US companies that rely on seamless receipt of personal data from EU businesses watched in horror as the EU-US Safe Harbor Program was blown up by the EU Court of Justice.
Officials on both sides of the Atlantic have rushed to fill the void. What emerged, the EU-US Privacy Shield, is a stronger, more demanding set of rules that US companies may follow to avoid enforcement actions from the EU’s data protection authorities (DPAs).
Before it becomes operative, the Privacy Shield must clear a gantlet of regulatory processes that includes review by the EU DPA (which wrapped up on April 13, 2016), the consent of the EU Parliament, and adoption by the European Commission. This process may be completed as early as June 2016.
The Privacy Shield has vociferous critics in both the US and Europe who remain mistrustful of US intelligence services and their propensity for snooping. On April 13, 2016, this criticism was echoed by the DPAs, who opined that the Privacy Shield is “not acceptable” because it permits mass surveillance of Europeans. But because several governments have invested substantial resources in the development of the Privacy Shield, it is advisable for US businesses that receive personal data from the EU to seriously consider participating in the program and to plan now for that participation.
The Privacy Shield, like the Safe Harbor program, involves self-certification by companies seeking its protection. It also is based upon the principles agreed by the EU countries in 1995 (the Privacy Principles):
- Notice to the individuals whose data is being transmitted
- Choice affording the individual the opportunity to opt out
- Security based upon reasonable and appropriate measures to protect the data
- Data integrity – the data must be accurate, complete and current
- Limited purpose – the company must state the purposes of the data collection and abide by its stated purposes (or get fresh consent for an expanded purpose)
- Access– individuals must have the right to obtain the data kept about them within a reasonable period of time
- Accountability for further transfers of data to subcontractors, etc.
- Recourse for individuals whose data has been misused.
Participants in the Privacy Shield program will be required to verify their compliance with their privacy commitments. This may be done through self-assessment or outside compliance reviews. Under the self-assessment approach, the verification must indicate that:
- Individuals are informed of any in-house arrangements for handling complaints and of the independent mechanisms through which they may pursue complaints;
- It has in place internal procedures for periodically conducting objective reviews of compliance with the above.
A statement verifying the self-assessment must be signed by a corporate officer at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance.
The Expanded Role of the DPAs
In General. EU law requires the appointment of DPAs to administer privacy regulations. Most EU countries have a single DPA, but each of the 16 German states has its own. The potential for inconsistent determinations or overlapping investigations is considerable. The EU proposes to develop an informal panel of DPAs to ensure a coherent approach to problems that arise. The DPAs will have the authority to terminate ongoing data transfers if they are not satisfied with a company’s compliance.
The Safe Harbor program effectively insulated US companies from the jurisdiction of the DPAs but the Privacy Shield does not. US companies that don’t receive human resource (HR) data from Europe do not need to expressly subject themselves to the jurisdiction of the DPAs, but even if they don’t, EU citizens may nonetheless direct complaints to their local DPA. The DPA may then work with the Department of Commerce and the FTC to ensure that unresolved complaints are investigated and resolved expeditiously.
Handling Requests and Complaints
Under the Privacy Principles, individuals have a right to verify the accuracy of information held about them and to have inaccuracies corrected. Individuals do not have to justify their requests for information and generally do not have to pay for obtaining it. However, companies may charge a fee if the request is manifestly excessive or repetitive.
All companies must put in place internal mechanisms for responding to such requests and resolving complaints. They must describe their procedures in their privacy policies and include the contact details of the members of the complaint-handling team. Within 45 days of the receipt of a request or complaint, a company must provide an assessment and information on how (if at all) the request will be honored or the problem rectified.
Individuals may appeal a decision of the company’s internal process. If the company has appointed the DPAs to hear the appeal (as it must do in the case of HR data), then the appeal goes to the DPAs. If the company has not appointed the DPAs, it must identify an independent dispute resolution body designed to address appeals and provide appropriate recourse free of charge to the individual complainant. Companies choosing this path must register in advance with the dispute resolution body and identify it in its Privacy Shield certification.
The Commerce Department will be establishing an arbitration body to hear complaints that remain unresolved after an individual has sought relief both directly from the US company and the independent body to which the matter was referred. The arbitration will be binding on the US company and the individual and may result in compensatory damages. The FTC will also accept complaints from individuals, dispute resolution bodies, the Department of Commerce and DPAs. If necessary, the FTC can seek to enforce compliance through the issuance of administrative orders. If these are subsequently ignored, civil penalties against the organization may be sought, along with preliminary and/or permanent injunctions from a federal court.
Onward Data Transfers
The Privacy Shield imposes a new requirement regarding onward transfers of personal data that has been received by a US company. Under the Safe Harbor program, the US company was required only to provide adequate notice to the individuals that the onward transfer would occur and provide them the opportunity to opt out of it. Under the Privacy Shield, US companies must also have contracts in place with the transferees that offer the same level of protection as the Privacy Principles. The Commerce Department, recognizing the administrative difficulties involved, has proposed a nine-month grace period for the requirement to put these contracts in place.
The Department of Commerce has undertaken to conduct compliance reviews of self-certified organizations, including verification of their registration with independent recourse mechanisms. When it finds persistent failure to adhere to the Privacy Principles, it will remove the company from the Privacy Shield list and put that company on a list of organizations that are no longer part of the framework, setting out the reason for removal.
Participants in the Privacy Shield that are facing a merger or takeover must notify the Commerce Department in advance as to whether the successor entity will adhere to the Privacy Principles by operation of law governing the takeover or merger, or will self-certify on its own. If neither is the case, personal data acquired under the Privacy Shield must be deleted.
Pharma Research Data
Research data are usually uniquely key-coded at the origin by the principal investigator so as not to reveal the identity of individual data subjects. Pharmaceutical companies sponsoring such research typically do not receive the key, which is held by the researcher so that he or she can identify the research subject under special circumstances (e.g., if follow-up medical attention is required). A transfer from the EU to the United States of data coded in this way does not constitute a transfer of personal data that would be subject to the Privacy Shield Principles.
Companies that rely on transfers of data involving EU individuals should decide now whether they intend to participate in the Privacy Shield program. If they wish to participate, they should take the following steps:
- Determine whether ongoing compliance will be measured by means of an external or internal audit
- Identify the internal or external auditor and, in the case of an internal audit, develop audit procedures so that the self-assessment process can be completed promptly and accurately
- Decide whether to refer appeals to the DPAs or to an dispute resolution body
- Identify the organizations that may receive onward transfer of data about EU residents and start the process of preparing and executing contracts by which they agree to offer the same level of protection as is required by the Privacy Principles.
With these preliminary measures in place, self-certification and participation in the Privacy Shield program should be a quick process.