As we previously reported, on August 1, 2016, the United States Department of Commerce (DOC) launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield website. Several hundred companies, including Microsoft, Salesforce, Panasonic Avionics, and Workday, have already self-certified, and many others have submitted their applications and are awaiting DOC's approval. Companies that submitted their applications before September 30, 2016 were granted a nine-month grace period to bring their existing contracts with third-party processors into line with the new onward-transfer requirements under the Privacy Shield, which lets them certify earlier than they otherwise could.
For those considering participating in the framework, the Privacy Shield website offers factual information about the framework, including instructions and details on how to join the Privacy Shield, the requirements of Privacy Shield participation, and the administration of the Privacy Shield Program. Likewise, amidst continued criticism of the framework in the EU, the European Commission published a Guide for citizens outlining how the Privacy Shield guarantees individuals' data-protection rights and what remedies are available to individuals who believe their personal data was misused in violation of the framework.
Specifically, the Guide provides detailed information on the following topics.
- Individuals' right to be informed. This includes a Privacy Shield company's obligation to inform consumers about the types of personal data it processes and the reasons for processing, whether and why the company intends to transfer the individual's personal data to another company, and the "opt-out" and "opt-in" rights that apply to disclosure of collected data.
- Limitations on the use of an individual's data for different purposes. This includes a blanket prohibition on using an individual's data for a purpose that is "incompatible with the original purpose." The Guide explains that if the new purpose is "different but related to the original one" (what the Guide calls "materially different"), the Privacy Shield company may only use the individual's data if the individual does not object (opt-out) or, in the case of sensitive data, if the individual consents (opt-in). The Guide further states that while individuals can choose whether to allow a Privacy Shield company to pass their personal data on to another company, they have no such choice when their data is sent to a controller's "agent" for processing. In that situation, however, the Privacy Shield company must contractually obligate its agent to provide the same data-protection safeguards as those contained in the Privacy Shield framework, and it may be held liable for its agent's actions in case of noncompliance.
- Data minimization and the obligation to keep an individual's data only for as long as needed. The Guide explains that a Privacy Shield company may only receive and process personal data to the extent it is relevant to the purpose of processing, and it must ensure that the data is accurate, reliable, complete and, where necessary, up to date. Subject to limited exceptions, the data must be deleted once it is no longer necessary for the purpose of processing.
- Obligation to secure an individual's data. A Privacy Shield company must ensure that personal data is kept "in a safe environment and secured against loss, misuse, unauthorized access, disclosure, alteration or destruction." At the same time, the Privacy Shield takes a risk-based approach, qualifying that security measures should take into account "the nature of the data and the risks involved" in the processing; the standard is reasonable and appropriate protection, not a fixed list of controls.
- Obligation to protect an individual's data if it is transferred to another company. A Privacy Shield company is required to contractually obligate onward transferees to comply with the Privacy Shield Principles. The contract must set out the conditions under which the third party may use the individual's personal data and its responsibilities to protect that data.
- Individuals' right to access and correct their data. This includes the right to have their data communicated to them and to obtain information about the purpose for which the data is processed, the categories of personal data concerned, and the recipients to whom the data is disclosed. Even where a company does not hold or process the individual's data, it is still required to respond to the request and confirm that it neither possesses nor processes the data.
The Guide also provides a detailed explanation of how individuals can lodge complaints and obtain a remedy against Privacy Shield violators. Specifically, individuals have several avenues for pursuing a complaint.
- The U.S. Privacy Shield company itself. The company must respond within 45 days of receiving the complaint and state whether the complaint has merit and, if so, the remedy the company will provide.
- Independent recourse mechanisms, such as alternative dispute resolution (ADR) or a national Data Protection Authority (DPA). A Privacy Shield company may choose ADR as its independent recourse mechanism; participation in the ADR process must be offered to individuals free of charge. A Privacy Shield company may instead opt for the EU DPAs to act as its independent recourse mechanism. Where a company handles human resources data, submission to DPA oversight is mandatory, which means that employees can always contact their local DPA if they have complaints about employment-related data transferred to a Privacy Shield company.
- The U.S. Department of Commerce (through a DPA). Even where a DPA has no direct oversight of the company, it can refer individual complaints to the Department of Commerce, which in turn can forward them to the Federal Trade Commission or the Department of Transportation, as appropriate. A response will be provided within 90 days.
- The U.S. Federal Trade Commission (or the U.S. Department of Transportation if the complaint relates to an airline or ticket agent). Individuals can complain directly to the FTC, using the same complaint system available to U.S. citizens.
- The Privacy Shield (Arbitral) Panel, but only after certain other redress options have failed. The arbitration procedure is to be completed within 90 days from the day the individual sends notice to the company, and decisions of the Privacy Shield Panel are binding. The arbitration takes place in the U.S., but complainants are not required to be physically present there and may join the proceedings by telephone or video-conference. Individuals also have the right to ask their DPA for assistance in preparing their claim and to obtain free-of-charge translation of documents from English into another language. Arbitral costs, except for attorney fees, are covered by a fund set up specifically for this purpose by the Department of Commerce and financed from the Privacy Shield companies' annual contributions.
The Guide also explains how individuals can obtain redress in case of access to their personal data by U.S. public authorities. The Guide states that such access will only occur "to the extent necessary for pursuing a public interest objective such as national security or law enforcement." To handle complaints related to national-security access, the Privacy Shield framework has created a special instrument, the so-called Ombudsperson.
The Privacy Shield Ombudsperson is a senior official within the U.S. Department of State who is independent from U.S. intelligence agencies. The office of Ombudsperson is tasked with ensuring that complaints are properly investigated and addressed in a timely manner, and that individuals receive confirmation that the relevant U.S. laws have been complied with or, if the laws have been violated, how the situation has been remedied.
It is important to note that the Ombudsperson mechanism is not Privacy Shield-specific. It has the power to investigate complaints relating to personal data transferred from the EU to companies in the U.S. under any commercial transfer mechanism, including data transferred on the basis of alternative transfer tools such as Standard Contractual Clauses or Binding Corporate Rules.