Does your U.S.-based company communicate with people living in the EU? Does it receive information or data from, or about, people in the EU? Does it have customers, contractors or suppliers in the EU? Does it have employees working in the EU? Is it one of the over 4,000 U.S. companies self-certified under the former US-EU Safe Harbor for data transfers between the EU and U.S.? If your answer to any one of these questions is yes, you have probably been eagerly awaiting the new guidance on EU-US data transfers (the “EU-US Privacy Shield”) on how to transfer data and information from the EU to the U.S. in compliance with EU privacy laws after the Schrems Decision from the EU Court of Justice in October 2015.
You are probably also overwhelmed by the EU-US Privacy Shield’s 128 pages, am I right? Well luckily, the U.S. Department of Commerce has published an Overview Fact Sheet summarizing the 128-page EU-US Privacy Shield Framework for U.S. companies who are considering self-certifying under the new EU-US Privacy Shield Framework.
The EU Commission has now issued a draft adequacy decision for the EU-US negotiated Privacy Shield Framework; if finalized, the Framework would be deemed adequate to make EU-US data transfers legal under EU law. Review by EU data privacy stakeholders is underway now. According to some commentators, the EU-US Privacy Shield Framework for EU-US data transfers could launch as early as June of this year. Other commentators anticipate that the Framework will be strengthened as it goes through the EU adequacy determination review, extending the process.
Once the EU makes the required adequacy determination, the U.S. Department of Commerce has committed to begin accepting self-certifications from U.S.-based companies pursuant to the new EU-US Privacy Shield Framework. EU-US Privacy Shield self-certification will require U.S. companies to make a public commitment to comply with the EU-US Privacy Shield’s requirements. While still voluntary like the former US-EU Safe Harbor, once a U.S. company makes the public commitment to comply with the EU-US Privacy Shield Principles, the Principles become enforceable under U.S. law for as long as the certification is in effect, and additional enforcement mechanisms, including private lawsuits, apply.
Here are some of the elements of the EU-US Privacy Shield Framework the Department of Commerce views as key for participating U.S. companies:
EU Individuals’ Rights and Legal Remedies
- People in the EU can complain directly to a participating U.S. company about the U.S. company’s handling of the EU person’s data and the company must respond within 45 days.
- Each participating U.S. company must provide, free of charge, a mechanism for expeditious investigation and resolution of complaints from people in the EU.
- People in the EU may also complain to their EU data protection authority (DPA) about a certified U.S. company and the U.S. Department of Commerce has committed to receive, review and make best efforts to facilitate resolution of the complaint and respond to the EU DPA within 90 days.
- The U.S. Federal Trade Commission (FTC) has also committed to prioritize EU DPA complaints and enforcement by working closely with the EU DPAs including information sharing and investigative assistance.
- People in the EU can also sue Privacy Shield certified U.S. companies in U.S. state courts, including private lawsuits for misrepresentation and similar claims.
- Participating U.S. companies must also agree to binding arbitration when requested by a person in the EU to address any data privacy complaint that has not been resolved by other mechanisms.
- The U.S. State Department will also establish an Ombudsperson to whom people in the EU will be able to submit inquiries regarding U.S. signals intelligence practices.
U.S. Commerce Department Oversight
The U.S. Commerce Department has committed to:
- Verify that participating U.S. companies have provided all required information and registered with their identified independent recourse mechanism, where the provider requires registration;
- Follow up with U.S. companies whose self-certifications lapse or who have voluntarily withdrawn from the EU-US Privacy Shield Framework;
- Search for and address false claims of EU-US Privacy Shield certification by U.S. companies and refer matters to the FTC, Department of Transportation or other appropriate enforcement agency; and
- Conduct periodic company compliance reviews and assessments of the program.
Specific Requirements for Participating U.S. Companies
Informing People in the EU About Data Processing
Participating U.S. companies must:
- State in their privacy policies that they are committed to complying with the EU-US Privacy Shield Principles;
- Include, when their privacy policies are available online, links to the U.S. Commerce Department’s EU-US Privacy Shield website and to the website or complaint form of the company’s independent complaint investigation mechanism; and
- Inform people in the EU of their right to access their personal data, of the company’s obligation to disclose personal data in response to lawful requests by authorities, of the enforcement authority with jurisdiction over the U.S. company’s compliance with the EU-US Privacy Shield Principles, and of the company’s liability for transfers of personal information and data to third parties.
Maintaining EU Data Integrity and Purpose Limitation
- Participating U.S. companies must limit collection of personal information and data about people in the EU to information relevant to the purpose of the company’s data processing.
Ensuring Accountability for Data Transferred to Third Parties
- Participating U.S. companies transferring personal data about a person in the EU to a third party who is acting as a data controller must:
  - Comply with the EU-US Privacy Shield Notice and Choice Principles; and
  - Enter into a contract with the third-party data controller requiring that EU personal data be processed only consistent with the EU person’s consent and that the third party provide the same level of protection as the EU-US Privacy Shield Principles.
- To transfer personal data about people in the EU to a third party acting as an agent for the company, a participating U.S. company must:
  - Transfer EU personal data only for limited and specified purposes;
  - Verify that the agent is obligated to provide at least the same level of privacy protection required by the EU-US Privacy Shield Principles;
  - Take reasonable steps to ensure that the company’s agent processes the EU personal data consistent with the agent’s obligations under the EU-US Privacy Shield Principles;
  - Upon notice, take reasonable steps to stop and remedy unauthorized processing of EU personal data; and
  - Upon request, provide a summary or copy of the relevant privacy provisions contained in the contract with the agent to the U.S. Department of Commerce.
Cooperating with the U.S. Department of Commerce
- Participating U.S. companies must respond to inquiries and requests regarding their EU-US Privacy Shield participation from the U.S. Department of Commerce.
Transparency regarding FTC and Court Enforcement Actions
- Participating U.S. companies that become subject to an FTC or court order based on non-compliance must make public any relevant EU-US Privacy Shield-related sections of compliance or assessment reports submitted to the FTC.
Ensuring Privacy Commitments Are Kept as Long as EU Personal Data Is Held
- If a U.S. company leaves the EU-US Privacy Shield Framework and chooses to keep personal data about people in the EU it received under the Framework, every year it must verify its commitment to apply the EU-US Privacy Shield Principles to that personal data or provide “adequate” protection by other authorized methods.
How the Draft EU-US Privacy Shield Framework Benefits Your U.S. Company
While some commentators have expressed doubt that EU personal information and data privacy stakeholders will approve the current proposed EU-US Privacy Shield Framework, those doubts are not due to a belief that the EU-US negotiated Privacy Shield Framework is overly strict on U.S. companies transferring EU data to the U.S. Rather, just the opposite. Some commentators, including Max Schrems, the litigant whose case brought down the original Safe Harbor in the EU, and at least one EU data protection authority have said that the proposed EU-US Privacy Shield Framework is not strong enough to protect the privacy of people in the EU and, as a result, is not expected to be approved by EU privacy authorities without the Framework being strengthened. In particular, they point to the absence of limits on U.S. government data surveillance and on private U.S. companies’ internal use of personal data equivalent to those that exist under EU laws.
Regardless of whether the current proposed EU-US Privacy Shield Framework will be strengthened as it navigates the EU adequacy determination process, it does set a floor below which future EU-US Privacy Shield Principles are unlikely to go. As a result, the proposed EU-US Privacy Shield Principles provide a good starting place for U.S.-based companies to get a head start on updating their EU-US data transfer policies and practices and to stay a step ahead of increasingly aggressive EU data privacy regulators and potential enforcement actions in both the U.S. and the EU.
Linda Priebe is a partner in Culhane Meadows’ Compliance, Employment, and Data Privacy Practice Groups in Washington DC. She provides advice and counsel to employers, social media advertisers and marketers, online retailers, regulated industries, federal contractors, international companies, and law firms regarding compliance with laws governing use of social media in business and data privacy and security. Prior to Culhane Meadows she was Deputy General Counsel and Ethics Official at the White House Office of Drug Policy (ONDCP) from 1999-2013. She can be reached at LPriebe@CulhaneMeadows.com.
This Blog/Web Site is made available by Culhane Meadows, PLLC and its attorneys for educational purposes only and to provide general information about the law—not to provide you specific legal advice. By using this Blog/Web Site you understand that there is no attorney client relationship between you and any Culhane Meadows attorney. This Blog/Web Site should not be used or relied upon as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction. Also, please note that although this Blog/Web Site is made available on the Internet, Culhane Meadows attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.