EU Data Transfer Plan Requires Stronger Privacy Policies


By Jimmy H. Koo

Aug. 3 — U.S. companies considering enlisting in the recently opened European Union-U.S. Privacy Shield data transfer program must ensure their privacy policies meet more robust data protection requirements than the predecessor U.S.-EU Safe Harbor program.

The most significant changes are new requirements around onward transfers, notice and novel recourse and verification mechanisms, privacy attorneys and professionals told Bloomberg BNA.

The Privacy Shield—for which the U.S. Department of Commerce began taking applications Aug. 1—may provide cost effective data transfer solutions for some U.S. companies, but it should be part of a larger portfolio of data transfer mechanisms, the privacy pros said.


EU and U.S. officials approved the new trans-Atlantic data transfer pact July 12 (15 PVLR 1478, 7/18/16). The Privacy Shield is the much anticipated replacement for the defunct Safe Harbor program, which the ECJ invalidated in October 2015 on the basis that it failed to sufficiently protect the privacy of EU data subjects (14 PVLR 1825, 10/12/15).

Unlike the Safe Harbor, the Privacy Shield “has teeth,” Tanya Forsheit, partner and co-chair of the Privacy & Data Security group at Frankfurt Kurnit Klein & Selz in Los Angeles, told Bloomberg BNA.

Self-Certification Requirements

The Privacy Shield requires adherence to seven primary principles:

  •  notice;
  •  choice;
  •  accountability for onward transfers;
  •  access;
  •  security;
  •  data integrity and purpose limitation; and
  •  recourse, enforcement and liability.

The principles aren't different from the Safe Harbor's, but now companies should be making “a serious commitment,” Forsheit said. Enforcement authorities will be watching, and companies must have recourse mechanisms built into their privacy framework, she said.

Gabe Maldoff, Westin Fellow at the International Association of Privacy Professionals, told Bloomberg BNA that to obtain Privacy Shield certification, organizations are required to implement processes for handling complaints and verifying adherence to the Privacy Shield Principles. Companies may choose from various independent recourse mechanisms that give consumers access to effective remedies in the case of a violation, including third party dispute resolution bodies located in the U.S. or in the EU, or a panel of EU Data Protection Authorities, Maldoff said.

San Francisco-based data privacy management company TRUSTe, for example, can serve as the independent recourse mechanism, TRUSTe Chief Executive Officer Chris Babel told Bloomberg BNA. “TRUSTe recently updated its certification standards to align with the Privacy Shield Principles, and is helping companies assess their privacy practices and policies in preparation for self-certification with the Department of Commerce,” he said.

Babel said that “broadly speaking, there are two categories of information that a company needs to provide in their privacy statement: information concerning how they handle data and information regarding consumer’s redress and enforcement options.” Companies must identify the types of personal data collected, the purpose for which it was collected, and the third parties to which the information is disclosed and why, he said.

Maldoff said that “beyond what was required by Safe Harbor, organizations will have to state their commitment to adhere to the Privacy Shield along with the rights and remedies available to consumers, such as rights of access, recourse mechanisms, arbitration and Federal Trade Commission jurisdiction.”

Part of a Portfolio

For companies that participated in the invalidated Safe Harbor program, migration to the Privacy Shield framework shouldn't be difficult and may provide “business flexibility and expediency,” James H. Koenig, of counsel in the Privacy and Cybersecurity practice at Paul Hastings in New York, and Brent Hoard, director in the Privacy & Cybersecurity practice at Paul Hastings in New York, told Bloomberg BNA. The Privacy Shield provides blanket approval of data transfers and acts as a “compliance catch-all,” they said.

However, participation in the Privacy Shield framework isn't a must-do for all companies and organizations, Koenig and Hoard said. Companies should utilize the Privacy Shield framework as a part of their portfolio of data transfer mechanisms, including standard contractual clauses and model contracts, they said.

Following the invalidation of the Safe Harbor and before the finalization of the Privacy Shield, many companies used model contracts and are still using them, Koenig and Hoard said. For many companies, continuing to use model contracts may be “practical,” they said.

Forsheit said that self-certifying under the Privacy Shield is “not a necessity” for all companies as other mechanisms remain legal. Another option for companies is using binding corporate rules, Forsheit said. However, binding corporate rules may be time-intensive to create and companies have to obtain approval from data protection authorities, she said.

Privacy Shield Benefits

Koenig and Hoard said that although the Privacy Shield may have costs, it does have its benefits.

In the long run, using model contracts becomes too expensive to maintain, they said. Privacy Shield is a “cost effective alternative,” Koenig and Hoard said.

Forsheit said that companies that decide to participate in the Privacy Shield should first designate someone to be in charge of ensuring compliance and to “drive the program” before self-certifying.

“You have to implement before verifying,” she said. Although the person or the department in charge may depend on the organization, she said, tapping someone in the C-suite is desirable. “This demonstrates the company's accountability,” Forsheit said.

Babel advised companies to make sure they have “properly inventoried and assessed” their privacy policies and practices. “Once you are confident that your internal practices are in order, making sure that these practices are sufficiently and clearly expressed in your consumer-facing privacy statement will be essential,” Babel said.

To contact the reporter on this story: Jimmy H. Koo in Washington at

To contact the editors responsible for this story: Donald G. Aplin at ; Daniel R. Stoller at .

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
