Finally, after several months of ambiguity, it seems like there might be some clarity on how data transfers between European Union Member States and the United States might be able to proceed under auspices of Privacy Shield.

When the Safe Harbor Framework that had governed data transfers for most of the last twenty years was invalidated last fall, organizations engaging in cross-border matters were left without many options to transfer data containing personally identifiable information. To complicate the situation further, several local data protection authorities within Germany imposed even tighter requirements that, if pressed, would undermine the ad hoc and customary workarounds.

This week, however, the EU and US released a preliminary draft of new data transfer regulations. While the regulations still need to be approved by all 28 members of the European Union, they provide insight into the current thinking on data privacy within the EU after the Schrems decision. The team at Foley Lardner has collated information on the new regulations to begin to guide the internal and external stakeholder education process on a new era of data transfers.

According to the guidance from Foley Lardner that appeared on Law Fuel, US companies will be required to re-certify annually and demonstrate compliance with the following:

  • “Complaints: In the event of any complaint by an individual regarding the handling of his or her personal data by a company, whether the complaint is received directly from the individual or through the Department of Commerce, the company must respond to the individual within 45 days.
  • Dispute Resolution: Companies must provide individuals with access to a free, independent alternative dispute resolution body to resolve disputes regarding the handling of personal data. As such, companies will be required to pay for the alternative dispute resolution proceedings, such as non-binding mediation and mandatory binding arbitration. The Department of Commerce will verify the company’s registration with its publicized dispute resolution body. Additionally, companies must agree to submit a recourse mechanism of “last resort” of binding arbitration by the “Privacy Shield Panel,” consisting of a pool of arbitrators designated by the Department of Commerce and the European Commission.
  • Human Resources Data: Companies that handle human resources data from EU citizens must also commit to compliance with advice from the applicable national Data Protection Authority (DPA). This will result in U.S. companies, in effect, being regulated by EU DPAs. As discussed further below, disputes not resolved through negotiation will be subject to resolution through a no-cost mandatory binding arbitration process.
  • Privacy Policies: A company’s privacy policy must notify individuals of the type of data collected, how the data is handled, and available opt-out mechanisms. Companies with online privacy policies must also include a statement of compliance, a pledge to not collect more personal data than is needed, and a point of contact to handle complaints.
  • Onward (Further) Transfers to Third-Party Service Providers: In the event a company engages in onward transfers of personal data to third-party service providers, the company will remain fully liable and responsible for the personal data in the hands of subcontractors, regardless of contractual obligations. A company may only participate in onward transfers where such transfers are appropriately limited and when contractual or other mechanisms provide the same level of protection guaranteed by the Privacy Principles. The Privacy Shield framework further requires companies to conduct due diligence to ensure contractors process personal data in a manner that is consistent with the Privacy Principles; take steps to stop and remediate unauthorized processing of personal data by contractors upon notice; and provide the Department of Commerce with a summary or copy of its contractual privacy protections with a contractor upon request.”


In the end, model contracts and binding corporate rules are “still the only EU approved methods of data transfers” at present. And, with quite stark differences between DPAs within Member States, it could still be some time before the final Privacy Shield plan can be presented to the European Union for final approval and adoption. Foley Lardner’s advice for U.S. companies that need to transfer data is to engage in a process of continual education in order to keep abreast of DPA perspectives and keep a read on the current state of Privacy Shield.

Interested in learning more?  You can read our previous articles on Privacy Shield here, or read the full text from Foley Lardner here.
