American companies are hurrying to meet the new requirements of the Privacy Shield. Since the European Commission officially adopted the framework on July 12, organizations have scrambled to understand the finalized principles, determine the applicability of each, and develop a plan for implementing any necessary privacy mechanisms and controls. Like most legal texts though, the Privacy Shield can be difficult to digest. Some of the principles have been significantly restructured, are riddled with stipulations and situational exceptions, and are a bit ambiguous. Our firm has fielded an influx of questions looking for perspective and advice on which aspects of the Privacy Shield will be the riskiest and most burdensome. Here is my two cents on how to prioritize and tackle some of the essentials.
Accountability for Onward Transfers
Of all the principles in the Privacy Shield, it seems Accountability for Onward Transfers was augmented the most. Beyond limiting data transfers to specified purposes, as the old doctrine did, organizations must now contractually bind all third party controllers and agents that receive transfers of personal information to the conditions put forth in the Privacy Shield. This doesn’t mean that all third parties have to be Privacy Shield certified. What it means is that all existing third party contracts need to be updated if they don’t already outline the applicable requirements, and contracts forged in the future will have to establish accountability for the principles as well. Furthermore, data controllers will have to continually police all third parties to identify instances of noncompliance and cease transfers or terminate relationships when those instances are not remediated.
The obvious intent of this revamped principle is to put all liability squarely on the shoulders of the organization. Those of us who are well acquainted with the common risks to data protection and privacy will agree that outsourcing and sharing data carries a serious inherent vulnerability, so this provision is justified; however, it will most likely prove to be a huge administrative headache for a lot of companies, especially larger enterprises.
Something to note here: as a kind of incentive, the Privacy Shield package states that organizations that certify within two months of its introduction (by September 12) will be granted a nine month grace period to get all third party affairs in order. Organizations that miss that mark will have to have this stipulation already sorted at the point of certification.
Data Integrity and Purpose Limitation
The Data Integrity and Purpose Limitation principle is divided into three major requirements:
- limit the collection of personal data to only purposes relevant for processing;
- employ data veracity controls to ensure that information collected is complete, accurate, and current; and,
- retain personal information in an identifying form only for as long as it serves the purpose for which it was collected.
The last prong of this principle, albeit an enhancement over the Safe Harbor, is a bit unclear given that it doesn’t specifically state how data must be handled after it is no longer of use. Regardless, organizations are going to have to solidify a procedure that lets them determine when data has expired so it can be deleted or anonymized. This may prove extremely challenging for companies with weak data classification and management practices.
Recourse, Enforcement and Liability
In the last of the principles, Recourse, Enforcement and Liability, data subjects have been given a practical, multi-layered path for escalating questions and complaints relevant to the Privacy Shield. As the text of the program reads, data subjects with issues regarding their personal information are advised to first try to work directly with the organization to find a resolution. After such efforts, individuals can then involve the independent recourse mechanisms that certified Privacy Shield organizations are required to offer, or contact their Member State DPAs. The last attempt at resolution should be through arbitration. I’ll add that although this is how the powers that be recommend individuals escalate their complaints, this advised, gradual, linear approach is not a requirement. There’s still a bit of uncertainty about how this principle will really shape up. There’s nothing stopping data subjects from going straight to the FTC or their DPAs for every problem that comes up.
With that said, from the organization’s point of view, this may seem like an instruction to arrange your own gauntlet. Procedures must be in place to handle claimed violations directly, and responses must be delivered within 45 days of receiving such claims. Free-of-charge independent recourse mechanisms must be installed and must operate within the specific guidelines hashed out in the framework. Organizations that choose to cooperate with DPAs must comply with advice delivered by those authorities within 25 days of receipt. There will be gripes from all directions, and this principle may really prove to be a confluence of botheration.
This heads-up is put forward under the presumption that your organization is at least familiar with the common covenants of privacy and has some sort of privacy program in place. If you’re not…whoa. You may have a long road ahead of you if you’re looking to certify. I’ll mention too that beyond reaching the initial certification signifying your commitment to the principles, you’ll have to verify your adherence to the framework on an annual basis via self-assessment or outside review. Organizations should really mull over which path would be best.
The self-assessment route is only advisable if you truly have the in-house legal, IT, and business competencies to map out what needs to be implemented, as well as the expertise and resources to develop and carry out the verification procedures needed to adequately document and validate the effectiveness of the control framework that upholds the Privacy Shield principles. On top of that, organizations are going to have to pivot and invest further in compliance measures as these negotiated terms evolve. In the near term, the Article 29 Working Party is set to opine on (and probably challenge) the finalized version of the doctrine. Slings and arrows aimed at the Privacy Shield may come from the judicial ranks as well.
In the longer term, the FTC along with the Department of Commerce have arranged an annual review of the principles with the European Commission and representatives from the Working Party to continue to assess its adequacy and ensure it satisfies the privacy initiatives and concerns of the times. This is not going to be a check-the-box exercise; rather, it will most likely require an organizational culture shift and necessitate enterprise adoption at all levels. Burdensome though it is, the certification process is definitely achievable, and we should all recognize that this new legal doctrine has a lot of good undertones.
The introduction of the Privacy Shield will really promote international accountability, preserve and advance the data rights of all, and ultimately bond the US with its European counterparts.
About the Author
A manager with Schellman, Zach Schmitt has a concentration in IT security and privacy in the Washington D.C. attestation and compliance practice. He is a member of the International Association of Privacy Professionals (IAPP) and endeavors to share his observations and feelings on the certain evolution of data security and privacy. Zach is a graduate of Virginia Tech and has BAs in Accounting & Information Systems and Marketing Management.