In the wake of last year’s European Court of Justice’s ruling invalidating the Safe Harbor framework, EU adoption of the Privacy Shield framework is still on schedule for June despite criticisms of the framework from both sides of the pond. This means if your organization intends to rely on the framework as a means of legitimizing personal data transferred from the EU to the US, there is no time like the present to take the necessary actions that will allow you to raise the shield soon after its adoption. If you need extra motivation to roll up your sleeves now, the framework gives organizations a nine-month grace period to bring third party contracts into compliance if they certify their adherence to the Privacy Shield Principles ("Principles") within two months of their adoption.
While all the Principles need to be carefully reviewed to determine what changes your organization must make before it can self-certify its compliance on the U.S. Department of Commerce website, this post focuses on a few of the Principles that warrant careful attention, even if your organization participated in the Safe Harbor framework.
Notice and Choice Principles
- Because the Notice and Choice Principles for Privacy Shield are more robust than those of the invalidated Safe Harbor framework, even if your organization was Safe Harbor certified, you will need to carefully review your organization’s publicly facing privacy statement and make any changes required to conform to the 13 Notice Principle requirements and the Choice Principle.
- If you have not done so already, you will need to establish and implement the underlying procedures necessary to meet these 13 Notice Principle requirements, including procedures for providing individuals with access to their personal data and a means to submit an inquiry or complaint to your organization. For the nuances of the access requirements, you will want to carefully review "The Access Principle in Practice" in the Supplemental Principles.
- It would also be wise to make sure your organization has written procedures for responding to government authority requests for disclosure of personal data and follows such procedures. Although they are not required by the Principles, having them will help you demonstrate a responsible, consistent approach to government requests if such disclosure ever comes into question by a DPA.
- To conform to the Choice Principle, your organization will need to provide "clear, conspicuous, and readily available mechanisms" by which individuals can opt out of their personal data being transferred to a third party (other than an agent under contract) or used for a purpose other than the one for which it was originally collected or later authorized by the individual. Note that for specified "sensitive" information, affirmative opt-in is required for transfer to a third party or use for a separate purpose.
- To be sure your choice obligations are being met, you will want to sit down with your marketing team and any other parts of your organization that handle personal data in scope to confirm that the necessary opt-outs or opt-ins are in place at personal data collection points and that the personal data is treated consistent with the choices made and purposes consented to by the individual. See the Data Integrity and Purpose Limitation Principle in this regard too.
Recourse, Enforcement and Liability Principle
- To meet the Recourse, Enforcement and Liability Principle you will need to make arrangements for an independent dispute resolution body, such as TRUSTe or the Better Business Bureau (or, if you are so inclined, an EU-based body or a panel of EU DPAs) to handle complaints free of charge to the complaining individuals. Yep, that will be another compliance-related budget item.
- Be sure that your company’s contracts involving the onward transfer of data in scope to third party controllers require the receiving controller:
  - (1) to process the data only for limited and specific purposes consistent with the data subject’s consent; and
  - (2) to provide the same level of protection required by the Privacy Shield.
- For contracts involving onward transfers to third party processors, be sure the contracts oblige the processors to process data in scope in accordance with your company’s obligations under the Privacy Shield.
- Conduct due diligence on service providers before entrusting them with personal data in scope. Does your organization have the right to audit their compliance with the Principles? Did they self-certify under the Privacy Shield? Better yet, have they been certified for Privacy Shield compliance by a reputable third party?
- Once you have made the changes to your policies, processes, and contracts required for compliance with the Principles on your way to self-certification or third-party certification, it would be a good idea to make a written record of the work you have undertaken for compliance so it will be available if requested during the course of an investigation or complaint. This record can also support the detailed compliance Verification required under the Supplemental Principles, especially if you choose to self-verify.
Privacy Shield Commitments Continue
- Make sure your organization’s management team is aware that as long as your organization retains data obtained under the Privacy Shield, it will need to adhere to its Privacy Shield commitments. Just another good reason why your organization should delete any personal data once it has served its purpose.
As you can see, there is lots to consider and do on your way to raising the shield, but hopefully this helps point you in the right direction. If you’d like to learn more about how Janrain is storing and protecting your data, feel free to reach out to your Account Manager or contact us.