224 Townsend Street
San Francisco, CA 94107
T: 415.795.1572
F: 909.972.1639
gamallp.com
July 12, 2016
Guide to the Prospective European Union – United States Privacy Shield Program
Our firm has prepared an overview of the prospective European Union – United States
Privacy Shield program. As of today’s date, this program has yet to go into effect. Original
projections had this program slated to begin in Summer 2016, as detailed below, but the Privacy
Shield was formally adopted as of July 11, 2016.
As our firm receives further information about the approval and implementation of this
program, our firm is ready to work with your company to execute the proper procedures for
compliance.
Sign On to Privacy Shield Self-Certification
All companies should sign on to the Privacy Shield Self-Certification with the Department
of Commerce within the first two (2) months of the program in order to gain the nine (9) month
grace period. The grace period starts from the date the company is placed on the Privacy Shield
list, and the company will have that time to bring its onward transfer obligations in line with the
requirements.
The nine (9) month period is especially beneficial because it provides the company time to
implement the more complex and time-consuming requirements, such as the contract and process
changes around managing onward data transfers to sub-contractors (controllers and processors).
If a company does not sign on to the Privacy Shield within the first two (2) months, then it
will not gain the nine (9) month advantage and will have to be in full compliance with the
requirements immediately upon submission, meaning all onward transfer obligations attached at the
time of certification. The company will not be placed on the Department of Commerce list as self-certified
until the company has all the required operational changes in place.
We are advising all of our clients to work with our firm to make sure they can avail
themselves of the sign on process and take advantage of the nine (9) month window for further
time to ensure total compliance.
Before the Privacy Shield Program Begins
Although signing on to the Privacy Shield early provides a grace period, companies must still
be in compliance with some requirements prior to that time. Additionally, companies should get
started on operational updates that have significant impact on the business and take the longest to
implement.
The main areas a company should focus on include:
• Getting contracts in place to meet increased accountability obligations for onward
transfers to subcontractors;
• Ensuring audit trail and dispute mechanisms meet stronger oversight and
enforcement requirements; and
• Updating privacy policies for increased transparency obligations.
Once a company signs on to the Privacy Shield, it must still comply with the Notice and Choice
Privacy Principles, and further ensure that third-party recipients can provide the same level of
protection guaranteed by the privacy principles.
Three Main Areas of Focus
First, before the Privacy Shield Program begins, a company must implement contracts and
processes to meet the following obligations during the interim period for all transfers to Third
Parties:
1. For transfers to controllers, companies must ensure that the Notice and Choice
obligations are met.
- The Notice Principle sets forth 13 items that must be addressed by the
company, and it includes a “clear and conspicuous” requirement. The 13
items are listed below.
- The Onward Transfers Principle now requires participating companies to
“provide a summary or a representative copy of the relevant privacy
provisions of its contract with that [service provider] to the Department
upon request.”
2. For transfers to agents (processors), companies must ascertain that an agent is
obligated to provide at least the same level of protection that is required by the
principles.
After satisfying those obligations, a company can have the additional nine (9) months to
implement the remaining onward transfer requirements, including:
1. For transfers to Third Parties acting as a controller, companies must ensure:
• The Notice and Choice obligations are met;
• The personal information is processed for limited and specified purposes consistent
with the consent provided; and
• That all personal information will be afforded the same level of protection as the
Principles.
2. For transfers to Third Parties acting as an agent, companies must:
• Ensure the transfer of personal information is for limited and specified purposes;
• Ascertain the agent is obligated to provide at least the same level of privacy
protection as is required by the Principles; and
• Take reasonable and appropriate steps to ensure that the agent effectively
processes the personal information transferred in a manner consistent with the
company’s obligations under the Principles.
Implementing and satisfying these requirements will require that contracts be in place to cover
all data transfer parties, with appropriate language to meet the obligations, along with processes for
monitoring, reporting, remediation and disclosure.
Moreover, companies will remain responsible for EU personal information, even when it
goes to subcontractors, and will have the burden of proof if liability arises. Therefore, it is critical to
have proper audit trail mechanisms in place to mitigate risk.
Second, a company must retain all records related to Privacy Shield verification and provide
them to the Department of Commerce or the Federal Trade Commission upon request. Companies need
to build strong audit trail processes to respond to inquiries in the context of stepped-up oversight
and enforcement.
Specifically, companies have two options for dispute resolution. One option is to elect an
independent Dispute Resolution Provider, which must be provided at no cost to the customer.
However, this option is not permitted for employee personal information issues.
The other option is for the company to use the local Data Protection Authorities in the EU,
which is the required dispute resolution mechanism for employees' personal information. If
a company transfers both customer and employee data, an independent Dispute Resolution
Provider can be used for customer data, and the local Data Protection Authorities can be used for
employees' personal information as long as it is clear which mechanism applies.
As a last resort, individuals can make use of an arbitration panel. In addition, EU citizens
now can sue in a private cause of action against US companies. Companies should have one of the
two listed mechanisms in place at the time of self-certification, including a designated Dispute
Resolution Provider. Companies should also do what they can to resolve any issue and, in any
event, they must respond within the required forty-five (45) days from the initial complaint.
Third, companies must update their privacy policies for increased transparency obligations.
It is important to plan ahead and allow the necessary time for policy redlining, review, and proper
technology implementation and testing across all digital properties. The Privacy Shield has amended
and added disclosure requirements for a company’s privacy policy, including:
- The declaration of compliance with the Privacy Shield and the publishing of privacy
policies that reflect the privacy principles;
- The types of personal data collected and any subsidiaries adhering to the principles;
- A statement that the principles apply to all personal data received from the EU under the
Privacy Shield;
- The purposes for which it collects and uses personal information;
- The contact information for complaints and inquiries;
- The types of third parties to which personal information is disclosed and the purposes of
disclosure;
- The right of individuals to access their personal data;
- The choices offered for limiting the use and disclosure of personal data;
- The dispute resolution body designated to address complaints;
- That it is subject to Federal Trade Commission and/or Department of Transportation
jurisdiction;
- The possibility to make use of binding arbitration where appropriate;
- The disclosure policies in response to lawful requests by public authorities; and
- The liability in cases of onward transfers to third parties.
The Seven Privacy Principles and New Requirements
To complete the certification process, companies must show compliance with the seven
Privacy Principles listed below. A list of new requirements is set out in relation to the Principles of
Notice, Choice, Accountability for onward transfers, Security, Data integrity and Purpose limitation,
Access, Recourse, Enforcement and Liability.
Notice
The notification obligations require companies to notify individuals of new details in their
privacy policy, including:
Checklist (compliance status / item):
[ ] Whether the company is subject to the investigatory and enforcement powers of
the Federal Trade Commission or other US agencies;
[ ] Whether the company will adhere to an independent dispute resolution body to
address individual complaints;
[ ] The right of individuals to invoke binding arbitration against the company under
certain circumstances;
[ ] Its obligation to disclose personal data to public authorities in compliance with lawful
requests; and
[ ] Its responsibility and potential liability in cases of onward transfers to third parties.
The notice must be provided in clear and conspicuous language when individuals are first
asked to provide personal information to the company or as soon thereafter as is practicable, but
before the company uses that information for a purpose other than that for which it was originally
collected. Companies must also inform individuals about:
Checklist (compliance status / item):
[ ] Its participation in the Privacy Shield and provide a link to, or the web address for,
the Privacy Shield list;
[ ] The types of personal data collected and, where applicable, the entities or
subsidiaries of the organization also adhering to the Principles;
[ ] Its commitment to subject to the Principles all personal data received from the EU in
reliance on the Privacy Shield;
[ ] The purposes for which it collects and uses personal information about them;
[ ] How to contact the organization with any inquiries or complaints, including any
relevant establishment in the EU that can respond to such inquiries or complaints;
[ ] The type or identity of third parties to which it discloses personal information, and
the purposes for which it does so;
[ ] The right of individuals to access their personal data;
[ ] The choices and means the company offers individuals for limiting the use and
disclosure of their personal data;
[ ] The independent dispute resolution body designated to address the complaints and
provide appropriate recourse free of charge to the individual, and whether it is (1)
the panel established by DPAs, (2) an alternative dispute resolution provider based
in the EU, or (3) an alternative dispute resolution provider based in the US;
[ ] Being subject to the investigatory enforcement powers of the FTC, the Department
of Transportation or any other US authorized statutory body;
[ ] The possibility, under certain conditions, for the individual to invoke binding
arbitration;
[ ] The requirement to disclose personal information in response to lawful requests by
public authorities, including to meet national security or law enforcement
requirements; and
[ ] Its liability in cases of onward transfers to third parties.
In addition to designating a dispute resolution body, the company must establish
mechanisms in order to respond within forty-five (45) days of the initial complaint lodged by the
data subject regarding their personal data.
Choice
Under the Choice Principle, a company must offer data subjects the opportunity to opt out
if the company plans to (1) disclose their personal data to third parties other than
processors/agents acting on the company’s behalf; (2) use their personal data for materially
different purposes than for which it was originally collected; or (3) use their personal data for direct
marketing purposes. Special rules apply to direct marketing, which generally allow data subjects to
opt out at any time from the use of their personal data.
Therefore, the company must ensure it provides clear, conspicuous and readily available
mechanisms that allow individuals this choice. Once a US company receives employee data from
the EU under the Privacy Shield, the participating company may disclose it to a third party or use it
for a different purpose, but only in accordance with the Notice and Choice Privacy Principles.
Before disclosing sensitive data to any third parties, including processors, or using that
sensitive data for a materially different purpose, the company must obtain the individual’s “explicit”
(i.e. opt-in) consent. Sensitive data is defined as personal information specifying medical or health
conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union
membership or information specifying the sex life of the individual.
Therefore, a data subject’s affirmative, explicit consent is required when the processing of
sensitive data is in the vital interest of the data subject or another person, necessary to establish
legal claims or defenses, or required to provide medical care or carry out a company’s employment
law obligations.
Accountability for Onward Transfers
Under the Privacy Shield, the rules around onward transfers of data to third parties, whether the
recipient is a data controller or a data processor, have tightened.
For onward transfers, the tightened conditions apply to any third party and hold
the self-certified company responsible for the conduct of their third-party processors/agents. If
compliance problems arise in a sub-processing chain, the Privacy Shield company acting as data
controller of the data will face liability unless it can prove that it was not responsible for the event
causing the damage. Additionally, companies can face potential liability for the processing actions of
their processors. Therefore, companies should also be prepared to make available summaries or
copies of the relevant privacy provisions in their contracts to the data subjects or the Department
of Commerce upon request.
Companies must execute contracts with third-party data recipients – whether the party is a
separate data controller or data processor (vendor) – obligating them to process data only for
limited and specified purposes and to provide the same level of protections guaranteed by the
Privacy Principles. The Onward Transfers Principle also effectively requires mechanisms for
oversight of third-party processors requiring participating companies to: (1) take steps to ensure
the processor handles the data in accordance with the Privacy Principles; and (2) remediate any
unauthorized processing by the processor.
Security
The company must demonstrate that it has “reasonable and appropriate” data security
measures in place that take into account the relevant risk and the nature of the data. These measures
must protect the data from loss, misuse and unauthorized access, disclosure, alteration and
destruction.
Data Integrity and Purpose Limitation
The company must ensure the data is relevant and reliable for its intended purpose, and it
is accurate, complete and current. Without consent, the company cannot process personal data in
a way that is incompatible with the purpose for which it was originally collected or subsequently
authorized by an individual.
Access
The company must implement mechanisms that provide data subjects with access to the
personal data about them, and the ability to correct, amend, or delete their personal data where it
is inaccurate or has been processed in violation of the Privacy Principles. In the employment
context, EU employers will usually provide such access as is required by the law in their home
countries, regardless of the location of data. However, the Privacy Shield nonetheless requires
participating US companies processing such data to cooperate with the EU employers in providing
employees with access to their data.
Recourse, Enforcement and Liability
Not only must companies have effective privacy protection, they must include robust
mechanisms for assuring compliance with the Principles, recourse for individuals who are affected
by non-compliance with the Principles and consequences for the organization when the Principles
are not followed. The necessary mechanisms, at a minimum, must include:
Checklist (compliance status / item):
[ ] Readily available independent recourse mechanisms by which each individual’s
complaints and disputes are investigated and expeditiously resolved at no cost to
the individual (the company must respond within forty-five (45) days of receiving a
complaint and provide an assessment of the merits of the complaint and the actions
taken);
[ ] Follow-up procedures for verifying that the statements made by the company about
its privacy practices are true and that the privacy practices have been
implemented; and
[ ] Obligations to remedy problems arising out of non-compliance with the Principles
by companies announcing their adherence to them, and consequences for such
companies.
Companies and their selected independent recourse mechanisms must respond promptly
to inquiries and requests by the Department for information relating to the Privacy Shield.
Additionally, companies must respond expeditiously to complaints regarding compliance with the
Principles referred by EU Member State authorities through the Department.
Companies are obligated to arbitrate claims provided that an individual has invoked binding
arbitration by delivering notice to the company at issue and following the procedures.
In the context of an onward transfer, a Privacy Shield company has responsibility for the
processing of personal information it receives under the Privacy Shield and subsequently transfers
to a third party acting as an agent on its behalf. The Privacy Shield company will remain liable under
the Principles if its agent processes such personal information in a manner inconsistent with the
Principles, unless the company can prove that it is not responsible for the event giving rise to the
damage.
In addition, the company must not only self-certify its compliance with these Privacy
Principles, but must also meet annual verification requirements either through self-assessment or
outside compliance reviews. Whichever option the company chooses, it must be prepared to
submit written verification statements to the Department of Commerce or EU data subjects upon
request.
Contact Gagnier Margossian today to discuss how we can help
with your international privacy compliance.
Christina Gagnier
Managing Partner, Internet, Intellectual Property & Technology
gagnier@gamallp.com
909.493.6447