In the digital era, EU data protection law may apply to U.S.-based companies with significant consequences. EU law generally prohibits the transfer of personal data from the EU to the U.S., unless the transfer is made in accordance with one of a very few authorized data transfer mechanisms or otherwise falls within one of its even fewer exceptions. This transfer restriction significantly impacts U.S. multinational companies’ everyday business activities, such as processing employees’ payroll data, as well as their ability to implement enterprise-wide initiatives, such as compiling internet marketing information.
As one of the few data transfer mechanisms that allowed transatlantic data transfer, the Safe Harbor framework was fairly popular among U.S. companies[1] because of its flexibility and low cost. Unfortunately for these businesses, the Safe Harbor arrangement was declared invalid by the Court of Justice of the European Union last October. After months of negotiation between the U.S. and the EU, as of Aug. 1, 2016, U.S. companies can self-certify to the Department of Commerce and join the EU-US Privacy Shield program – the functional successor to Safe Harbor. Like Safe Harbor, the Privacy Shield is expected to be the most popular way for businesses to carry out business while complying with transatlantic data transfer regulations. If your U.S.-based company employs EU citizens, or does business in the EU or with EU citizens (even by operating a website accessible by EU citizens), you should strongly consider self-certifying in order to take advantage of the benefits and protections afforded to Privacy Shield participants. The purpose of this post is to outline five key steps companies can follow to prepare themselves to take advantage of this new program.
Develop and Post a Privacy Policy that Comports with Privacy Shield Principles
Adopting a clear, concise and easy-to-understand privacy policy that conforms to the Privacy Shield Principles is an essential step to successfully obtaining this new certification. Among other things, this privacy policy must include:
- a link to the Privacy Shield website;
- a statement that your company adheres to the Privacy Shield Principles;[2]
- your company’s information handling practices and the choices your company offers individuals with respect to the use and disclosure of their personal information; and
- a hyperlink to the website of your independent recourse mechanism (see below).
Choose an Independent Recourse Mechanism
Adherence to the Privacy Shield Principles includes having a readily available independent recourse mechanism – that is, a process for investigating individuals’ complaints regarding the organization’s compliance with the Privacy Shield, at no cost to those individuals. Organizations may use private dispute resolution programs such as those offered by the Council of Better Business Bureaus, TRUSTe, the American Arbitration Association, JAMS, and the Direct Marketing Association, or may instead choose to cooperate and comply with the EU data protection authorities (DPAs). It’s worth noting that if your organization’s self-certification will cover human resources data, your organization must agree to cooperate and comply with the EU DPAs with respect to such data.
Establish a Mechanism for Verifying Compliance
Companies are required to establish and maintain follow-up procedures to ensure the representations they make in the privacy policy are true, and to verify that their internal privacy practices comply with the Privacy Shield Principles. Your company may use either a self-assessment or an outside/third-party assessment program.
Designate a Privacy Shield Contact Person
Companies are required to provide a contact for the handling of questions, complaints, access requests, and any other issues arising under the Privacy Shield. According to the Privacy Shield Principles, organizations must respond to a consumer within 45 days of receiving a complaint. If your company does not have at least one officer dedicated to handling privacy issues, it is a good time to retain one.
Assess Third-Party Data Sharing Practices and Contracts
If you use third-party vendors to process data from the EU, it is important to take time to assess your vendor management practices to ensure compliance with the Privacy Shield Principles, including by reviewing all your vendor contracts. Among other things, these contracts must provide that the data will be transferred only for limited and specified purposes, and will be given at least the same level of protection as is required by the Privacy Shield Principles. Organizations that join the Privacy Shield before October 2016 will have a nine-month grace period, starting from their certification date, to bring existing third-party contracts into conformity.
After these steps are followed, a U.S. company is ready to self-certify to the Department of Commerce by submitting certain information and paying an annual fee. Those that have self-certified will be able to rely on the Privacy Shield to transfer personal data from the EU to the U.S. while complying with EU data protection laws in a reliable, convenient and cost-effective way.
[1] More than 4,000 businesses relied on Safe Harbor to receive personal data of EU residents in compliance with EU cross-border data transfer rules.
[2] In their shortest form, Privacy Shield’s Principles include: notice; choice; accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability.