With data protection-related activity bustling around the world, from “Brexit” and GDPR enforcement to the approaching CCPA and exciting developments in the APAC region, it’s understandable to lose track of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
What follows are responses to the most frequent Privacy Shield inquiries TrustArc is hearing from our customers.
Is Privacy Shield Still Valid?
Yes – in fact, Privacy Shield is fast approaching its three year anniversary on July 12th. Since its 2016 adoption, Privacy Shield has remained a sound, scalable and steady legal transfer mechanism for U.S. entities seeking to receive personal data from the EU and/or Switzerland (with two successive approvals from the European Commission’s annual review process).
What Happened with the Earlier EU Parliament Rumblings and the Successful Annual Reviews?
While the EU Parliament had indicated concerns with the Privacy Shield arrangement, the Parliament actually does not have the authority to determine the adequacy of the Privacy Shield program. This authority is reserved exclusively for the European Commission (EC).
In July of last year the EC’s Justice Commissioner stated that a Parliament-requested suspension was “not warranted,” and further indicated that Privacy Shield is of “vital importance” to commerce and has “vigorous data protection requirements.”
Moreover, in its December 2018 report to the European Parliament and Council, the EC concluded that “the United States continues to ensure an adequate level of protection for personal data transferred under the Privacy Shield,” while further noting the improvements to Privacy Shield’s functioning since its previous annual review, along with steps it will continue to monitor.
Did the GDPR Replace Privacy Shield?
No – personal data transfers outside of the European Economic Area (EEA) are a key component of GDPR and Privacy Shield provides a way for U.S. organizations to address this, as Privacy Shield represents the European Commission’s determination that the United States provides an acceptable level of data protection essentially equivalent to that of the EU.
Would Brexit Invalidate Privacy Shield?
No – with the deadline for the United Kingdom to exit the European Union having been extended to October 31st, EU law will remain applicable in the U.K. until such an exit takes place, with Privacy Shield continuing to apply to U.K. personal data as it always has.
In the event the U.K. does leave, two scenarios are possible for Privacy Shield participants, as the U.S. Department of Commerce has addressed in a set of FAQs. Either an existing “transition period” will be agreed upon by the U.K. and EU, during which EU data protection law (and Privacy Shield) will continue to apply; or, in the event of a “no-transition period” immediate exit, Privacy Shield participants will need to update their privacy notice(s) to include reference to also relying on Privacy Shield for transfers from the U.K. Regardless of which scenario may ultimately play out, the status of the EU-U.S. Privacy Shield Framework will remain unchanged.
Lastly, where a participant had selected the EU Data Protection Authority panel for dispute resolution purposes, in the event of an exit, the organization would have to instead cooperate with the U.K. ICO for U.K. residents’ complaints.
What Does It Mean that Standard Contractual Clauses Are Being Challenged in Court?
Pre-approved model or standard contractual clauses (SCCs), the existing versions of which pre-date the GDPR, are also recognized under GDPR as a valid data transfer mechanism to non-EEA “third countries.” According to the U.K. ICO, the European Commission plans to update the existing SCCs for GDPR alignment, but until such amendment or replacement the existing SCCs remain in force and usable. However, the validity of current SCCs as a transfer mechanism to the U.S. is currently being challenged in the European Court of Justice in a case brought by Austrian privacy advocate Maximilian Schrems.
The eventual conclusions around questions considered by the Court theoretically could invalidate SCCs as an EU-to-U.S. data transfer mechanism, and could also impact the status of the Privacy Shield Framework.
However, most critically, the Privacy Shield Framework itself was developed in direct response to the requirements outlined by the European Court of Justice in response to a previous case brought by Schrems which invalidated the Safe Harbor program. Compliance with these new requirements was assessed and approved by the European Commission as a condition of its successful adequacy determination, which as noted earlier, has been reaffirmed in two successive reviews by the Commission.
Are There Differences Between Privacy Shield and SCCs?
Yes – whereas Standard Contractual Clauses (SCCs) are transaction-based and apply only as between the specific parties signing them, an organization’s Privacy Shield self-certification is applicable to the receipt of any EU/Swiss personal data flows. This can save time and cost for businesses (especially for SMEs and start-ups). Privacy Shield also affords individuals an independent recourse mechanism, which is beneficial for consumers, partners and employees.
In light of the above, Privacy Shield continues its status as a Commission-supported option for U.S. businesses seeking an established, cost-effective, scalable and agile means of protecting and receiving personal data from the EU and Switzerland.
For further information, including how your company can undertake a formal verification of its privacy program against the Privacy Shield Frameworks’ Principles, contact TrustArc today.
Last week TRUSTe held a webinar “Privacy Shield Self-Certification – What’s Next?” as part of its Privacy Insight Series. If you missed the webinar you can still sign up to receive the on-demand recording and the slides.
Our speakers, David Fowler, Chief Privacy & Digital Compliance Officer, Act-On Software; Amanda Gratchner, Global Privacy Counsel, NAVEX Global; and K Royal, Senior Privacy Consultant at TRUSTe discussed several different ways to enhance everything from your policies to your Privacy Impact Assessments by leveraging your Privacy Shield Certification. They also discussed how to use the Certification toward compliance with other frameworks, such as the EU General Data Protection Regulation (EU GDPR).
Here are three practical tips our speakers shared:
1. Create a Uniform Destruction and Retention Policy.
When conducting your data mapping and inventory exercise, pay special attention to destruction and retention policies so that any replicated data is treated the same.
2. Simplify Privacy Policies.
Eliminate any policies with grandiose language that cannot be enforced. Make re-certifying next year easier by fine-tuning your policy as the organization changes.
3. Better Manage Vendors.
Feed subcontractor audit methodology into your PIAs so that your privacy program becomes an overarching framework covering the entire data lifecycle.
TRUSTe delivers solutions to help your organization meet Privacy Shield requirements, and many others, such as the EU GDPR.
Last month the United States Department of Commerce and Switzerland’s Federal Council declared that the new Swiss-US Privacy Shield Framework will be the successor to the Swiss-US Safe Harbor framework. The Swiss-US Safe Harbor framework was declared invalid in October 2015 following the European Union Court of Justice’s decision that the EU-US Safe Harbor was an inadequate legal mechanism for personal data transfers to the US. Since then, officials have drafted the new framework to ensure that the Swiss-US Privacy Shield Framework improves upon the U.S.-Swiss Safe Harbor framework by including stricter data protection principles. These include enhanced requirements around notice, onward transfers and data retention, improved management of the framework by US authorities, and new mechanisms for individuals to obtain recourse for violations.
While the replacement occurred immediately, the Department of Commerce will begin accepting certifications on April 12, 2017 so that organizations have time to review the new Swiss-US Privacy Shield Principles.
The mechanism for personal data transfers from member countries of the European Economic Area (EEA) is the EU-US Privacy Shield, and because Switzerland is not a member of the EEA, Swiss and US officials developed this separate agreement. Although the two agreements are separate, the Swiss-US Privacy Shield framework parallels the EU-US Privacy Shield framework in many ways. The Federal Council stated that “the fact that the two frameworks are similar is highly significant, as it guarantees the same general conditions for persons and businesses in Switzerland and the EU/EEA area in relation to trans-Atlantic data flows.”
While the two agreements are similar in many ways, there are still some areas where the two agreements vary. Organizations should not assume that certification for EU-US Privacy Shield translates directly to certification for Swiss-US Privacy Shield. An assessment and verification should be conducted for an organization’s privacy posture against the new Swiss-US framework.
TRUSTe has assessment and verification solutions. As of February 2017, TRUSTe has helped over 350 companies with their EU-US Privacy Shield needs, and plans to provide Swiss-US assessments as well. To find out more, contact us.
Last week we gave you the facts to dispel three common misconceptions about Privacy Shield. This week we are including three more.
1. Model Contractual Clauses (MCCs) & Standard Contractual Clauses (SCCs) are easier than certifying for Privacy Shield.
While your company may have invested in MCCs or SCCs when Safe Harbor was nullified, your work does not stop there. You need to continue updating your contracts on an ongoing basis to ensure continuing compliance. Sabina Jausovec Salinas, Corporate Counsel at Rackspace and Debbie Bromson, Head of Global Privacy at Jazz Pharmaceuticals spoke about why they chose Privacy Shield for their organizations; the webcast recording is available here.
2. MCCs / SCCs are the safest way to go.
The continuing validity of MCCs is now being considered by the European Court of Justice (ECJ). Privacy Shield was drafted by US and European officials specifically to ensure it met the requirements as laid out in the ECJ’s Schrems decision. Many companies who have MCCs / SCCs in place view Privacy Shield as an added layer of protection against new legal action.
3. Privacy Shield Compliance = GDPR Compliance.
While the principles necessary to comply with Privacy Shield are similar to many of the data protection safeguards necessary for GDPR compliance, Privacy Shield only addresses one of the many components of the GDPR (i.e., International Data Transfer) as depicted in this image.
Even with a Privacy Shield certification, you still need to address the remaining components of the GDPR, including DPO Appointment, Consent, PIAs, and many more.
TRUSTe offers several Privacy Shield Compliance Solutions and GDPR Solutions. To schedule a consultation and learn how Privacy Shield Certification can help your organization, contact us.
Here are 3 Misconceptions about Privacy Shield and the facts you should know.
1. I missed the deadline to certify for Privacy Shield.
Although the deadline to qualify for the onward transfer requirements’ grace period ended September 30th, it is not too late to certify. While there is no deadline to self-certify, if you have clients and/or employees in Europe, you will need to make use of one of the recognized transfer mechanisms to process that data outside of Europe.
In addition to these regulatory obligations, your company may start to face pressure from clients or business partners to get the certification. Just as many companies required their suppliers and partners to be Safe Harbor certified, expectations around Privacy Shield are likely to be the same. Privacy Shield provides a visible way for companies to demonstrate their compliance with EU data transfer rules.
2. The grace period for onward transfer covered the bulk of Privacy Shield requirements.
Onward transfer is only one of many Privacy Shield requirements. Companies still have to ensure all of the other requirements are met, such as: notice, choice, security, data integrity & purpose limitation, access, recourse, and enforcement & liability. So while you missed the grace period, it only addressed one portion of the overall requirements.
3. Privacy Shield is only for my customer data.
If you have employees in the EU, you also need to consider Privacy Shield for your HR data. This is a separate certification which you can add at any time to your existing listing with the Department of Commerce. Currently, over 300 companies are on the Privacy Shield list, many of which are using this approach to facilitate compliance with customer and HR data requirements.
TRUSTe offers a comprehensive Privacy Shield Assessment and Verification program. To schedule a consultation and learn how Privacy Shield can help your organization, contact us.