As previously described on the TrustArc Blog (“ Privacy Shield Approaching Its 3 Year Anniversary”, the European Union (EU)-U.S. Privacy Shield Framework has received two successive annual approvals from the European Commission (EC) since its July 2016 adoption, and currently serves as an EU-to-U.S. personal data transfer mechanism for more than 4,700 U.S. organizations.
Separately, pre-approved standard contractual clauses (SCCs), the most recent version of which was issued in 2010, are also recognized by the EC as valid transfer mechanisms to non-European Economic Area “third countries.” On June 13th, the European Commissioner for Justice and Consumers confirmed in a speech that SCCs are in the process of being updated for the post-GDPR world: “We are already working to modernise standard contractual clauses. This will make it easier for companies to share data when they contract processing services, within the EU or abroad.”
This update to SCCs is occurring concurrently with a legal action challenging the validity of SCCs as a transfer mechanism to the United States, in a case brought against Facebook Ireland by Austrian privacy advocate Maximillian Schrems. The case, dubbed Schrems II?—following the 2015 decision of the European Court of Justice (ECJ) that resulted in the invalidation of the EU-U.S. Safe Harbor Agreement on grounds that it did not provide EU citizens with protections “essentially equivalent” to that of the EU due to U.S. intelligence agencies’ surveillance practices, and thus that any EU-to-U.S. personal data transfers made on that basis were not legal–proceeds to oral arguments before the ECJ on July 9th. In this case, the Irish High Court has referred eleven questions to the ECJ relating to whether entering into SCCs, by itself, provides an adequate level of data protection for EU personal data transferred to the U.S. The Irish Supreme Court recently dismissed Facebook’s appeal of the Irish High Court’s decision to refer these items to the ECJ.
Meanwhile, the EU-U.S. Privacy Shield Framework is similarly undergoing a legal challenge on grounds that the United States does not adequately protect EU citizens’ personal data by virtue of U.S. intelligence agencies’ activities. The case, brought by three French non-governmental organizations, seeks to revoke Privacy Shield as a valid EU-to-U.S. personal data transfer mechanism as occurred with Safe Harbor in Schrems I. On July 1-2, the NGOs will argue before the General Court of the EU that Privacy Shield is not “essentially equivalent” to EU data protection law, even if it is more protective than Safe Harbor was. The losing party in this matter could then appeal to the ECJ for a final determination.
Decisions in both matters are expected within a year or less. It is unclear what effect, if any, the entry into force of new European Commission-approved SCCs would have on the ripeness of the case if introduced prior of the ECJ’s Schrems II ruling. Moreover, in the event the ECJ were to eventually invalidate both SCCs and Privacy Shield–the latter of which was specifically drafted by EU and U.S. officials to withstand judicial scrutiny—it is uncertain what course of action most organizations–small and medium-sized enterprises in particular—would undertake to effectuate their data transfers. With binding corporate rules (BCRs) and reliance on derogations such as explicit consent for cross-border data transfers being expensive, time-consuming or disfavored options for many businesses, it remains to be seen what effect on digital commerce such legal actions would have in practice (including with respect to data transfers to the U.K., in the event of an eventual “Brexit”). TrustArc will continue to follow developments closely and will provide regular updates.
This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform. To learn how you can get full access to the daily newsfeed, contact us today!
The U.S. Department of Commerce recently issued a communication highlighting the growing industry interest in participating in both EU-U.S. and Swiss-U.S. Privacy Shield certification programs. There are currently over 3,300 organizations in the program and over 1,000 more who have submitted their first time certification applications in recent months – which will likely bring the number of participants to over 4,000.
Dave Deasy, SVP Marketing at TrustArc, commented “we are continuing to see high interest in Privacy Shield from companies of all sizes to ensure they can demonstrate a high commitment to privacy for international data transfers. This is consistent with the high demand we continue to see for companies looking for help to address the GDPR regulation. The good news is not only does Privacy Shield provide an approved mechanism to legally transfer data from the EU to the U.S., but it also addresses a number of GDPR requirements streamlining the work needed to reach and maintain GDPR compliance.”
This message was highlighted in a recent communication issued by the International Trade Administration’s Privacy Shield Team shown below:
TrustArc offers solutions to help companies verify their privacy program and practices meet Privacy Shield requirements. In addition to providing third party verification, TrustArc offers an independent dispute resolution mechanism helping companies meet Privacy Shield requirements for handling questions and concerns regarding a company’s compliance with Privacy Shield. For more information on TrustArc’s breadth and years of experience in providing Privacy Shield verifications and independent privacy dispute resolution, visit TrustArc Privacy Shield.
The EU-U.S. Privacy Shield international data transfer framework had its first annual review; highlights are included below.
Andrus Ansip, Commission Vice-President for the Digital Single Market, said:
The Commission stands strongly behind the Privacy Shield arrangement with the U.S. Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs. This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.
Overall, the report shows that European Commission (EC) feels that the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S. Over 2,400 companies have now been certified by the U.S. Department of Commerce.
In addition to reaffirming their support of Privacy Shield, the EC made several recommendations to further improve the functioning of the Privacy Shield, which include:
- more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce, including regular searches by the US Department of Commerce for companies making false claims about their participation in the Privacy Shield;
- increased awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints;
- closer cooperation between privacy enforcers i.e. the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs);
- enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA); and
- the appointment of a permanent Privacy Shield Ombudsperson, as well as filling empty posts on the Privacy and Civil Liberties Oversight Board (PCLOB).
Read the press release here.
Our Solutions for EU-U.S. Privacy Shield
We offer three separate packages to support companies in preparing for compliance with the EU-U.S. Privacy Shield Principles ahead of self-certification with the U.S. Department of Commerce. We offer Assessment and Verification Packages to help companies assess their policies and practices against the Privacy Shield Principles. These two packages include assessing practices related to non-HR data, HR/employee data or both.
In addition, we provide a Dispute Resolution Package, which helps companies meet the requirements under Privacy Shield for having an independent dispute resolution mechanism in place to efficiently manage privacy inquiries from customers or relating to non-HR data.
The TRUSTe assessment and verification packages for Privacy Shield are delivered and managed by a team of privacy professionals using our proprietary assessment methodology that is powered by TrustArc Assessment Manager. TrustArc’s award-winning SaaS-based privacy technology platform provides interactive compliance reviews, centralized on-demand reporting and searchable audit trails.
To learn more, contact us.
EBSCO Industries, Inc. and its subsidiaries (EBSCO) have completed their certification for EU-US Privacy Shield, which is the international data transfer framework requiring that companies meet rigorous obligations to protect the personal data of Europeans. View EBSCO’s Privacy Shield certification here. It is monitored and enforced by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC).
EBSCO’s certification demonstrates their commitment to consumer privacy and ensures that they transfer data in a safe way, in compliance with the Privacy Shield framework.
TRUSTe reviewed and verified that they comply with the EU-US Privacy Shield Framework; TRUSTe will also provide independent dispute resolution services to address privacy-related questions around customer data from users and ongoing access to privacy guidance.
“By working with TRUSTe, EBSCO is showing its commitment to protecting the privacy of its customers,” said Josh Torres, EBSCO’s Associate Counsel and Compliance Director. “This is one of many privacy and compliance initiatives at EBSCO, all being performed in an effort to ensure that our products and services directly and continually align with our core company values.”
Congratulations to EBSCO on its Privacy Shield Certification!
Find out more about TRUSTe Privacy Shield Solutions here: Privacy Shield
Adding Swiss-US Privacy Shield self-certification.
As part of the TRUSTe Privacy Insight Webinar Series, Nasreen Djouini, Michelle Sylvester-Jose of the U.S. International Trade Administration, and Josh Harris of TRUSTe discussed the rollout of Swiss-US Privacy Shield.
Some examples of where the Swiss-US Privacy Shield framework and the EU-US Privacy Shield framework vary are:
- When covering HR data received from Switzerland, an organization must commit to cooperating with the Swiss Federal Data Protection Information Commissioner authority (FDPIC) as the independent recourse mechanism. However, for non-HR data, an organization can elect to use the Swiss Federal Data Protection Information Commissioner or use another Independent Dispute resolution Provider (IDR).
- The Choice Principle has been modified. The definition of “Sensitive Data” has been expanded upon.
- For the EU-US Privacy Shield, there was a grace period; however, there is no grace period for the Swiss-US Privacy Shield.
- The binding arbitration option will be put in place at the first annual review of the Swiss-US Privacy Shield.
Although there are a few places where these frameworks vary, the Swiss-US Privacy Shield and EU-US Privacy Shield frameworks touch back to the same core principles. Companies should be able to use the work done to become compliant with one framework toward compliance with the other.
While we highlighted one of the webinar topics in this blog post, the webinar covered several additional topics:
- How the Swiss-U.S. Privacy Shield was developed
- What you should do to prepare to self-certify to Privacy Shield for the first time, or to add the Swiss – U.S. Privacy Shield to your EU-U.S. Privacy Shield certification
- How to navigate the self-certification process on privacyshield.gov
- How to re-certify on an annual basis
To view, listen to all topics covered, and share the webinar recording, please find a shareable link here.