Recently, the data world has been full of chatter about replacing Safe Harbor with a new and improved program called Privacy Shield. This handshake agreement has yet to be approved, but here is the timeline to get you up-to-speed:
- 2015: The ECJ (European Court of Justice) agrees to invalidate and replace Safe Harbor.
- 29, 2016: Privacy Shield draft text is released.
- July 2016: European Commission to vote for Privacy Shield approval.
The DOC (Department of Commerce) has been working closely with EU officials to address concerns regarding sections of the text and the guidance material, and it is confident that Privacy Shield will ultimately receive approval.
You may be wondering what is new in Privacy Shield, so we have compiled a table for a side-by-side comparison to Safe Harbor:
| Privacy Principles | Safe Harbor | Shield |
| Notice | An organization must disclose that it adheres to principles/framework and states what information collection, sharing, access, opt-out, enforcement and security measures and in place | New: Requires links to DOC Shield participant list and dispute provider website Disclose upon consumer request new ability for individuals to pursue binding arbitration if other mechanisms fail Disclose that may share personal information with lawful requests or for national security; and liability in onward transfers to third parties |
| Choice | Provide consumer with the opportunity to opt-out or opt-in (sensitive information) depending on the nature of the data. Setup appropriate procedures to respect consumers’ opt-out/opt-in requests, particularly regarding consumers’ requests to not be approached for direct marketing. Opting-out should not require consumers to incur any fee or expense beyond a first-class stamp or phone call. Opt-in for sensitive information: medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual. |
Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. An organization must offer the opportunity to choose to opt-outof their PI disclosure to a third party or for use with a materially different purpose. Choice is not required when disclosure is made to a third party that is acting as an agent to perform task/s on behalf of organization. However, an organization shall always enter into contract with agent. Definition of sensitive information is the same as Safe Harbor |
| Security | Organization must take reasonable and appropriate measures to protect data from loss, misuse,unauthorized access, disclosure, alteration, and destruction. | Same as Safe Harbor |
| Accountability for Onward Transfer |
Determine the need for contracts with respect to the transfer of information to third parties. You must ensure that if information is disclosed to agents or subcontractors, they will agree to abide by the safe harbor principles. You should only transfer data to third parties consistent with the notice and choices you have given the consumers Any agent of yours who handles or processes your data must themselves either be subject to the EU Directive or be members of the Safe Harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of data. |
Same overall themes but participation company now has liability in cases of onward transfer of data to third parties. Agent is obligated to provide at least the same level of privacy protection as is required by the principles. Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing. Additionally, upon request by DOC, must provide a summary or a copy of relevant contract privacy provisions entered into with its agent. |
| Data Integrity and Purpose Limitation |
Ensure that the customer’s personal information is reliable, accurate, complete, current, and used for intended purpose. Your company should not process data that is irrelevant to the purpose for which it was collected, unless subsequently authorized by the consumer. |
Same as Safe Harbor |
| Access | You must provide customers with the ability to access PI (personal information) being maintained by the company and the ability to correct, amend, or delete it where it is inaccurate or processed in violation of the principles. | Same as Safe Harbor |
| Recourse, Enforcement and Liability |
Take reasonable steps to ensure that any consumer privacy concern will be addressed by: (1) referring consumers to your customer service department or other in-house resolution program; (2) subscribing to a third party dispute resolution mechanism to address any unresolved in-house data privacy complaint; and (3) having appropriate monitoring, verification, and remedy procedures in place. |
The independent dispute resolution service should be readily available and at no cost to consumer. New available remedy for EU individuals is binding arbitration – individuals must pursue other mechanisms first, such as directly contacting the company. No monetary damages allowed under binding arbitration. Binding arbitration seeks to resolve an individual complaint. A separate complaint process: consumers may also contact appropriate DPA and then DPA resolves complaint or works with DOC to resolve it. No binding arbitration required under this scenario. |
Now that you know what’s coming, there are a few things you can do to prepare yourself and your company for these changes:
- Review and audit your data sources.
- Start updating for Shield’s new requirement. You must post a new policy statement immediately, prior to self-certifying to DOC’s Shield Framework.
- Review and start updating contract language with third parties.
- All companies that join Shield within two months of enactment will have a nine month grace period to update contracts.
Information is power, so make sure to stay alert and pay attention to all changes happening in the data world!
