The new Privacy Shield, the successor to the defunct Safe Harbor, was officially approved by E.U. and U.S. officials today. U.S. businesses may start certifying to the Privacy Shield in just a few short weeks on August 1, 2016.
The Privacy Shield sets forth seven primary privacy principles to which companies must certify. The seven primary principles are: Notice; Choice; Security; Data Integrity and Purpose Limitation; Access; Accountability for Onward Transfer; and Recourse, Enforcement and Liability.
The Privacy Shield also includes detailed supplemental principles that address specific topics and types of data, such as terms regarding Sensitive Data, Journalistic Exceptions, Secondary Liability, Performing Due Diligence and Conducting Audits, the Role of the Data Protection Authorities, Self-Certification, Verification, Access, Human Resources Data, Obligatory Contracts for Onward Transfers, Dispute Resolution and Enforcement, Choice (Timing of Opt-Out), Travel Information, Pharmaceutical and Medical Products, Public Record and Publicly Available Information, and Access Requests by Public Authorities.
The Department of Commerce (DOC) is tasked with conducting regular reviews of companies that have certified under the Privacy Shield. Companies that are found to be out of compliance may face sanctions and exclusion from the Privacy Shield list. With oversight from the DOC, the FTC and a new Privacy Shield Ombudsman, individuals whose privacy rights have been violated under the Privacy Shield will have access to various levels of dispute resolution procedures. An individual may first bring a claim directly with the U.S. entity and provide the entity with an opportunity to resolve the claim. If the claim is not resolved within the prescribed time period of 45 days, the individual may seek redress through the entity’s independent recourse mechanism (without any charge to the individual). We expect the same companies that provided recourse dispute resolution services under the Safe Harbor to continue to provide dispute resolution services under the Privacy Shield (for example, TRUSTe, JAMS, and BBBOnline).
If the independent recourse mechanism still does not resolve the matter, the individual may raise the matter to the DOC through the individual’s Data Protection Authority and allow the DOC to resolve the matter within 90 days. If the matter is still not resolved, then as a last resort an individual may invoke their right to binding arbitration, with arbitration rulings reviewable and enforceable in the Federal District Court with jurisdiction over the U.S. entity. With respect to human resources data, companies will be required to cooperate with the EU Data Protection Authorities.
Companies that wish to rely on the Privacy Shield should start carefully reviewing their privacy practices and programs against the Privacy Shield framework and principles. While companies may be able to certify on August 1, 2016, we urge companies to take the time to properly review their privacy practices and programs to conform to the Privacy Shield prior to making their certification. The DOC is committed to robust supervision and will verify that companies are registered with their designated independent recourse mechanisms prior to finalizing a company’s certification. The DOC will search for and take action against companies that falsely claim participation under the Privacy Shield and refer them to the FTC, Department of Transportation or other enforcement agency. Companies will be required to annually self-certify their continued compliance with the Privacy Shield. Even if a company leaves the Privacy Shield, the company will be required to annually recertify its commitment to the Privacy Shield Principles with respect to the data collected under the Privacy Shield (if it retains the data) or to provide another means to establish “adequate” protection. The Privacy Shield will be reviewed annually by the EU Commission and will also need to withstand any potential challenges from EU citizens similar to the court challenge that led to the invalidation of the Safe Harbor. Commentators are already anticipating that challenges to the Privacy Shield will be made within months, although a case challenging the Privacy Shield would likely not be heard until late 2017 at the earliest. We expect that some companies may use a belt-and-suspenders approach by certifying to the Privacy Shield as well as using another adequacy mechanism, such as Model Contracts, for the transfer of personal data to third countries.
We will continue to analyze the new Privacy Shield and publish further updates and guidance as things progress. We are available to help companies and guide them through the certification process under the Privacy Shield.