October 15, 2021

Volume XI, Number 288


Privacy Shield Details Released

As we previously reported, EU and US officials have reached an agreement to implement a program known as the EU-US Privacy Shield.  The Privacy Shield is a successor to the US-EU Safe Harbor program, which was invalidated last year, and is the culmination of more than two years of negotiations between the EU and US to strengthen the protections afforded to individuals whose personal data is transferred from the EU to the US.

On Monday, the European Commission released the documents that will constitute the Privacy Shield, along with a draft adequacy decision.  Key features of the new program include the following:

  • Privacy Principles:  As under the Safe Harbor program, Privacy Shield organizations (i.e., organizations that have self-certified under the Privacy Shield) must comply with specified privacy principles (the “Principles”) when transferring and processing data originating in the EU.  These principles are:  Notice; Choice; Security; Data Integrity and Purpose Limitation; Access; Accountability for Onward Transfer; and Recourse, Enforcement and Liability.

  • Choice:  Individuals must be given the choice to opt out of having their personal information disclosed to a third party (except an agent of the Privacy Shield organization) or used for a purpose that is materially different from the purposes for which it was originally collected or which were subsequently authorized by the individual.  For sensitive information, with limited exceptions, individuals must expressly opt in in order for such information to be so disclosed or used.

  • Onward Transfer:  Any transfers of data to a third party must be pursuant to a contract that provides, inter alia, that the recipient will provide the same level of protection as the Principles.  In the case of contracts with agents, an organization must, upon request, provide a summary or copy of the relevant privacy provisions to the Department of Commerce.

  • Redress of Rights:

    • Privacy Shield organizations must have in place an effective internal mechanism to deal with complaints of non-compliance with the Privacy Principles and must commit to responding to complaints within 45 days.

    • An independent Alternative Dispute Resolution mechanism also must be designated and available, free of charge, for individuals to pursue claims of non-compliance.

    • Individuals can bring claims to their national DPA which will, in turn, work with the US Department of Commerce to ensure that the Privacy Shield organization addresses the complaint.

    • Privacy Shield organizations remain liable if an agent to whom they transfer information processes such information in violation of the Principles, unless the Privacy Shield organization can prove that it is not responsible for the event giving rise to the damage.

    • Privacy Shield organizations that wish for Privacy Shield benefits to cover HR data are required to commit to cooperate with the European Data Protection Authorities (“DPAs”) in the investigation and resolution of complaints, which would include an agreement to comply with any advice from the DPAs that the organization needs to take specific action to comply with the Principles.  Privacy Shield organizations that are not seeking to cover HR data have the option whether or not to commit to cooperate with the DPAs in investigating and resolving complaints.

    • The Privacy Shield framework also establishes a binding arbitration option for redress of certain complaints.

  • Limits on US Government Access:  The released documents include letters from the Office of the Director of National Intelligence and the U.S. Department of Justice outlining the legal restrictions and safeguards in place to limit access by the U.S. government to personal data transferred pursuant to the Privacy Shield.  The U.S. Secretary of State also has appointed a Privacy Shield Ombudsperson, whose responsibility will be to serve as a point of contact for foreign governments that wish to raise concerns regarding U.S. intelligence activities.

  • Periodic Review:  The draft adequacy decision provides for ongoing review of the Privacy Shield Framework to ensure its continued adequacy.  This continued review shall include an “Annual Joint Review” among the EU Commission, the US Department of Commerce and Federal Trade Commission, and other US agencies as appropriate.  This meeting will be open to DPAs and representatives of the Article 29 Working Party.

© 2021 Proskauer Rose LLP. National Law Review, Volume VI, Number 62

About this Author

As innovations in technology make it easier to track, collect and process personal information about individuals, companies of all kinds are challenged to manage the way that they use data to both comply with U.S. and non-U.S. laws and to protect such data from unauthorized access. In addition to maintaining compliance in a continuously evolving legal landscape, companies must also contend with industry standards promulgated by a wide array of diverse and sometimes overlapping industry groups. Yet, on a daily basis we hear reports of companies having suffered data...