[Things don’t stand still in the world of data privacy. Check out our updates: https://www.techcontracts.com/2023/07/21/personal-data-transfers-schrems/, Spring Cleaning: Fix Contract Terms for Data Transfers From The UK; The Clock is Ticking: Are Your Contract Terms Out-of-Date for Transfers of Personal Data Subject to the GDPR?; Third Time Lucky? Personal Data Transfers between the U.S., EU, UK; Draft EU “Adequacy Decision” for Data Transfers to U.S. Now What?]

By Jennifer L. Sheridan, Esq.

My last post on Data Privacy discussed the best practice of adopting a US and EU law compliant privacy policy in the context of BizConnect, a hypothetical startup software company. This post examines self-certifying as compliant with the U.S. Privacy Shield.

What is the Privacy Shield and Why should you self-certify?

Privacy Shield is a program administered by the United States Department of Commerce. It provides U.S. companies doing business with European Union customers with a means to comply with EU’s “adequate protections” law.

EU personal data may not be exported to any non-EU country unless that country provides adequate protections. Some non-EU countries have obtained certification that they’re adequate. The U.S. has not. So U.S. companies have to certify that their own data protection systems are adequate.

There are three mechanisms for U.S. companies to meet the adequacy test:

1. Self-certify under the U.S. Privacy Shield;
2. Adopt the EU Model Clauses for all contracts with EU data exporters; and/or
3. Adopt Binding Corporate Rules for your enterprise.

A future post will address the Model Clauses — and specifically how the GDPR requires amendments to the Model Clauses. As for the Binding Corporate Rules (BCR), they make sense for large enterprises, rather than small companies. BCRs must be approved by ED Data Protection Authorities (DPAs) and usually take over a year to implement. When I use the term “Model Clauses,” it is interchangeable with the EU approved Standard Contractual Clauses.

You should self-certify because then your U.S. business will meet the adequacy test without needing to enter into model clauses with EU customers (acting as data exporters).

Two Words of caution:

1. The Privacy Shield mirrors many aspects of the GDPR, but it is not meant to cover all the GDPR. So simply self-certifying will not mean that you’re GDPR compliant. For example, the GDPR requires that data processors obtain the prior consent of the data controller before using sub processors. If you only followed the Privacy Shield, you would not think you need that prior consent. A later post will discuss how to review and update supply chain agreements to be GDPR compliant.
2. This is a self-certification; if it is not done correctly, it is not valid. By self-certifying, you agree that all representations will have the force of law and the FTC may enforce any violations. The FTC has assured the EU that they will take enforcement very seriously.

I have seen companies self-certify and then post privacy policies that don’t comply with the Privacy Shield principles. They’re setting themselves up for an FTC investigation, which will be very costly and time consuming.

BizConnect, the hypothetical software company introduced in an earlier post, has decided to self-certify for the Privacy Shield. Below are the steps BizConnect needs to go through to self-certify.

Key compliance steps to Privacy Shield

1. Comply with 7 main principles and 16 supplemental principles detailed below.
2. Update privacy policies to ensure compliance with principles detailed below.
3. Review (and set up if not in existence) contracts with third party data controllers, data processors, and sub processors (if applicable) to include specified terms detailed below;
4. Draft internal policies to support the principles for ensuring data subjects’ access to personal data (for certain purposes). Follow data retention and deletion policies, implementing processes and timetables for responding to internal complaints, audits, and assessment procedures.
5. Conduct training to support #4 above. For example, there is a requirement to respond within 45 days to a user’s complaint. Company needs to be able to demonstrate it has a designated person, and has trained them internally on response protocols.
6. Sign up to a third-party dispute resolution provider or commit to cooperate with the European DPA’s.
7. Annually certify compliance with the Privacy Shield.

Under the verification requirement, organizations will need to ensure they remain certified to the Privacy Shield in years to come, and they will need to carry out annual assessments of their compliance with Privacy Shield principles. Annual assessments can be carried out in-house (e.g. a signed evaluation by a corporate officer) or through a third-party compliance review (which might involve audits, random reviews, use of decoys, and other technology).

The Privacy Shield’s seven principles

Below is an outline of the Privacy Shield’s seven principles and its requirements.

1. Notice

• Have a link to the Privacy Shield website.
• Expressly commit to the Privacy Shield principles and enforcement structure.
• Describe what personal data is collected.
• Describe how the personal data is it used.
• Disclose who else gets disclosure of the personal data.
• Describe how users can lodge complaints including whether there is an independent dispute resolution body or company is selecting the DPA panels.
• Disclose company is subject to jurisdiction of the FTC.
• Disclose the possibility under certain circumstances of the data subject to invoke binding arbitration.
• Include the requirement to disclose personal data to lawful authorities.
• Disclose liability for onward transfers of personal data.

2. Choice

• Where personal data will be disclosed to 3rd parties or used for a different purpose than originally collected, there must be a clear and conspicuous opt out mechanism to consent.
• If the personal data is classified as sensitive information, then either of the above two scenarios requires express opt in consent.

3. Onward Transfer

All third party contracts between data controller and data processor as well as data processor and sub processor(s) must:

• Provide that the processing is restricted to the limited purpose of processing consistent with the original consent.
• Provide same level of protection as under Privacy Shield.
• Provide that data processor notifies data controller if it cannot meet these obligations.

4. Security protections

• Reasonable and appropriate measures to protect personal data from loss, misuse, or unauthorized access, disclosure, alteration and destruction taking into due account the risks involved in the processing and the nature of the personal data.

This is somewhat flexible and open-ended; however, companies are advised to conduct a DPIA to determine gaps and weaknesses and consider encryption for data in transit.

5. Data Integrity and Purpose

• Do not over-collect personal data.
• Do not keep personal data longer than reasonably necessary for the purposes of processing.

6. Access

• Users need access to amend, correct, or delete personal data.
• Some exemptions where burden and expense of meeting these requirements would be disproportionate to the risks to the individual’s privacy interests.

7. Recovery, enforcement, and liability

• Must respond to data subject complaint within 45 days.
• Must provide an independent recourse mechanism to individuals to investigate and resolve complaints (e.g. TRUSTe or BBB). Alternatively, companies can expressly agree to cooperate with the applicable EU DPA for the country where the personal data originated.
• Accept binding arbitration for users who request it.
• Verify every year with U.S. Privacy Shield.
• Conduct annual assessment of compliance either internally or with outside third party.

Many of the above requirements will be contained in BizConnect’s privacy policy, such as the notice, access, and enforcement obligations. However, many requirements need to be reflected in its internal policies and practices such as a) appropriate security controls; or b) data integrity practices. Others, such as the onward transfers obligations, mean BizConnect needs to audit its contracts and ensure that it has the appropriate contracts in place.

There are 16 supplemental principles. Many of them are specific to certain types of data or they clarify and augment the principles above. They can be found here.

Below is some helpful information about preparing to complete the Privacy Shield application, what is needed in the onward transfer contracts, and sample language to include in your privacy policy AFTER you have completed the self-certification process.

Information needed to Self-Certify Under the Privacy Shield

To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield that contains at least the following information:

1. Name of organization, mailing address, e-mail address, telephone, and fax numbers.
2. Contact information for corporate representative and corporate officer (could be the same).
3. Description of the activities of the organization with respect to personal information received from the EU, including: (a) what types of personal data does your organization’s Privacy Shield cover? [Note special attention if HR data is included]; and (b) a brief description of the purposes for which your organization processes personal data in reliance of the Privacy Shield, including the types of personal data, and if applicable, type of third parties to whom it is disclosed.
4. What is the independent recourse mechanism available to investigate unresolved complaints? Or if you do not select a private third party, you can choose to select to cooperate with the applicable DPAs and be subject to a DPA panel.
5. Description of the organization’s privacy policy for such personal information, including: (a) if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public; (b) its effective date of implementation; (c)  a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield; (d) the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy either FTC or Dept of Transportation; (e) the name of any privacy program in which the organization is a member; f)  the method of verification (e.g., in-house, third party); and (g)  the independent recourse mechanism that is available to investigate unresolved complaints or the selection of DPA panels.

What is needed in Data Processing Contracts (often referred to as Data Processing Addendums) to meet the onward transfers principle

1. A written contract. When personal data is transferred from the EU to the United States only for processing purposes, a contract will be required, regardless of participation by the processor in the Privacy Shield.

2. The purpose of the contract is to make sure that the processor: 

• Acts only on instructions from the controller; 
• Provides appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alternation, unauthorized disclosure or access, and understands whether onward transfer is allowed; and 
• Takes into account the nature of the processing and assists the controller in responding to individuals exercising their rights under the Principles. 

3. Provide same level of protection as under Privacy Shield. Because adequate protection is provided by Privacy Shield participants, contracts with Privacy Shield participants for mere processing do not require prior authorization (or such authorization will be granted automatically by the EU Member States), as would be required for contracts with recipients not participating in the Privacy Shield or otherwise not providing adequate protection.

Sample language to include in your privacy policy regarding notice of US Privacy Shield

(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework and/or the Swiss-U.S. Privacy Shield  Framework(s), as applicable) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and/or Switzerland, as applicable) to the United States.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

This post was originally published here and has been republished with permission.

Jennifer Sheridan is an attorney. She serves as Of Counsel with Sycamore Legal, P.C., a San Francisco IT and IP boutique law firm founded by David Tollen, who also founded Tech Contracts Academy. Jenny specializes in technology contracts and privacy.

© 2019 by Tech Contracts Academy, LLC. All rights reserved.

Thank you to Pixabay.com for great, free stock images!