[BreachExchange] EU-U.S. Privacy Shield Framework Text Published: Imposes New Obligations on U.S. Entities that Seek Data Transfers from the EU

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 9 20:29:32 EST 2016


http://www.jdsupra.com/legalnews/eu-u-s-privacy-shield-framework-text-95548/

The European Commission (EC) has released
<http://www.ec.europa.eu/justice/newsroom/data-protection/news/160229_en.htm>
details of the EU-U.S. Privacy Shield, a new framework under which personal
data may be transferred from the European Union (EU) to the United States.
The Privacy Shield replaces the Safe Harbor framework, which was invalidated
<http://www.ballardspahr.com/alertspublications/legalalerts/2015-10-07-court-of-justice-of-the-european-union-invalidates-us-safe-harbor-framework.aspx>
by the Court of Justice of the European Union in October 2015. To join the
Privacy Shield framework, U.S. companies must self-certify that they are
compliant with a set of privacy principles. These principles are more
granular than the principles set forth in the Safe Harbor and, for many
companies, will require significant work to ensure compliance.

Under the Privacy Shield, participating U.S. companies must provide a
detailed disclosure of their collection and use of information collected
from individuals, including:

   - The purposes for which personal information is disclosed to third
   parties
   - The right of individuals to access their personal data
   - The independent dispute resolution body designated to address
   complaints
   - The fact that the company is subject to the investigatory and
   enforcement powers of the FTC or any other U.S. authorized statutory body
   - The fact that the company is required to disclose personal information
   in response to lawful requests by public authorities and the company's
   liability in cases of onward transfers to third parties
   - The possibility for individuals to invoke binding arbitration.

If requested in the course of a regulatory investigation, U.S. companies
will be required to make available their records on the implementation and
compliance with Privacy Shield requirements. U.S. companies transferring
data to a third-party processor must have contracts in place that protect
personal data of EU citizens. The Privacy Shield also includes provisions
to ensure continuity of privacy protections in the event of a corporate
merger or takeover.

In addition to being more granular than the Safe Harbor, the Privacy Shield
includes increased mechanisms for ensuring compliance. More specifically:

   - Under the Privacy Shield, companies are obligated to respond to
   individuals' complaints within 45 days and to comply with advice from the
   relevant EU data protection authorities (DPAs)
   - Companies must also provide a free-of-charge alternative dispute
   resolution mechanism for resolving individuals' complaints
   - The Federal Trade Commission (FTC) will make enforcement of the
   Privacy Shield a high priority and will enforce violations of the Privacy
   Shield requirements as an "unfair or deceptive act or practice" under
   Section 5 of the FTC Act
   - The Department of Commerce (DOC) will monitor false claims regarding
   participation in the Privacy Shield and issue warnings and other corrective
   actions, including pursuing legal recourse and referring matters to the
   FTC, Department of Transportation, or other enforcement agencies
   - DOC will conduct periodic compliance reviews and assessments of the
   Privacy Shield program
   - DOC will establish a dedicated contact for EU DPA complaints, and must
   respond to such complaints within 90 days
   - DOC will also establish an arbitration mechanism to be conducted by a
   Privacy Shield Panel whose decisions will be binding against certified
   companies
   - DOC, FTC, and other agencies will hold annual meetings with the
   European Commission and DPAs to discuss the Privacy Shield
   - The Department of State will appoint an independent ombudsman to
   address complaints and inquiries regarding any access of personal data for
   national security purposes.

Before it goes into effect, the Privacy Shield will need to be approved by
the Article 29 Working Party (expected to occur in mid-April) and by the EU
College of Commissioners, which will likely not occur until at least summer
of 2016. Companies that transfer personal information from the EU to the
United States and intend to use the Privacy Shield should consider taking
steps now to comply with the framework, as such steps may require
significant work. One such step is amending existing privacy policies to
comply with the enhanced notice requirement. In addition, companies that do
not have written policies and procedures that could be used to attest
compliance with the Privacy Shield principles should consider drafting such
policies now, or amending existing policies.