Mason Hayes & Curran looks at the key points US organisations should bear in mind if considering participation in the EU-US Privacy Shield.
Earlier this month, the European Commission adopted the Privacy Shield, the new EU-approved mechanism for the transatlantic transfer of personal data, replacing the now defunct Safe Harbour scheme.
US organisations considering self-certifying under the new framework will require practical guidance, and there are eight key questions an organisation should have answers to before participating in Privacy Shield.
Is your organisation eligible to join Privacy Shield?
In order for a US organisation to be eligible to participate in the Privacy Shield, it must be subject to the jurisdiction of either the US Federal Trade Commission (FTC) or the Department of Transportation (DoT).
Banks, financial institutions and non-profit organisations are generally not subject to the jurisdiction of the FTC and so are not eligible for participation in the Shield.
Both the FTC and the DoT will play major roles in the enforcement of the Privacy Shield framework. These limitations on eligibility demonstrate the continuing importance of other means to legitimise ex-EEA data exports such as Standard Contractual Clauses.
When will the Privacy Shield come into effect?
Similar to Safe Harbour, the Shield operates by way of voluntary self-certification. The US Department of Commerce (DoC) will begin accepting self-certifications from participating organisations from 1 August 2016. The principles laid down under the Shield will apply to organisations immediately upon certification. Participating organisations must subsequently self-certify on an annual basis to the DoC.
For organisations that are organised in terms of certification requirements and processes, nothing prevents them from being able to rely on the Shield in a matter of weeks from now.
Are there any benefits for US organisations that join the Privacy Shield early?
Yes. While the Privacy Shield principles apply to organisations immediately upon certification, there is one exception available for organisations with respect to the new onward transfer rules under the Shield, which are stricter than those that existed under Safe Harbour.
The European Commission recognises that organisations need time to bring existing business relationships with third parties into line with the new framework. Accordingly, transitional arrangements are available to organisations that join the Shield within two months of the Shield coming into force. If an organisation joins within this time, it will have nine months from the date of sign-up to negotiate contract amendments with third parties to ensure compliance with the onward transfer rules. This creates a real incentive and benefit for early joiners.
What is the independent recourse mechanism?
The Privacy Shield requires self-certifying organisations to provide an independent recourse mechanism to individuals to investigate and resolve complaints. This must be made available at no cost to the individual.
This alternative dispute resolution mechanism must be put in place prior to self-certification. Private sector dispute resolution programmes such as the Council of Better Business Bureau, TRUSTe, the American Arbitration Association, JAMS and the Direct Marketing Association may be used.
Alternatively, organisations may choose, as a recourse mechanism, to co-operate with EU data protection authorities (DPAs). Organisations that transfer human resources data as part of their self-certification, however, must use this mechanism and comply with advice given by EU DPAs regarding such data.
How do organisations verify compliance with the Privacy Shield?
Under the Shield, organisations are required to put procedures in place to demonstrate that assertions made about compliance with the Privacy Shield principles are true, and that stated privacy practices have been implemented. This can be done by way of self-assessment –which may be burdensome for many organisations – or by way of external compliance reviews.
Organisations must ensure they document all privacy practices and retain such records in the event that the records are required further to a complaint by an individual or an investigation by one of the US authorities.
Does our organisation need to appoint a designated contact for Privacy Shield queries?
Again, the short answer is yes. Each organisation self-certifying under the Shield must provide details of a contact for the handling of Privacy Shield-related complaints and queries.
Discretion is afforded as to who can be appointed within the organisation as the contact. For many, the most natural fit for this role may be the person who is certifying the organisation’s compliance with the Privacy Shield or the chief privacy officer.
What fees are payable under the Privacy Shield?
Aside from the costs an organisation will incur prior to self-certification in ensuring that the organisation is Privacy Shield-ready, there are a number of additional costs set out under the Privacy Shield framework that should be considered. These are:
- Alternative Dispute Resolution (ADR) fees: Under the Shield, organisations must designate an independent organisation to investigate and resolve complaints from individuals. This redress mechanism must be provided to individuals free of charge and organisations will be required to cover the costs of the ADR body.
- Arbitration fees: Arbitration is available as a last resort resolution to individuals under the Shield. Arbitration will be carried out by the Privacy Shield panel, which is a panel composed from a pool of at least 20 arbitrators chosen by the DoC and the European Commission. Organisations will be required to pay an annual contribution up to a maximum cap to cover the costs of arbitration.
- EU DPA panel fees: Organisations that commit to co-operate with and comply with advice provided by an informal panel of European DPAs will be required to pay an annual fee, up to a maximum cap of $500, to pay for the operating costs of the panel. As mentioned above, organisations that transfer human resources data as part of their self-certification under the Shield will incur this cost – these organisations must agree to comply with advice given by European DPAs regarding this data.
Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie, or contact a member of the Technology team for more information.
Want stories like this and more direct to your inbox? Sign up for Tech Trends, Silicon Republic’s weekly digest of need-to-know tech news.
Number 8 image via Shutterstock