When a US organization decides to self-certify under the EU-U.S. Privacy Shield, compliance with Privacy Shield principles becomes compulsory.
This may be a problem for many US organizations, because certain processing activities they perform, which are perfectly lawful under American law, are unlawful from the Privacy Shield's perspective.
Why? And what to do?
Let’s step back for a moment.
What is the Privacy Shield? Following the decision of the European Court of Justice striking down the Safe Harbor Framework, the EU and the US, after several months of negotiations, adopted the “EU-US Privacy Shield”, a self-certification system by which US organizations commit to a set of privacy principles that, according to the EU Commission, ensure an adequate level of protection for the transfer of EU personal data to the USA. [1] Once Privacy Shield certified, US organizations can receive personal data transferred from Europe.
There are 7 principles (“Principles”) with which organizations must comply in order to self-certify under the EU-U.S. Privacy Shield:
1. Notice principle. Organizations must “provide information to data subjects on a number of key elements relating to the processing of their personal data (e.g. type of data collected, purpose of processing, right of access and choice, conditions for onward transfers and liability)”. Further safeguards apply, such as “the requirement for organisations to make public their privacy policies” and to provide links to the Department of Commerce’s website, the Privacy Shield List and the website of an appropriate alternative dispute settlement provider;
2. Choice principle. Individuals must be able to opt out from the processing of their information when information is to (i) be disclosed to a third party or (ii) used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals;
3. Accountability for onward transfer principle. To transfer personal information to a third party acting as a controller, organizations must comply with the notice and choice principles, as well as enter into a contract with the third-party controller. That contract must provide that data may only be processed for limited and specified purposes consistent with the provided consent. The recipient shall provide the same level of protection set forth by the Privacy Shield;
4. Security principle. Organizations must take “reasonable and appropriate” security measures, “taking into account the risks involved in the processing and the nature of the data”. The same level of protection must be guaranteed by the organization that sub-processes the personal data, if any.
5. Data integrity and purpose limitation principle. The Privacy Shield provides that
[p]ersonal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject.
That means organizations must ensure that personal data is reliable for its intended use, accurate, complete and current.
Under this principle, where a new (i.e., changed) purpose is materially different from the original purpose, the data subjects have the right to object (opt out).
Personal information may be retained “in a form identifying or rendering an individual identifiable (and thus in the form of personal data) only for as long as it serves the purpose(s) for which it was initially collected”, or subsequently authorized. Organizations may process personal information for longer periods, but only to the extent such processing reasonably serves specific purposes of (i) archiving in the public interest, (ii) journalism, (iii) literature and art, and (iv) scientific and historical research;
6. Access principle. Data subjects have the right, without justification and for a non-excessive fee, to obtain confirmation of whether the organization is processing their personal data and to have the data communicated to them within a reasonable time. Any denial of, or limitation to, the right of access “has to be necessary and duly justified, with the organisation bearing the burden of demonstrating that these requirements are fulfilled”. Data subjects must be able to amend their personal information;
7. Recourse, enforcement and liability principle. US organizations
must provide robust mechanisms to ensure compliance with the other Principles and recourse for EU data subjects whose personal data have been processed in a noncompliant manner, including effective remedies.
Organizations must put in place an effective redress mechanism to deal with complaints and be subject to the investigatory powers of the authorized statutory bodies.
The Principles are complemented and clarified by 16 Supplemental Principles, which are also binding.
Do these Principles apply to ALL the data that the organization processes?
Not necessarily. However, if the organization does not specify that they don’t, the organization is bound to apply those Principles to all its data. And this, as said above, is likely to be a problem for many organizations. Indeed, many US organizations, including those that certify themselves under the Privacy Shield, generally perform some activities that are likely to be impermissible under the Principles.
Think of the creation of databases which are sold to third parties, or the extrapolation of secondary information by aggregating results into lists, or the collection of transactional data (like information on purchases and accounts used), of descriptive data (like location and computers used), and/or of incidental data (like search history and browser history). Or think of the situation in which data is used for advertising and other purposes that go beyond the purpose for which the data was originally collected (and, hence, for which the organization received the data subject’s consent).
After a Privacy Shield self-certification, activities like the above would likely be unlawful under the Privacy Shield; in particular, they would violate the purpose limitation principle. Considering that no US legislation imposes a similar purpose restriction, absent the Privacy Shield certification the organization would not be in breach of the law.
Transfers of personal data to a third party controller or processor (“onward transfers”) are also unlawful if they do not take place for specified purposes and on the basis of a contract that provides the same level of protection guaranteed by the Principles.
Once an organization self-certifies compliance with the Privacy Shield Principles, activities like the above (and other activities that violate the Privacy Shield Principles) subject the organization to enforcement actions by the Federal Trade Commission (FTC). And this is true for ALL its data.
Is this really inevitable? Not at all. To avoid a blanket application of the Principles to all their data, US organizations that certify under the Privacy Shield may want to clearly state that only EU data (moved to the US for storage, use or processing) is subject to the EU-US Privacy Shield while the other data is not. If they do so, the other data collected may be processed without the limitation imposed by the Privacy Shield and without a risk of enforcement by the FTC.
For more information on compliance with the EU-US Privacy Shield, contact:
Francesca Giannoni-Crystal and Federica Romanelli
[1] Under European privacy law, the transfer of EU personal data to a third country may take place only if the third country in question ensures an “adequate level of protection”, according to Article 25(1) of Directive 95/46/EC (now Article 44 and following of Regulation EU 2016/679, GDPR).