On February 29th, the European Commission (the “Commission”) published the details of the new EU/US Privacy Shield program (“Privacy Shield”) which is intended to replace the EU/US Safe Harbor (“Safe Harbor”) program that was found to be inadequate by the European Court of Justice (“ECJ”) in October. The Commission also released a draft opinion which, if adopted, would find the new Privacy Shield to be an adequate means of transferring personal data from the EU to companies in the US that elect to participate in the new program. The Privacy Shield will not become effective until the final approval of the Commission’s adequacy determination, which is not expected for several months.
The new Privacy Shield builds upon and “enhances” the requirements of the old Safe Harbor program. Participation in the Privacy Shield, like Safe Harbor before it, will be limited to organizations subject to the investigatory and enforcement authority of the Federal Trade Commission or the Department of Transportation (other US enforcement agencies may be added later). Fees for participating in the Privacy Shield have not yet been announced, nor has the date when the Department of Commerce will begin to accept certifications for participation in the Privacy Shield.
Like Safe Harbor, the Privacy Shield is organized around the seven primary principles: Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability. Of course, under many of the Privacy Shield Principles there are enhanced obligations. The Privacy Shield also includes a series of “supplemental principles” which replace the Frequently Asked Questions that were used in the Safe Harbor program (discussed below).
The Privacy Shield will involve enhanced obligations in a number of areas, including:
- Notice. Organizations will be required to address 13 points laid out in the enhanced notice principle, including information about its participation in the Privacy Shield, its information practices, and information about how the organization’s promises can be enforced and the organization’s potential liability for failures to comply.
- Accountability and Onward Transfer. The Privacy Shield includes significant enhancements to the Safe Harbor’s Onward Transfer Principle, which governs how the personal information may be transferred by a Privacy Shield participating company to other parties.
- Contracts will be required for transfers of personal information by a Privacy Shield participant to third-party controllers.
- In the case of transfers to service providers (referred to as third-party agents in the Privacy Shield documents) contracts will be required and participating companies will be required to take reasonable and appropriate steps to ensure that their agents effectively process the data transferred. Participating companies also will be required to take steps to address unauthorized processing by third-party agents and provide the Department of Commerce, upon request, with a summary or representative copy of the privacy provisions of its contracts with its third-party agents.
- Organizations that self-certify for participation in the Privacy Shield within two months of its effective date will have up to nine months from the date they certify to bring existing relationships with third parties into compliance.
- In addition, a participating company will remain liable under the Principles if its agent processes personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
- Recourse, Enforcement and Liability.
- Participating organizations will continue to have the option to select an independent third-party dispute resolution mechanism, as was the case under Safe Harbor. Third-party dispute resolution providers will have new obligations, such as annual reporting requirements. Human resources data is still subject to mandatory cooperation with the EU DPAs for dispute resolution.
- The FTC has committed to giving priority to Privacy Shield Complaints from the DPAs, third-party independent dispute mechanisms, and the Department of Commerce.
- Participating organizations also must provide information relating to the Privacy Shield when requested by the Department of Commerce and organizations must respond expeditiously to complaints regarding their compliance that are referred through the Department by the DPAs.
- A new binding arbitration program is being created (discussed further below).
- Right to Arbitration. Under the Privacy Shield, an individual has the right to initiate arbitration as a “residual” remedy if other dispute resolution mechanisms fail to resolve the issue.
- The limited purposes of the arbitration are: (a) to determine whether the company has violated its obligations under the principles; and (b) whether any such violation remains fully or partially unremedied.
- The arbitration panel is not authorized to impose monetary relief, but has the authority to impose only individual–specific non-monetary equitable relief.
- Prior to initiating arbitration, an individual is required to file an internal complaint with the implicated company, seek recourse through an independent recourse mechanism (other than arbitration), and file a complaint through the DPAs.
- The ultimate arbitration decision is binding—barring claims for monetary damages otherwise available in the courts. Either party may seek to set aside or enforce the award pursuant to the Federal Arbitration Act. The venue for such action would be in the Federal District Court where the primary place of business of the company is located.
- The Department of Commerce and the European Commission will develop a list of at least 20 arbitrators. The arbitrators must be independent and qualified U.S. lawyers with experience in privacy law. The arbitral rules will be developed by the Department of Commerce and the European Commission based on an existing set of rules (such as AAA or JAMS). The rules must provide that: (1) the individual exhausted his remedies prior to initiating arbitration, (2) there is no duplication of remedies and procedures; (3) FTC action may proceed in parallel; (4) governmental bodies cannot participate in the arbitrations; (5) the location will be in the U.S. but the individual may participate by video or telephone; (6) language of arbitration will be English but a free translation may be available to the individual; (7) arbitration will be confidential; (8) discovery may be available; and (8) arbitration should be completed within 90 days of the notice.
- The cost of arbitration will be covered from a fund financed by contributions from the companies participating in the Privacy Shield. Attorney’s fees are not covered by the fund. The amount of contributions will be based on the size of the company and determined annually by the Department of Commerce and the Commission.
- Pharmaceutical and Medical Products. One of the 16 supplemental principles that supplement the seven primary Privacy Shield principles addresses pharmaceutical and medical products. The Supplemental Principle addresses a range of issues relevant to pharmaceutical and medical products, including when EU law or Privacy Shield requirements apply; conditions for the use of personal data from research studies for future scientific research; what happens when a participant withdraws from a clinical trial; transfers of personal data for regulatory and supervisory purposes; “blinded” studies; product safety and efficacy monitoring; and key-coded data. The substantive content is the same as the frequently asked question set for the original Safe Harbor program on the same topic.
- Enhanced Role for The Department of Commerce. The Department of Commerce will have an enhanced role in administering the Privacy Shield program. Including:
- Verifying information provided as part of the self-certification process;
- Verifying participation in a third party dispute resolution mechanism;
- Expanding follow-up efforts with organizations that cease to participate in the Privacy Shield;
- Searching for and address false claims of participation in the Privacy Shield;
- Conducting periodic compliance reviews and assessments of the program;
- Tailoring its Privacy Shield website for different audiences (EU citizens; EU businesses, and US businesses);
- Increasing cooperation with the DPAs;
- Facilitating resolution of complaints received from the DPAs;
- Establishing the arbitration program (discussed above); and
- Participating in annual reviews of the Privacy Shield with EU officials.
- Government Surveillance. The program also addresses mechanisms for handling complaints from EU citizens about the practices of the National Security Agency and other agencies, including an Ombudsman at the State Department to address complaints from EU citizens that are submitted by EU officials.