While many companies located in the US welcomed the announcement of the EU-US Privacy Shield program (or the “Program”) as a replacement to the now defunct Safe Harbor, criticisms regarding the Program details emerged before many had time to digest and evaluate the Program changes. These criticisms highlight that the Program is subject to the same surveillance activities which led to Safe Harbor’s demise. Over the coming weeks, companies will monitor efforts in Europe and in the US to make the Program a reality and evaluate their participation in the Program should it become available. While the EU-US Privacy Shield program is intended to significantly enhance data protection guarantees over Safe Harbor, time will tell whether companies find the Program aligns with their business objectives and compliance management strategies.
The EU-US Privacy Shield program must be approved by the European Parliament before it is available to companies. European Data Protection Authorities are currently reviewing a draft “adequacy” determination for the Program, a critical requirement to ensure “adequate” data protection guarantees for European citizens when their Personal Data is transferred into the United States. Similar preparations are ongoing in the US. The Judicial Redress Act has now been passed into law, providing European citizens with the right to sue the US government for data protection infringements resulting from surveillance activities by US intelligence agencies. Additionally, the State Department will appoint a Privacy Ombudsman to address data protection complaints by European citizens and liaise with European Data Protection Authorities in pursuit of such matters. Letters demonstrating commitments to ensuring data protection have also been delivered to European regulators from the Office of the Director of National Intelligence, the Departments of State, Commerce and Transportation, as well as the Federal Trade Commission.
Evaluating Participation in the EU-US Privacy Shield Program
Ultimately, companies must determine whether participating in the Program is advantageous over relying upon other “adequate” cross-border transfer mechanisms, especially in relation to their efforts to address risk since Safe Harbor’s demise and in advance of the European General Data Protection Regulation coming into force. These evaluations will include reviewing the Program details against other lawful cross-border transfer mechanisms, their business objectives and existing compliance strategies. Review efforts will likely also include evaluating the regulatory enforcement risks associated with the public disclosure of their privacy practices and the practical implications of participating in the Program. For example, companies will assess whether they can leverage the Program across their business activities, how readily they can align third parties with the Program requirements, and whether their participation in the Program represents an additional, perhaps even duplicative, compliance burden.
When conducting these evaluations, companies must consider the following changes under the EU-US Privacy Shield, beyond the rights and obligations prescribed under the Safe Harbor principles.
Notice – significant enhancements to the company’s public disclosures regarding its privacy practices, which are subject to scrutiny and enforcement by the Federal Trade Commission. These changes also align the public disclosures with the General Data Protection Regulation, including enhanced notice, transparency for processing, support for redress by Data Subjects and the company’s accountability for its processing operations.
Choice – additional choices are to be made available to Europeans in relation to sharing information with third parties (other than service providers), and affirmative express consent must be obtained from Data Subjects before sensitive personal data is shared with third parties or used for secondary purposes.
Accountability for Onward Transfer – transferring Personal Data to third-party agents now includes specific obligations to perform due diligence and ensure such parties can reasonably comply with the Program principles before sharing information. Companies must also limit the third party’s use of information to authorized purposes only, via contracts, and are accountable for taking reasonable and appropriate steps to stop and remediate any unauthorized processing by such third parties.
Security – security measures must be “appropriately” implemented to address identified risks to the processing and the nature of the Personal Data involved. Note: companies in the US are already generally required to implement reasonable security measures based on identified risks.
Data Integrity and Purpose Limitation – companies are required to take reasonable steps to ensure Personal Data is reliable and to adhere to the principles for as long as they retain Personal Data obtained under the Program.
Access – access rights for individuals have been expanded to Data Subjects who believe their Personal Data was processed in violation of the Principles.
Recourse, Enforcement and Liability – companies must now expeditiously resolve disputes, manage their internal compliance efforts, cooperate with European Data Protection Authorities when handling Human Resources data, agree to specific arbitration mechanisms, consider themselves directly liable for third-party errors and make their records public during compliance investigations.
9th March 2016
Authored by Chris Field, Corporate Privacy Director at Harte Hanks
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.