#2 Data Privacy Best Practice: Self-Certify Compliance with the Privacy Shield
Updated: Aug 21, 2020
Following the Court of Justice of the EU's decision in Schrems II related to the Privacy Shield and the SCCs, the content of this post has been updated in Data Privacy Best Practices 11: Update to Privacy Shield and SCCs.
What is the Privacy Shield and Why should you self-certify?
Privacy Shield is a program administered by the United States Department of Commerce. It provides U.S. companies doing business with European Union customers with a means to comply with the EU’s “adequate protections” law.
EU personal data may not be exported to any non-EU country unless that country provides adequate protections for such personal data. Some non-EU countries have obtained such certification. The U.S. has not.
There are three mechanisms for U.S. companies to meet the adequacy test:
Self-certify under the U.S. Privacy Shield;
Adopt the EU Model Clauses for all contracts with EU data exporters; and/or
Adopt Binding Corporate Rules for your enterprise.
A future blog post will address the Model Clauses and specifically how the GDPR requires some amendments to them. Binding Corporate Rules (BCRs) make sense for large enterprises rather than small companies. BCRs must be approved by EU Data Protection Authorities (DPAs) and usually take over a year to implement. When I use the term “Model Clauses,” it is interchangeable with the EU-approved Standard Contractual Clauses.
You should self-certify because your U.S. business will meet the adequacy test without needing to enter into model clauses with EU customers (acting as data exporters).
Two words of caution:
1. The Privacy Shield mirrors many aspects of the GDPR, but it is not meant to cover all aspects of the GDPR. So simply self-certifying will not mean you are GDPR compliant. For example, the GDPR requires that data processors obtain the prior consent of the data controller before using sub-processors.
If you only followed the Privacy Shield, you would not think you needed prior consent. A later post will discuss how to review and update supply chain agreements to be GDPR compliant.
2. This is a self-certification; if it is not done correctly, it is not valid. By self-certifying, you agree that all representations will have the force of law and the FTC may enforce any violations. The FTC has assured the EU that they will take enforcement very seriously.
I have seen companies self-certify and then post privacy policies that are not compliant with the Privacy Shield principles. They are setting themselves up for an FTC investigation, which will be very costly and time consuming.
BizConnect, the hypothetical software company introduced in an earlier post, has decided to self-certify for the Privacy Shield. Below are the steps BizConnect needs to go through to self-certify.
Key compliance steps to Privacy Shield:
1) Comply with 7 main principles and 16 supplemental principles detailed below;
2) Update privacy policies to ensure compliance with principles detailed below;
3) Review (and set up, if not already in existence) contracts with third-party data controllers, data processors, and sub-processors (if applicable) to include the specified terms detailed below;
4) Draft internal policies to support the principles: ensuring data subjects’ access to their personal data for the specified purposes, following data retention and deletion policies, and implementing processes and timetables for responding to internal complaints, audits, and assessment procedures;
5) Conduct training to support #4 above. For example, there is a requirement to respond within 45 days to a user’s complaint. The company needs to be able to demonstrate that it has a designated person and has trained them internally on response protocols;
6) Sign up to a third-party dispute resolution provider or commit to cooperate with the European DPAs; and
7) Annually certify its compliance with Privacy Shield.
Under the verification requirement, organizations will need to ensure they remain certified to the Privacy Shield in years to come and carry out annual assessments of their compliance to the Privacy Shield principles. Annual assessments can be carried out in-house (e.g. a signed evaluation by a corporate officer) or through a third-party compliance review (which might involve audits, random reviews, use of decoys and other technology).
Below is an outline of the Privacy Shield’s seven principles and their requirements.
1. Notice
* Have a link to the Privacy Shield website
* Expressly commit to the Privacy Shield principles and enforcement structure
* Describe what personal data is collected
* Describe how the personal data is used
* Disclose who else the personal data is disclosed to
* Describe how users can lodge complaints, including whether there is an independent dispute resolution body or the company has selected the DPA panel
* Disclose that the company is subject to the jurisdiction of the FTC
* Disclose that, under certain circumstances, the data subject may invoke binding arbitration
* Include the requirement to disclose personal data to lawful authorities
* Disclose liability for onward transfers of personal data
2. Choice
* Where personal data will be disclosed to third parties or used for a purpose different from the one for which it was originally collected, there must be a clear and conspicuous opt-out mechanism
* If the personal data is classified as sensitive information, either of the above two scenarios requires express opt-in consent
3. Onward Transfer
All third-party contracts between a data controller and a data processor, as well as between a data processor and its sub-processor(s), must:
* Provide that the processing is restricted to the limited purposes consistent with the original consent
* Provide the same level of protection as that under the Privacy Shield
* Require the data processor to notify the data controller if it cannot meet these obligations
4. Security protections
* Reasonable and appropriate measures to protect personal data from loss, misuse, or unauthorized access, disclosure, alteration and destruction taking into due account the risks involved in the processing and the nature of the personal data.
This is somewhat flexible and open ended; however, companies are advised to conduct a DPIA to determine gaps and weaknesses and consider encryption for data in transit.
5. Data Integrity and Purpose
* Do not over collect personal data
* Do not keep personal data longer than reasonably necessary for the purposes of processing
6. Access
* Users need access to amend, correct, or delete their personal data
* There is some exemption where the burden and expense of meeting these requirements would be disproportionate to the risks to the individual’s privacy interests
7. Recourse, enforcement, and liability
* Must respond to data subject complaint within 45 days
* Must provide an independent recourse mechanism to individuals to investigate and resolve complaints (e.g. TRUSTe or BBB). Alternatively, companies can expressly agree to cooperate with the applicable EU DPA for the country where the personal data originated.
* Accept binding arbitration for users who request it
* Verify compliance every year with the U.S. Privacy Shield program
* Conduct annual assessment of compliance either internally or with outside third party
There are 16 supplemental principles. Many of them are specific to certain types of data or they clarify and augment the principles above. They can be found here.
What information is needed to Self-Certify Under the Privacy Shield:
To self-certify for the Privacy Shield, an organization must provide the Department of Commerce with a self-certification submission, signed by a corporate officer on behalf of the organization joining the Privacy Shield, that contains at least the following information:
1. Name of organization, mailing address, e-mail address, telephone, and fax numbers;
2. Contact information for corporate representative and corporate officer (could be the same);
3. A description of the organization’s activities with respect to personal information received from the EU, including: (i) what types of personal data the organization’s Privacy Shield certification covers [note: pay special attention if HR data is included]; and (ii) a brief description of the purposes for which the organization processes personal data in reliance on the Privacy Shield, including the types of personal data and, if applicable, the types of third parties to which it is disclosed.
4. The independent recourse mechanism available to investigate unresolved complaints. If you do not select a private third party, you can instead choose to cooperate with the applicable DPAs and be subject to a DPA panel.
What is needed in Data Processing Contracts (often referred to as Data Processing Addendums) to meet the onward transfers principle:
1. A written contract. When personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the Privacy Shield.
2. The purpose of the contract is to make sure that the processor:
* Acts only on instructions from the controller;
* Provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and understands whether onward transfer is allowed; and
* Taking into account the nature of the processing, assists the controller in responding to individuals exercising their rights under the Principles.
3. Provide the same level of protection as under the Privacy Shield. Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.