On July 12, 2016, the European Commission ("Commission") adopted the Privacy Shield adequacy decision, which permits the transfer of EU personal data to Privacy Shield certified entities in the United States. The EU-U.S. Privacy Shield replaces the now-defunct Safe Harbor framework, which was invalidated in October 2015 by the European Court of Justice.
Privacy Shield compliance will likely require adjustments to an organization's policies and practices relating to the collection and use of personal data. Organizations that wish to self-certify under the Privacy Shield, or that have questions about the Privacy Shield certification of U.S.-based service providers, are advised to contact us.
EU data protection laws restrict the export of personal data to other countries unless certain requirements are met. One option for legitimizing such exports is to utilize EU-sanctioned data transfer mechanisms. Transfer to a Privacy Shield certified entity is one of these EU-sanctioned data transfer mechanisms. While there are other available methods for legitimizing personal data transfers from the EU to the U.S., the Privacy Shield framework will be a useful solution for many organizations.
Relevance to Israeli Companies
While the Privacy Shield is a mechanism designed to facilitate personal data transfers from the EU to the U.S., it is relevant to Israel-based organizations for the following reasons:
- Organizations that process EU personal data using personnel in the U.S. (whether by means of employees located in the U.S. or U.S. affiliates) will likely be called upon by customers in the EU to demonstrate that such data export complies with the EU data export restrictions described above. These organizations may find it worthwhile to self-certify as Privacy Shield compliant in order to meet the demands of EU-based customers.
- Similarly, organizations that outsource data processing functions to service providers (for example, Amazon Web Services) in the U.S. should examine their relationships with European customers to determine whether customer agreements require these entities to confirm that U.S.-based service providers are Privacy Shield compliant or have otherwise taken steps to legitimize transfer of EU personal data.
- Like EU law, Israeli law also restricts the export of personal data from Israeli databases. Under the Israeli Protection of Privacy Regulations (Transfer of Information to Databases outside of the State's Boundaries), 2001, data may be transferred from databases in Israel to countries that are authorized to receive data from EU member countries, subject to compliance with additional regulatory requirements. Under these regulations, the now-defunct U.S. Safe Harbor certification had provided a legal basis for transfers of any data, not only data originating in Europe, from Israeli databases to certified entities in the U.S. While, as of the date of this memo, the Israeli Law, Information and Technology Authority (ILITA), Israel's data protection authority, has not publicly commented on the Privacy Shield regime, it is expected that Privacy Shield will establish a legal basis under Israeli law for exporting data from Israeli databases to the U.S. Additional requirements must be satisfied to fully legitimize such transfers.
Privacy Shield Requirements
To self-certify as Privacy Shield compliant, organizations must comply with the following seven key principles:
1. Notice: data subjects must receive notice of data processing practices, including what data is collected and how it is used;
2. Choice: data subjects must have the right to opt out of (i) disclosure of personal data to third parties (except those acting as agents on behalf of the original recipient), or (ii) use for a purpose that differs materially from the purpose for which the data was originally collected;
3. Accountability for onward transfers: data transfers to third parties must be pursuant to written contracts requiring specific protections;
4. Security: organizations must take reasonable and appropriate measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration and destruction;
5. Data integrity and purpose limitation: data collected must be limited to that which is relevant to the purpose of processing, and the organization must take reasonable steps to ensure that personal data is reliable for intended use and accurate, and may retain data only for as long as it serves the permitted purpose of processing;
6. Access: data subjects have the right to access personal data held about them, correct inaccurate data and delete information that is processed in violation of Privacy Shield requirements; and
7. Recourse, Enforcement and Liability: organizations must implement measures to ensure Privacy Shield compliance, such as periodic internal or external audits. In addition, organizations must designate an independent recourse mechanism for data subject complaints. Private entities such as the American Arbitration Association (AAA), JAMS, the Direct Marketing Association's arbitral body, TRUSTe or the Council of Better Business Bureaus (BBB) offer this service for a fee. As an alternative to utilizing private sector dispute resolution bodies, organizations may choose to cooperate with EU data protection authorities, which will generally be a less expensive alternative but may be accompanied by additional regulatory oversight.
These seven principles are complemented by 16 supplementary principles, including provisions related to human resources data, sensitive information and other data transfer issues.
Procedures for Self-Certifying as Privacy Shield Compliant
Organizations may self-certify that they are compliant with the Privacy Shield Framework; there is no need to be certified by a third party. Self-certification is accomplished by filing on the Department of Commerce's Privacy Shield website (www.privacyshield.gov) and paying a certification fee. Maintaining certification requires payment of an annual fee of between USD $250 and $3,250, calculated on the basis of the organization's annual revenue.
To join the Privacy Shield Framework, most organizations will need to make changes to their practices in respect of personal data handling. Because Israeli law already imposes many of the Privacy Shield requirements, organizations with privacy practices that comply with Israeli law will generally be better positioned for compliance than many U.S. entities.
While joining the Privacy Shield Framework will be voluntary, once an eligible company makes the public commitment to comply with the Framework's requirements, the commitment will become enforceable under U.S. law.
When to Self-Certify
The U.S. Department of Commerce will begin accepting Privacy Shield applications on August 1, 2016. The general rule is that self-certifying companies must be Privacy Shield compliant prior to certification. The one exception concerns the onward transfer principle: organizations that self-certify within the first two months of the program (by September 30, 2016) are given nine months from the date of certification to bring their existing contracts with third parties into conformity with that principle.
The U.S. Department of Commerce's guide to self-certification, as well as other Privacy Shield materials, are available at the department's Privacy Shield website, https://www.privacyshield.gov.
Special requirements apply to the transfer of European human resources data (employee data) to the U.S., including the mandatory selection of a national EU data protection authority as an independent dispute resolution mechanism.
Privacy Shield remains one of a limited number of alternatives for exporting EU personal data to the U.S.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.