unreasonable fees – to allow them to confirm, correct, amend, or delete that data.
Recourse, Enforcement and Liability Principle Requirement
You must provide a free, independent recourse mechanism for complaints, respond to complaints within 45 days, agree to binding arbitration where other mechanisms have failed, re-certify annually, and disclose on your site, with links to the relevant information, any Privacy Shield enforcement actions to which you are a party.
Accountability for Onward Transfer Principle Requirement
Ensure that you do not transfer any personal data to any third party without first ensuring that the third party is also obligated to provide the same level of protection as the Privacy Shield principles. If the third party is acting as a ‘controller’ (it decides for itself how the data will be used), you must have a contract in place obligating it to adhere to the principles of the Privacy Shield and spelling out that the data can only be used for limited, specified purposes consistent with the individual’s consent. If the third party is acting as your ‘agent’ (for example, processing or storing the data on your behalf), you must likewise transfer the data only for limited and specified purposes, contractually require the agent to provide at least the same level of protection as the principles, and take reasonable steps to make sure it actually does so.
Again, EU-US Privacy Shield certification is a self-certification system; if you choose to be EU-U.S. Privacy Shield certified, you must self-certify with the Department of Commerce that you are compliant, and from that moment forward you will be legally liable, and subject to U.S. law, if you become non-compliant.
Here is how the U.S. Department of Commerce explains what a company must do to adhere to some of the principles:
1. Informing individuals about data processing
A participant must inform individuals of their rights to access their personal data, the requirement to disclose personal information in response to lawful requests by public authorities, which enforcement authority has jurisdiction over the organization’s compliance with the Framework, and the organization’s liability in cases of onward transfer of data to third parties.
2. Providing free and accessible dispute resolution
Individuals may bring a complaint directly to a Privacy Shield participant, and the participant must respond to the individual within 45 days.
Privacy Shield participants must provide, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved.
If an individual submits a complaint to a data protection authority (DPA) in the EU, the Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days.
Privacy Shield participants must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
3. Cooperating with the Department of Commerce
Privacy Shield participants must respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework.
4. Maintaining Data Integrity and Purpose Limitation
Privacy Shield participants must limit personal information to the information relevant for the purposes of processing. Privacy Shield participants must comply with the new data retention principle.
5. Ensuring accountability for data transferred to third parties
To transfer personal information to a third party acting as a controller, a Privacy Shield participant must:
- Comply with the Notice and Choice Principles; and
- Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.
To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:
- Transfer such data only for limited and specified purposes;
- Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
- Require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
- Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
6. Transparency related to enforcement actions
Privacy Shield participants must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.
7. Ensuring commitments are kept as long as data is held
If an organization leaves the Privacy Shield Framework, it must annually certify its commitment to apply the Principles to information received under the Privacy Shield Framework if it chooses to keep such data or provide adequate protection for the information by another authorized means.
Here is what the European Commission has to say about these 7 principles. You can read the full details from which the below has been excerpted at the EU Commission Privacy Shield Adequacy Decision.
1. Notice Principle
Under the Notice Principle, organisations are obliged to provide information to data subjects on a number of key elements relating to the processing of their personal data (e.g. type of data collected, purpose of processing, right of access and choice, conditions for onward transfers and liability). Further safeguards apply, in particular the requirement for organisations to make public their privacy policies (reflecting the Principles) and to provide links to the Department of Commerce’s website (with further details on self-certification, the rights of data subjects and available recourse mechanisms), the Privacy Shield List, and the website of an appropriate alternative dispute settlement provider.
2. Data Integrity and Purpose Limitation Principle
Under the Data Integrity and Purpose Limitation Principle, personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject.
Still under the Data Integrity and Purpose Limitation Principle, personal information may be retained in a form identifying or rendering an individual identifiable (and thus in the form of personal data) only for as long as it serves the purpose(s) for which it was initially collected or subsequently authorised. This obligation does not prevent Privacy Shield organisations from continuing to process personal information for longer periods, but only for the time and to the extent such processing reasonably serves one of the following specific purposes: archiving in the public interest, journalism, literature and art, scientific and historical research and statistical analysis. Longer retention of personal data for one of these purposes will be subject to the safeguards provided by the Principles.
3. Choice Principle
Where a new (changed) purpose is materially different but still compatible with the original purpose, the Choice Principle gives data subjects the right to object (opt out). The Choice Principle does not supersede the express prohibition on incompatible processing. Special rules generally allowing for the opt-out “at any time” from the use of personal data apply for direct marketing.
In the case of sensitive data, organisations must normally obtain the data subject’s affirmative express consent (opt in).
4. Security Principle
Under the Security Principle, organisations creating, maintaining, using or disseminating personal data must take “reasonable and appropriate” security measures, taking into account the risks involved in the processing and the nature of the data. In the case of sub-processing, organisations must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the Principles and take steps to ensure its proper implementation.
5. Access Principle
Under the Access Principle, data subjects have the right, without need for justification and only against a non-excessive fee, to obtain from an organisation confirmation of whether such organisation is processing personal data related to them and have the data communicated within reasonable time. This right may only be restricted in exceptional circumstances; any denial of, or limitation to the right of access has to be necessary and duly justified, with the organisation bearing the burden of demonstrating that these requirements are fulfilled. Data subjects must be able to correct, amend or delete personal information where it is inaccurate or has been processed in violation of the Principles. In areas where companies most likely resort to the automated processing of personal data to take decisions affecting the individual (e.g. credit lending, mortgage offers, employment), U.S. law offers specific protections against adverse decisions.
These laws typically provide that individuals have the right to be informed of the specific reasons underlying the decision (e.g. the rejection of a credit application), to dispute incomplete or inaccurate information (as well as reliance on unlawful factors), and to seek redress. These rules offer protections in the likely rather limited number of cases where automated decisions would be taken by the Privacy Shield organisation itself.
Nevertheless, given the increasing use of automated processing (including profiling) as a basis for taking decisions affecting individuals in the modern digital economy, this is an area that needs to be closely monitored. In order to facilitate this monitoring, it has been agreed with the U.S. authorities that a dialogue on automated decision-making, including an exchange on the similarities and differences in the EU and U.S. approach in this regard, will be part of the first annual review as well as subsequent reviews as appropriate.
6. Recourse, Enforcement and Liability Principle
Under the Recourse, Enforcement and Liability Principle, participating organisations must provide robust mechanisms to ensure compliance with the other Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. Once an organisation has voluntarily decided to self-certify under the EU-U.S. Privacy Shield, its effective compliance with the Principles is compulsory. To be allowed to continue to rely on the Privacy Shield to receive personal data from the Union, such organisation must annually re-certify its participation in the framework. Organisations must also take measures to verify that their published privacy policies conform to the Principles and are in fact complied with. This can be done either through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the organisation’s privacy policies and that compliance is periodically reviewed in an objective manner, or outside compliance reviews, the methods of which may include auditing or random checks. In addition, the organisation must put in place an effective redress mechanism to deal with any complaints, and be subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or another U.S. authorised statutory body that will effectively ensure compliance with the Principles.
Special rules apply for so-called “onward transfers”, i.e. transfers of personal data from an organisation to a third party controller or processor, irrespective of whether the latter is located in the United States or a third country outside the United States (and the Union). The purpose of these rules is to ensure that the protections guaranteed to the personal data of EU data subjects will not be undermined, and cannot be circumvented, by passing them on to third parties. This is particularly relevant in more complex processing chains which are typical for today’s digital economy.
7. Accountability for Onward Transfer Principle
Under the Accountability for Onward Transfer Principle, any onward transfer can only take place (i) for limited and specified purposes, (ii) on the basis of a contract (or comparable arrangement within a corporate group) and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles, which includes the requirement that the application of the Principles may only be limited to the extent necessary to meet national security, law enforcement and other public interest purposes. This should be read in conjunction with the Notice and, in the case of an onward transfer to a third party controller, with the Choice Principle, according to which data subjects must be informed (among others) about the type/identity of any third party recipient, the purpose of the onward transfer as well as the choice offered and can object (opt out) or, in the case of sensitive data, have to give “affirmative express consent” (opt in) for onward transfers. In the light of the Data Integrity and Purpose Limitation Principle, the obligation to provide the same level of protection as guaranteed by the Principles presupposes that the third party may only process the personal information transmitted to it for purposes that are not incompatible with the purposes for which it was originally collected or subsequently authorised by the individual.