Written By ESR News Blog Editor Thomas Ahearn
The EU-U.S. Privacy Shield Framework, designed by the U.S. Department of Commerce and the European Commission to give companies on both sides of the Atlantic that transfer personal data from the European Union (EU) to the United States (U.S.) a mechanism for complying with EU data protection requirements in support of transatlantic commerce, will officially launch on August 1, 2016. The official EU-U.S. Privacy Shield Framework website is now available online at www.privacyshield.gov.
The new website provides information to help U.S. organizations self-certify to the Privacy Shield Framework, and the Department of Commerce will begin accepting certifications at PrivacyShield.gov on August 1, 2016. Although the decision to join Privacy Shield is voluntary, an organization's public commitment to comply with the Privacy Shield Principles through self-certification is enforceable under U.S. law by either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT).
The EU-U.S. Privacy Shield Framework includes seven commonly recognized privacy principles combined with 16 equally binding supplemental principles that explain and augment the first seven. Together, the 23 Privacy Shield Principles lay out requirements for the use and treatment of personal data received from the EU by participating organizations, as well as the access and recourse mechanisms provided to individuals in the EU. The Privacy Shield Framework is at www.privacyshield.gov/EU-US-Framework and is organized as follows:
I. Overview
II. Principles
- 1. Notice
- 2. Choice
- 3. Accountability for Onward Transfer
- 4. Security
- 5. Data Integrity and Purpose Limitation
- 6. Access
- 7. Recourse, Enforcement and Liability
III. Supplemental Principles
- 1. Sensitive Data
- 2. Journalistic Exceptions
- 3. Secondary Liability
- 4. Performing Due Diligence and Conducting Audits
- 5. The Role of the Data Protection Authorities
- 6. Self-Certification
- 7. Verification
- 8. Access
- 9. Human Resources Data
- 10. Obligatory Contracts for Onward Transfers
- 11. Dispute Resolution and Enforcement
- 12. Choice – Timing of Opt Out
- 13. Travel Information
- 14. Pharmaceutical and Medical Products
- 15. Public Record and Publicly Available Information
- 16. Access Requests by Public Authorities
Annex I
- Introduction
- A. Scope
- B. Available Remedies
- C. Pre-Arbitration Requirements
- D. Binding Nature of Decisions
- E. Review and Enforcement
- F. The Arbitration Panel
- G. Arbitration Procedures
- H. Costs
The Privacy Shield provides a number of important benefits to participating U.S.-based organizations, which will be deemed able to provide “adequate” privacy protection, a requirement for the transfer of personal data outside of the European Union. In addition, compliance requirements are clearly laid out and cost-effective, which should particularly benefit small and medium-sized enterprises. Key new requirements for organizations participating in the Privacy Shield Framework will be:
Informing individuals about data processing
- A Privacy Shield participant must include in its privacy policy a declaration of the organization’s commitment to comply with the Privacy Shield Principles, so that the commitment becomes enforceable under U.S. law.
- When a participant’s privacy policy is available online, it must include a link to the Department of Commerce’s Privacy Shield website and a link to the website or complaint submission form of the independent recourse mechanism that is available to investigate individual complaints.
- A participant must inform individuals of their right to access their personal data, of the requirement to disclose personal information in response to lawful requests by public authorities, of which enforcement authority has jurisdiction over the organization’s compliance with the Framework, and of the organization’s liability in cases of onward transfer of data to third parties.
Providing free and accessible dispute resolution
- Individuals may bring a complaint directly to a Privacy Shield participant, and the participant must respond to the individual within 45 days.
- Privacy Shield participants must provide, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved.
- If an individual submits a complaint to a data protection authority (DPA) in the EU, the Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days.
- Privacy Shield participants must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
Cooperating with the Department of Commerce
- Privacy Shield participants must respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework.
Maintaining data integrity and purpose limitation
- Privacy Shield participants must limit personal information to the information relevant for the purposes of processing.
- Privacy Shield participants must comply with the new data retention principle.
Ensuring accountability for data transferred to third parties
To transfer personal information to a third party acting as a controller, a Privacy Shield participant must:
- Comply with the Notice and Choice Principles; and
- Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual, that the recipient will provide the same level of protection as the Principles, and that the recipient will notify the organization if it determines that it can no longer meet this obligation. The contract shall provide that when such a determination is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.
To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:
- Transfer such data only for limited and specified purposes;
- Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
- Require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
- Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
- Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
Transparency related to enforcement actions
- Privacy Shield participants must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.
Ensuring commitments are kept as long as data is held
- If an organization leaves the Privacy Shield Framework, it must annually certify its commitment to apply the Principles to information received under the Privacy Shield Framework if it chooses to keep such data or provide “adequate” protection for the information by another authorized means.
To be assured of Privacy Shield benefits, an organization must self-certify annually to the Department of Commerce via www.privacyshield.gov that it agrees to adhere to the Privacy Shield Principles. A brief guide to the self-certification process, which should be read in conjunction with the complete set of Privacy Shield Principles and which includes steps the organization must take prior to self-certification, is provided on the Privacy Shield website under the title “Guide to Privacy Shield Self-Certification.”
As reported earlier by ESR News, the 15-year-old international agreement called “Safe Harbor” that governed the transfer of the digital data of individuals between the EU and the U.S. was invalidated by a European Court of Justice ruling on October 6, 2015. The decision to invalidate Safe Harbor stemmed from the case of Maximillian Schrems v. Data Protection Commissioner, in which an Austrian citizen lodged a privacy complaint about his data being transferred to servers in the U.S. for processing.
Employment Screening Resources® (ESR) – a global provider of fast, accurate, affordable, and compliant background checks – is accredited by the National Association of Professional Background Screeners (NAPBS®) and completes an annual SOC 2® Type 2 Data Audit that confirms ESR meets high standards for protecting the security, confidentiality, and privacy of consumer information used for background checks. For more information about ESR, please call toll free 888.999.4474 or visit www.esrcheck.com.
NOTE: Employment Screening Resources® (ESR) does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.
© 2016 Employment Screening Resources® (ESR) – Making copies of or using any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.
The post New EU-U.S. Privacy Shield Framework for Data Protection Launches August 1 appeared first on ESR News Blog.