MediaTech Law

By MIRSKY & COMPANY, PLLC

Dataveillance Protection: The E.U.-U.S. Privacy Shield

For many years, technology outpaced policy when it came to standards and protections around ownership of and access to personal data. In practice, privacy norms have been set not by governments but by the technology companies that built the digital world as it is experienced today. Many if not all of the dominant players in this space are American technology companies, including Alphabet (i.e. Google), Apple, Amazon, Facebook and Microsoft. These companies have more say over a user’s online life than any local, state or national government.

Increasingly, the only blunt instrument a government has to control the web is to block it entirely or to block access to a specific service. For example, in June 2016, Algeria blocked access to Facebook, Twitter and other social media sites after high school exam papers were leaked online. European governments have actively tried to limit the reach of tech companies through antitrust actions and privacy regulation. European attitudes and policy quickly turned adversarial following the revelations by Edward Snowden that United States intelligence agencies were conducting surveillance of people worldwide, including leaders of other countries.

European Privacy Protection

Europe and America approach privacy differently. While privacy in America is desired but not guaranteed, in Europe it is a fundamental right, comparable to freedom of expression in the United States. So strong are European privacy protections that, after a period of time, a European citizen can ask a search engine or other service to remove or delist personal information about them, even information that was once newsworthy, under the “right to be forgotten” (now codified in the GDPR as the right to erasure).

From “Safe Harbor” to E.U.-U.S. Privacy Shield

On July 12, 2016, the European Commission formally adopted the E.U.-U.S. Privacy Shield, an arrangement negotiated with the US Department of Commerce that permits personal data to move between the European Union and the United States. The Privacy Shield replaces the “Safe Harbor” program, which the European Court of Justice invalidated in October 2015 on the ground that Safe Harbor did not adequately safeguard the privacy rights of EU citizens against US government surveillance.

The “Safe Harbor” program grew out of the EU Data Protection Directive (95/46/EC, in force from 1998), which prohibits transfers of personal data to countries that do not provide “adequate” protection. Under Safe Harbor, adopted in 2000, US companies could self-certify that they would comply with EU data protection standards in order to receive personal data from the EU. The “Safe Harbor” program imposed no obligations on the US government, and so offered no protection against government access to the transferred data.

The principles of the E.U.-U.S. Privacy Shield are more stringent than those required by the Safe Harbor provisions, and align closely with the heightened requirements of the EU’s new General Data Protection Regulation (GDPR).

The Privacy Shield governs only personal data transferred from the European Union about individuals in EU countries; it does not apply to data about individuals living in the United States or anywhere else in the world.

The key components of the Privacy Shield are:

A. Self-certifying as Privacy Shield compliant with the US Department of Commerce (DOC);
This self-certification process of the new Privacy Shield framework is similar to that of the Safe Harbor provision. To assist companies with the certification process, the US Department of Commerce (DOC) has released a “Guide to Self-Certification”.

B. Develop a privacy policy that conforms to the Privacy Shield;
Among other things, the privacy policy should reflect the organization’s information handling practices and the choices the organization offers individuals with respect to the use and disclosure of their personal information.

C. Publicly commit to the Privacy Shield Principles;
This public declaration may be made in the company’s privacy policy or elsewhere if appropriate (such as within the company’s “Legal” section on the website), so long as the attestation is available to the general public. Doing so enables the same enforcement mechanism that existed under Safe Harbor: a company that publicly commits to the Principles and then fails to honor them is engaging in a deceptive practice, which allows the Federal Trade Commission to take enforcement action under its authority over unfair and deceptive acts and practices in Section 5 of the FTC Act.

The Privacy Shield Principles consist of seven principles for assuring the adequate protection of personal data. These principles mirror those set out in the Safe Harbor framework, but extend beyond what was previously required, and align closely with the heightened requirements of the GDPR.

  • Notice
  • Choice
  • Accountability for onward transfer/vendor agreements
  • Security
  • Data integrity and purpose limitation
  • Access
  • Recourse, enforcement and liability

D. Annually re-certify compliance with the DOC;

E. Provide free independent dispute resolution to EU individuals;

F. Be subject to the authority of the US Federal Trade Commission (FTC), US Department of Transportation (DOT) or another enforcement agency; and

G. Annual joint review of the framework itself by the European Commission and the DOC.

Conclusion and Criticism of New Agreement

The new Privacy Shield framework imposes greater obligations upon organizations and their vendors than existed under the Safe Harbor framework. In the context of the rights accorded to individuals, these new requirements mirror those set out in the GDPR. The Privacy Shield also includes detailed mechanisms for resolving disputes and providing recourse for individuals whose rights have been violated. Based on these increased obligations, organizations intending to certify to the Privacy Shield will want to update their policies around notice, choice, access, onward transfers, and recourse, as well as reviewing their standard vendor agreements, even if they have already met the Safe Harbor Principles.

The European Court of Justice struck down the original “Safe Harbor” program in October 2015, following a legal challenge brought over concerns that US mass surveillance programs meant that European data was not being protected. Many people, including Max Schrems, the original plaintiff in the “Safe Harbor” challenge, still believe the new agreement does not protect EU citizens’ privacy and continues to create an unstable business environment for companies doing business in Europe. For now, at least, the Privacy Shield is in place.

* * *

Reference Chart: How does the Privacy Shield differ from the Safe Harbor provisions?

1. Notice

What has not changed: Data subjects must be informed when their personal data is collected and notified of, amongst other things:

  • Purposes for which it will be used.
  • Types of third parties to which it will be disclosed.
  • Rights of the data subject to access and restrict the use of their data.

What is new: Several new notice requirements, including:

  • Providing details regarding the independent dispute resolution body designated to address complaints and to provide appropriate recourse free of charge (see “Recourse, enforcement and liability” below).
  • Disclosure of the organization’s liability for onward transfers to third parties (see “Accountability for onward transfer/vendor agreements” below).
  • Increased transparency requirements for Privacy Shield organizations, including:
    • Making their participation in the framework clear.
    • Providing a hyperlink to the Privacy Shield List on their own website.
    • Providing hyperlinks to the Privacy Shield website and the website or complaint submission form of the independent recourse mechanism within their published privacy policy.

2. Choice

What has not changed:

  • Data subjects must be allowed to opt out of their data (a) being shared with third parties or (b) being used for a purpose that is “materially different” from the purpose for which it was collected.
  • Data subjects’ express consent (opt in) is required if “sensitive” personal data (e.g., information specifying medical or health conditions, race, or political opinions) is to be shared with a third party.

What is new: No material changes.

3. Accountability for onward transfer/vendor agreements

What has not changed:

  • To disclose information to a third party, Organizations must apply the Notice and Choice Privacy Principles.

What is new:

  • Onward transfers to agents (i.e., a sub-processor) will only be permitted in relation to “limited and specific purposes.”
  • Any transfer must be made on the basis of a contract or comparable arrangement which offers the same level of protection as the Privacy Principles.
  • Organizations must take “reasonable and appropriate steps” to verify their agent’s compliance (i.e., due diligence and audit).
  • Unless they can prove that they are not responsible for the event giving rise to the damage, Organizations will be liable for the acts of their agents who fail to adhere to the Privacy Principles.

4. Security

What has not changed:

  • Organizations must take “reasonable and appropriate measures” to safeguard the personal data transferred to them.

What is new: No material changes.

5. Data integrity and purpose limitation

What has not changed:

  • Collection of personal data must be limited to what is relevant for the purpose, and the data must be reliable for its intended use, accurate, and current.

What is new: No material changes.

6. Access

What has not changed:

  • Subject to limited exceptions, data subjects must be furnished on request with confirmation of whether or not the Organization holds personal data relating to them, and must be able to correct, amend or delete inaccurate information or information processed in violation of the Privacy Principles.

What is new: No material changes.

7. Recourse, enforcement and liability

What has not changed: Organizations must have mechanisms in place to:

  • Ensure compliance with the Privacy Principles.
  • Ensure that recourse is available to EU citizens whose personal data has been processed in a non-compliant manner, including readily available independent mechanisms for investigating and resolving complaints and disputes.

What is new: Under the Privacy Shield, Organizations will be required to:

  • Publicize the contact details of members of their complaints-handling team.
  • Within 45 days of the receipt of a complaint, provide an assessment and information on how (if at all) the problem will be rectified.
  • Designate an independent dispute resolution body to investigate and resolve individual complaints. While Organizations are encouraged to use an EU data protection authority (DPA) as their independent dispute resolution body, a US provider is also acceptable. The DOC and the FTC will be notified of any Organization that fails to comply with the finding of an independent dispute resolution body.