As reported previously, the European Court of Justice struck down the European Commission’s Safe Harbor Decision (“Safe Harbor”) in October 2015.[1] Until its invalidation, Safe Harbor was the framework that, for over 15 years, facilitated transfers of the personal data of EU citizens to US companies. Fortunately for US companies faced with the daunting task of complying with the EU’s stringent data-protection laws, a replacement framework has been approved: the EU-US Privacy Shield (“Privacy Shield”). The US Department of Commerce began accepting applications for self-certification under Privacy Shield on August 1, 2016.[2]
Privacy Shield differs from its predecessor by imposing both stronger compliance obligations on US companies and stricter monitoring and enforcement requirements on the US government.[3] US companies that do business in the EU or with its citizens, including companies with a website accessible by EU citizens, should strongly consider self-certification, but only after gaining a full understanding of Privacy Shield’s requirements and the consequences of noncompliance.
The Principles
Privacy Shield consists of seven “Principles” and 16 “Supplemental Principles,” some of which may be familiar to companies that operated under Safe Harbor. Despite some overlap, companies will need to carefully review the multitude of new and different obligations under Privacy Shield as they prepare for self-certification, and operation thereunder, since many of Safe Harbor’s general guidelines are now specific affirmative obligations with severe penalties for noncompliance. While a few of the more notable requirements and differences are outlined below, any company considering self-certification should first consult with an attorney well-versed in not only Privacy Shield, but data protection and privacy laws generally.
Notice (Principle 1)
“Notice” was also a Safe Harbor principle, but its Privacy Shield counterpart adds 11 items that must be disclosed to individuals in clear and conspicuous language when they are first asked to provide personal information. The new items include information about Privacy Shield and the company’s commitment to it; the individual’s right to access their personal data (as set forth in Principle 6 (Access) and Supplemental Principle 8 (Access)); the types of data the company collects; and the fact that such data may be disclosed to public authorities (as set forth in Supplemental Principle 16 (Access by Public Authorities)). The Notice Principle also requires companies to provide individuals with significantly more information about dispute resolution and enforcement than Safe Harbor did, including the identity of the independent dispute resolution provider that handles consumer complaints, the availability of binding arbitration in certain instances, the company’s own liability for transfers of information to third parties, and the fact that the company is subject to the investigatory and enforcement powers of the Federal Trade Commission (the “FTC”) or the Department of Transportation, as applicable.
Self-Certification (Supplemental Principle 6)
A company seeking the benefits of Privacy Shield must annually self-certify to the US Department of Commerce its public commitment to comply with the Principles. The “Self-Certification” Supplemental Principle sets forth the minimum information that must be provided in a self-certification submission, which includes, among other things, a description of the company’s activities involving personal information received from the EU, a detailed description of the company’s privacy policy, including the web address where it may be viewed, the company’s method of verifying the efficacy of its privacy policy and information regarding its independent recourse mechanism.
Prior to submitting its self-certification, a company will need to develop a new privacy policy or update its existing privacy policy to conform to Privacy Shield, which must include an express declaration that the company has committed to complying with the Principles. If accessible online, the privacy policy must also include links to both the Privacy Shield website and the website or complaint form for the company’s independent recourse mechanism. Once updated to accurately and comprehensively reflect the Principles, a company must still verify the effectiveness of its privacy policy prior to self-certification and annually thereafter, with the procedures for doing so outlined in Supplemental Principle 7 (Verification).
This Supplemental Principle also offers a useful illustration of how Safe Harbor has been updated by Privacy Shield. Both frameworks provide that a company must continue to apply their respective principles to covered data for so long as the data is retained. Privacy Shield, however, requires affirmative steps from a company that withdraws from or falls out of compliance with the framework: it must return or delete all relevant data unless it either annually re-affirms its commitment to apply the Principles to that data or provides “adequate” protection for it by another authorized means.
Accountability for Onward Transfer (Principle 3)
This Principle contains several differences from Safe Harbor. It distinguishes not between agents and third parties generally, but between agents and controllers, and outlines very specific requirements for transferring data to either. Supplemental Principle 10 (Obligatory Contracts for Onward Transfers) discusses data-processing contracts and other transfer methods in greater detail. Additionally, Principle 7, discussed below, eliminates the third-party-liability protection afforded under Safe Harbor; now, unless a company can prove it is not responsible, the company will be liable for its third-party agent’s actions if the agent processes personal information “in a manner inconsistent with the Principles.”
Recourse, Enforcement and Liability (Principle 7)
Like its predecessor, Privacy Shield requires a self-certified company to choose either to (a) maintain a third-party dispute resolution provider for processing, investigating and resolving consumer disputes or (b) cooperate and communicate directly with EU data protection authorities, as set forth in Supplemental Principle 5 (The Role of the Data Protection Authorities). Human-resources data is the exception: disputes concerning it must be handled in cooperation with EU data protection authorities, consistent with Supplemental Principle 9 (Human Resources Data). Notable differences in this Principle include a new requirement that the independent recourse mechanism be available to individuals at no cost and a new obligation to participate in binding arbitration in certain circumstances (as detailed in Annex I to the framework).
Dispute Resolution and Enforcement (Supplemental Principle 11)
This Supplemental Principle elaborates on the recourse methods companies must offer to individuals, including a new rule requiring a company to respond to consumer complaints within 45 days. It also discusses the means for enforcing Privacy Shield obligations and the consequences of failing to comply. It bears emphasizing that self-certification under Privacy Shield constitutes an enforceable commitment under US law to comply with Privacy Shield’s requirements and obligations. Failure to comply is enforceable under the FTC Act’s prohibition of unfair and deceptive practices, through administrative or court orders. Violation of a court order is punishable as contempt, with appropriate sanctions, while violation of an administrative order can result in civil penalties of up to $40,000 per violation (or per day, for continuing violations). Persistent failure to comply, which is broadly defined and includes refusal to comply with a final determination made by the independent dispute resolution provider, will result in the company’s removal from the Privacy Shield list, thereby forfeiting Privacy Shield’s benefits and protections and exposing the company to potential liability under the False Statements Act. In addition, a company must make available to the public all administrative and court orders issued against it for failure to comply with Privacy Shield.
The Remaining Principles and Supplemental Principles
The remaining Principles and Supplemental Principles cover a variety of topics and set forth many additional obligations, exceptions and illustrative examples of Privacy Shield’s requirements in practice. Of those not previously mentioned, some are identical to or essentially the same as their Safe Harbor counterparts (e.g., Principles 2 and 4 and Supplemental Principles 1 through 4 and 12 through 14), while others contain entirely new material (e.g., Principle 5’s new rule on how long information may be retained in an identifiable form and Supplemental Principle 15’s clarifications regarding which Principles should or should not be applied to public records and other publicly available information).
Conclusion
Where Safe Harbor allowed for some flexibility in how a company implemented its principles, Privacy Shield creates affirmative and often very specific commitments that the FTC has pledged to vigorously enforce. Despite the administrative burden inevitably accompanying many of the new requirements, if your company does any business in the EU or with EU citizens or operates a website accessible by EU citizens, you should strongly consider (a) revising your privacy policy to comport with the Principles of Privacy Shield and (b) self-certifying with the US Department of Commerce in order to take advantage of the benefits and protections afforded to Privacy Shield’s participants.
1. Kyle Wood, et al., US No Longer Safe Harbor for European Data, Insights: Andrews Kurth (Oct. 19, 2015).
2. Self-certification submissions under the EU-US Privacy Shield may be submitted online at https://www.privacyshield.gov/PrivacyShield/ApplyNow.
3. The full text of the EU-US Privacy Shield framework may be accessed online and downloaded in PDF format at https://www.privacyshield.gov/EU-US-Framework.