Sunday, March 6, 2016

Has The U.S. Found A "Privacy Shield" That The E.U. Can Live With?

Regular readers know I've been writing recently (here and here) about the collapse of the EU/US data privacy Safe Harbor framework and the efforts to negotiate a trans-Atlantic resolution. This is a major issue for U.S. organizations that do business in Europe or with Europeans. 

On Monday (February 29), the U.S. Department of Commerce released a proposal (the "Privacy Shield") designed to "provide[] a set of robust and enforceable protections for the personal data of EU individuals." The Privacy Shield release is *just* 132 pages, which you can read here.

To rely upon the Privacy Shield framework, a U.S.-based organization would be required to self-certify to the Department of Commerce and publicly commit to comply with the Privacy Shield's requirements. While joining the Privacy Shield framework will be voluntary, once an organization undertakes to comply with the Framework's requirements, that commitment becomes enforceable under U.S. law. Key elements are outlined in a "fact sheet" here, including the following:
  • The Privacy Shield contains seven distinct categories of "principles," including notice, choice, accountability for onward transfer, purpose limitation, recourse, enforcement and liability, among others. (These should sound familiar to those who previously complied with the Data Protection Directive.)
  • U.S. entities will continue to self-certify.
  • U.S. entities will adopt a privacy policy statement which will become legally enforceable.
  • When a U.S. entity's privacy policy is available online, it must include a link to the Department of Commerce's Privacy Shield website and a link to the website or complaint submission form of the body that investigates individual complaints.
  • A U.S. entity must inform individuals of their right to access their personal data, of the requirement to disclose personal information in response to lawful requests by public authorities, of which enforcement authority has jurisdiction over the organization's compliance, and of the organization's liability in cases of onward transfer of data to third parties.
  • Privacy Shield participants must limit personal information to the information relevant for the purposes of processing. Additional personal information may not be collected and retained.
  • To transfer personal information to a third party acting as a data controller, a Privacy Shield participant must:
    • Comply with the Notice and Choice Principles.
    • Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles.
  • To transfer personal data to a third party acting as an agent, a Privacy Shield participant must:
    • Transfer such data only for limited and specified purposes;
    • Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
    • Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
    • Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
    • Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
  • Privacy Shield participants must respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework.
  • Privacy Shield participants must make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.
  • If an organization leaves the Privacy Shield Framework but chooses to keep data received under it, it must annually certify its commitment to apply the Principles to that data, or else provide "adequate" protection for the information by another authorized means.
There's still a big question mark: it remains genuinely uncertain whether the proposal will be approved (i.e., deemed "adequate") in Brussels. If the EU determines that the Privacy Shield framework is adequate, the U.S. Department of Commerce will begin accepting certifications from U.S. organizations promptly.