Visit our web site at www.sunsteinlaw.com

Monday, June 6, 2016

A User’s Guide to the EU-US Privacy Shield

Thomas C. Carey




US companies that rely on seamless receipt of personal data from EU businesses watched in horror as the EU-US Safe Harbor Program was blown up by the EU Court of Justice.
Officials on both sides of the Atlantic have rushed to fill the void.  What emerged, the EU-US Privacy Shield, is a stronger, more demanding set of rules that US companies may follow to avoid enforcement actions from the EU’s data protection authorities (DPAs).
Before it becomes operative, the Privacy Shield must clear a gantlet of regulatory processes that includes review by the EU DPA (which wrapped up on April 13, 2016), the consent of the EU Parliament, and adoption by the European Commission.  This process may be completed as early as June 2016.
The Privacy Shield has vociferous critics in both the US and Europe who remain mistrustful of US intelligence services and their propensity for snooping. On April 13, 2016, this criticism was echoed by the DPAs, who opined that the Privacy Shield is “not acceptable” because it permits mass surveillance of Europeans. But because several governments have invested substantial resources in the development of the Privacy Shield, it is advisable for US businesses that receive personal data from the EU to seriously consider participating in the program and to plan now for that participation.
The Privacy Shield, like the Safe Harbor program, involves self-certification by companies seeking its protection. It is also based upon the principles agreed by the EU countries in 1995 (the Privacy Principles):
  • Notice to the individuals whose data is being transmitted
  • Choice affording the individual the opportunity to opt out
  • Security based upon reasonable and appropriate measures to protect the data
  • Data integrity – the data must be accurate, complete and current
  • Limited purpose – the company must state the purposes of the data collection and abide by its stated purposes (or get fresh consent for an expanded purpose)
  • Access – individuals must have the right to obtain the data kept about them within a reasonable period of time
  • Accountability for further transfers of data to subcontractors, etc.
  • Recourse for individuals whose data has been misused.
Companies seeking the benefit of the Privacy Shield will have to publicly declare their commitment to the Privacy Principles, publicly disclose a privacy policy consistent with those principles, and fully implement it. Adherence to the Privacy Principles may be limited (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) to the extent that statute, regulation, or case law creates conflicting obligations; or (c) to the extent expressly permitted by the EU member state affected by the data transfer.
Participants in the Privacy Shield program will be required to verify their compliance with their privacy commitments. This may be done through self-assessment or outside compliance reviews.  Under the self-assessment approach, the verification must indicate that:
  • The published privacy policy is accurate, comprehensive, prominently displayed, completely implemented and accessible;
  • The privacy policy conforms to the Privacy Shield Principles;
  • Individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
  • The company has in place procedures for training employees in the implementation of its privacy policy, and disciplining them for failure to follow it; and
  • It has in place internal procedures for periodically conducting objective reviews of compliance with the above.