Transatlantic Personal Data Processing: Complying with the new EU-US Privacy Shield
0 likes1,492 views
In July 2016, the European Commission introduced the EU-US Privacy Shield, establishing a new framework for transferring EU citizens' personal data to the US, requiring organizations to adapt their privacy policies accordingly. Key principles include enhanced privacy measures, citizen rights for data access and complaints, and specific obligations for US public authorities regarding data collections. Businesses are urged to review their privacy policies, ensure compliance with the Privacy Shield principles, and take necessary actions to mitigate risks associated with data processing.
Transatlantic Personal Data Processing: Complying with the new EU-US Privacy Shield
- 1. In July 2016, the European Commission adopted its highly anticipated EU-US “Privacy Shield,” setting up a new data protection framework for organisations that transfer EU citizens’ personal data to the US. More than 4,000 organisations are expected to have to adapt their privacy policies and practices accordingly, and sign up to the new statutory requirements. Key Elements of the Privacy-Shield I. Enhanced Privacy Shield Principles In compliance with the new Privacy-Shield Agreement, organisations processing personal data from EU countries will have to self-certify their adherence to the following principles: The Notice principle - Companies will have to inform European citizens about the type of data they are collecting, including the purpose of their processing. Companies will also provide the links to the relevant data protection authorities and to the provider of an appropriate alternative dispute settlement on their website. The Choice principle - Individuals will have the right to object to the disclosure of their personal data to third parties and opt out, if desired. In the case of more sensitive data, companies will have to obtain express affirmative consent from individuals. The Security principle - The processing of personal data will have to be guaranteed under “reasonable and appropriate” security measures. The Purpose Limitation Principle - The collection of data will be limited to the sole purpose of its original intended use. The only exceptions are archiving in the public interest, journalism, literature and art, scientific and historical research and statistical analysis. The Integrity Principle - The processing of personal data will be limited to what is relevant for its intended use. It will have to be accurate, complete and current. The Access Principle - Individuals will be granted the right to access the information collected about them without need for justification and only against a non-excessive fee. Individuals will have the right to correct, amend or delete personal information that is inaccurate or has been processed in violation of the Privacy Shield Principles. The Accountability for Onward Transfer Principle - Any onward transfer of personal data from a company to controllers or processors will only be possible for limited and specified purposes. The Recourse, Enforcement and Liability Principle - Companies will have to provide robust mechanisms to ensure compliance and effective remedies. II. Reinforced citizens’ rights The US Department of Commerce will monitor and verify that the affected companies apply policies in line with the relevant Privacy Shield Principles. It will keep up-to-date a list of organisations which have signed up to the privacy shield and be responsible for removing those organisations that have either left the arrangement or failed to comply with the principles. Under the new agreement, any individual who considers that his or her data has been misused will have the right to lodge a complaint either with: the company itself, which will have to reply within 45 days; its national Data Protection Authority, which will refer the complaint to the US Department of Commerce, who in turn will have to respond within 90 days, or; any Alternative Dispute Resolution Mechanism, to which US companies will have to sign up at no cost to the individual. The whole functioning of the Privacy Shield in the US will also be subject to an annual joint review to be carried out by the European Commission and the US Department of Commerce, bringing together national intelligence experts from the US and the European Data Protection Authorities.
- 2. III. Obligations of US public authorities The Privacy-Shield also sets a certain number of limitations and safeguard mechanisms in the case of US intelligence services accessing EU citizens’ personal data for national security purposes. Most notably, these include the following: The collection of personal data for intelligence purposes will be authorised by statute or Presidential approval and in accordance with the US Constitution and Law. Individual data collection will be prioritised over bulk data collection – i.e. data collection affecting all individuals. Bulk collection will only be allowed where targeted collection via the use of discriminants is not possible and only in six very specific situations (such as the fight against terrorism or opposition to activities of foreign intelligence services which could damage US interests). The treatment of personal data will have to take into consideration the fundamental principles of dignity and respect for legitimate privacy interests. To complement these safeguards, the US authorities will establish a specific redress path for EU citizens via an Ombudsperson who will be independent from national security services. The Ombudsperson will follow up complaints and enquiries by EU individuals with respect to national security access, and confirm to the individual that the relevant laws have been complied with or, in case of non-compliance, that any non-compliance gap has been remedied. Suggested Actions for Businesses The principles-based statutory framework entails an obligation of results in terms of compliance. It reduces the uncertainty that has surrounded data-processing between the EU and US since the abolition by the European Court of Justice last October 2015 of the previous legal framework known as the EU-US “safe harbor” agreement, but does not immunize organisations processing personal data across the Atlantic against possible legal actions for alleged non- compliance, with direct repercussions on company reputation and the exposure vis-à-vis markets, stakeholders and public opinion in general to negative communication campaigns. To reduce such risk, and given the high sensitivity of the Europeans to data privacy, organisations wishing to begin or start processing European citizens’ personal data in the US, should consider the following actions with a view to assessing and adapting their privacy policies and practices throughout the whole organisation and in the context of third-party service providers. Action for Business Assess the adequacy of your current privacy policies with the above-mentioned Privacy-Shield Principles and adapt them accordingly. Assess and, if necessary, review external contractual clauses with third parties that receive personal data collected by your organisation to ensure that they provide the same level of protection as stipulated by the Privacy Shield Principles. Review and set up the appropriate internal governance to ensure that replies to potential complaints from EU citizens are answered within the time limit of 45 days, as well as inquiries and requests by the US Department of Commerce. Identify and register with an Alternative Dispute Resolution Provider which will have to be made available to European citizens at no cost. Register your organisation to the Privacy Shield list on the US Department of Commerce website, providing a declaration of the organisation’s commitment to comply with the Privacy Shield Principles. Publicize on your own website the link to your Alternative Dispute Resolution Provider, together with a link to the US Department of Commerce’s Privacy Shield website. Monitor implementation and renew the registration every year. Brussels, 20 July For more specific advice on EU developments and on possible actions to be taken within your organisation, please contact Leonardo Sforza Managing Director and Head EU Affairs, Brussels Leonardo.sforza@mslgroup.com +32 (0)2 737 92 00