The European Commission published on February 29, 2016 the legal instruments needed to put in place the “EU-U.S. Privacy Shield” (Privacy Shield) for transfers of personal information from Europe to the United States. Before the Privacy Shield becomes operational, it must be reviewed by both the Article 29 Working Party of national DPAs and a panel of EU Member State representatives, and it must then be formally approved by the Commission. In the meantime, organizations may want to evaluate whether the Privacy Shield represents a viable mechanism to legitimize their transfers of data from the European Union. This summary highlights key features and requirements of the Privacy Shield.
Key Features and Requirements:
Notice - Privacy policies must be validated to ensure they cover thirteen specific notice requirements about the information collected under the Privacy Shield and the individual’s rights and choices with respect to that information.
Redress Mechanisms - Organizations participating in the Privacy Shield must address any complaints directly from individuals in the EU within 45 days and also provide a cost-free independent recourse mechanism for investigating and resolving complaints.
Onward Transfers- Personal information collected under the Privacy Shield may only be transferred to third party controllers pursuant to contracts that provide for processing for limited and specific purposes consistent with the consent provided by the individual, and that require those third parties to maintain the same level of protection required by the Privacy Shield.
Service Provider Management – Transfers to service providers must also be made pursuant to contracts, and organizations must take reasonable and appropriate steps to verify that its service providers process personal information consistent with the organization’s obligations under the Privacy Shield (e.g., via due diligence and audit of its service providers).
Self-certification - As part of self-certification, an organization must confirm how it verified its compliance with the Privacy Shield (i.e., through self-assessment or outside review). Evidence must be made available upon request in the context of an investigation or complaint, failure to verify could subject the organization to unfair and deceptive practice enforcement action.
Enhanced DOC Enforcement - The DOC will proactively look for false claims of Privacy Shield certification via spot checks, confirming that an organization displaying Privacy Shield certifications is currently on the certified list and promptly reviewing complaints of false certification.
Ongoing Obligations -If an organization no longer maintains its Privacy Shield certification, it must nevertheless continue to treat any personal information received under the Privacy Shield in accordance with its requirements or delete the data.
Consequences of Non-compliance - Persistent failure to comply with the privacy principles will mean removal from the public list of Privacy Shield organizations, and the organization must return or destroy personal information collected under the Privacy Shield. The FTC can enforce compliance through administrative orders, and may obtain civil penalties and injunctions from the federal courts if its orders are not followed.
“Naming and Shaming” - The DOC will maintain a list of organizations that have been removed from the Privacy Shield list and provide a link to Privacy Shield-related FTC cases that are maintained on the FTC’s website.
Annual Joint Review – The DOC and FTC will annually review the Privacy Shield with the European Commission and interested DPAs. These reviews may result in changes to Privacy Shield requirements and require organizations to adjust their policies and practices accordingly.
Our Privacy & Information Security Team is compiling a detailed checklist to help corporations identify the specific requirements to certify for the Privacy Shield.