This note is intended to be a practical guide for US companies who are considering registering for the EU-U.S. Privacy Shield, but is not a full guide to the Privacy Shield. Before self-certifying it is important that any organisation reads the Privacy Shield Principles in full.
Following the invalidation of the Safe Harbour framework by the Schrems decision, a new framework for EU-U.S. personal data transfers was needed. The Privacy Shield Principles were developed as a replacement for Safe Harbour by the US Department of Commerce in consultation with the European Commission, industry and other stakeholders. Compliance with the Privacy Shield Principles is one of a limited range of legal options available to US organisations to justify the receipt and processing of personal data from the EU.
Who can join the Privacy Shield?
US organisations which are under the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) and which process personal data for commercial purposes are allowed to join the Privacy Shield. Note that banks, federal credit unions, telecommunications providers and most non-profit organisations are currently not allowed to join, although this may change in future.
It is important to note that although joining the Privacy Shield is entirely voluntary, once an organisation has joined, its compliance is enforceable under US law.
How do you join the Privacy Shield?
All organisations wishing to join the Privacy Shield must comply with the Privacy Shield Principles found here. Each participating organisation will be required to self-certify annually that they still comply with these requirements.
Before self-certifying with the Privacy Shield each organisation must update or put in place the following:
1. Privacy policy
The organisation's privacy policy must set out:
- the type of personal data processed, the purpose for which the personal data is processed and the third parties to which the personal data is disclosed;
- a statement that the organisation adheres to the Privacy Shield Principles;
- a link to the Privacy Shield website (https://www.privacyshield.gov);
- a link to the website or complaint submission form of the independent recourse mechanism that the organisation is involved with (see below for details);
- the organisation’s data handling practices and the choices which individuals are offered with respect to the processing of their personal data.
2. User choice
To ensure compliance with Principle 2 (Choice), organisations will need to provide users with a clear way of opting out of (1) disclosures of their personal data to independent third parties and (2) uses of their personal data that are "materially different" from the purpose for which it was collected. If the data collected is sensitive personal data (e.g. information relating to medical conditions or health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or the sex life of the individual), then the consent needs to be opt-in rather than opt-out.
3. Other policies
It would also be prudent for organisations to update or introduce policies that deal with the following points required by the Privacy Shield:
- Subject access requests. The organisation will need to ensure that all employees know the appropriate way to respond;
- Complaints handling. The organisation will need to ensure complaints are dealt with effectively and quickly. Any complaint received by an organisation will need to be responded to within 45 days of receipt. Organisations should have a particular person to deal with direct complaints; and
- Data handling. The organisation will need to ensure their data handling policies are up to date, properly implemented and enforced.
4. Recourse mechanism
Under Principle 7 (Recourse, Enforcement and Liability) all participating organisations must provide to all individuals an independent recourse mechanism to investigate complaints, at no cost to the individual. Organisations can choose from the following types of mechanism:
- Private sector dispute resolution programs such as the Council of Better Business Bureaus, American Arbitration Association, JAMS and Direct Marketing Association; or
- The EU data protection authorities’ panel (DPA Panel).
Note that if an organisation is going to be processing HR data transferred from the EU, it must use the DPA Panel as its independent recourse mechanism in relation to the HR data. An organisation that chooses, or is required, to use the DPA Panel must pay an annual fee of US$50 towards the running costs of the DPA Panel.
All organisations wishing to join the Privacy Shield will also need to commit to a binding arbitration service in relation to any complaints that cannot be adequately resolved by the independent recourse mechanism. The binding arbitration service will be the “Privacy Shield Panel”, which will consist of one to three arbitrators as agreed between the parties to the complaint.
5. Verification Mechanism
An organisation must have procedures in place to verify compliance with the Privacy Shield Principles. This can include a self-assessment or third party assessment program. This will have to be repeated on a yearly basis to ensure compliance with the Privacy Shield Principles.
6. Designate a Privacy Shield contact within the organisation
All organisations must have a designated individual contact for the handling of questions, complaints, access requests or any other issues relating to the Privacy Shield.
7. Self-certification process
Self-certification applications can be submitted here.
The applicable fee depends on the organisation’s annual revenue, and ranges from US$250 a year (for up to US$5 million revenue) to US$3,250 a year (for over US$5 billion revenue).
The following information will need to be provided in the application form:
- Corporate information relating to the organisation, including: (1) name and address of the company; (2) the name, job title and contact details of the designated Privacy Shield contact; (3) the name, title and contact details of the corporate officer who has certified the application; and (4) a list of all entities or subsidiaries which the organisation’s self-certification will apply to;
- A description of the organisation’s activities with respect to all personal data received from the EU;
- Which independent recourse mechanism the organisation is involved with;
- Whether the organisation falls under FTC or DOT jurisdiction;
- A list of any privacy programs the organisation is a member of;
- Whether the organisation self-verified or had a third-party compliance review; and
- The organisation’s annual revenue.
Benefits of early registration
The Department of Commerce has recognised that the new Privacy Shield Principles will impact organisations’ existing relationships with third parties. If an organisation self-certifies before 30 September 2016, it will have a nine-month grace period to comply with Principle 3 (Accountability for Onward Transfer) and to resolve any issues arising with the third parties it deals with.