Overview of the EU - U.S. Privacy Shield Framework

May 2018
By Terry Ahearn & Stuart Bartow, Cyber Security & Data Protection

CLIENT GUIDE

4300 Bohannon Drive, Suite 230, Menlo Park, CA 94025, 650.391.1395


The privacy shield lays out 7 privacy principles combined with 16 supplemental principles. The supplemental principles explain and supplement the seven principles. This framework has cleared the first review by E.U. leadership, but significant potential hurdles remain.

1. Purpose – the privacy shield framework was designed to provide both US and EU companies with a mechanism to comply with data protection requirements when transferring personal data from the EU to the United States. The privacy shield replaces the former EU-US Safe Harbor promulgated in support of the former EU Directive on data transfers.

2. Administration – the privacy shield is administered by the International Trade Administration (ITA) of the Department of Commerce.

3. Self-Certifying – to join the privacy shield, a US company must self-certify to the Department of Commerce and publicly commit to comply with the framework. Once a US company has self-certified, the certification is enforceable under US law.

4. Enforcement – US companies are required to implement “independent recourse mechanisms,” distinct from the Federal Trade Commission’s authority to bring enforcement under Section 5, that are empowered to provide remedies. For example, PrivacyTrust provides a dispute resolution service.

5. Principles – the privacy shield lays out 7 privacy principles combined with 16 supplemental principles. The supplemental principles explain and supplement the seven principles.

The EU - U.S. Privacy Shield Framework

• Notice – must provide data subjects, in clear and conspicuous language, with: (1) notice of the US organization’s participation in the privacy shield; (2) the type of data collected; and (3) the purposes for which the data is collected. Data subjects must also be informed of: (1) any third parties to whom their data will be transferred; (2) their right to access their data; and (3) the means for limiting the use and disclosure of their personal data. The US organization must describe available recourse mechanisms and acknowledge the FTC’s (or other statutory body’s) enforcement authority.

• Choice – US organizations must provide “clear, conspicuous, and readily available mechanisms” by which data subjects can opt-out of any disclosure of personal data to a third party or the use of personal data for a purpose other than the one for which it was initially collected. For sensitive personal data, including data related to health, racial or ethnic origin, political and religious opinions, trade union membership, or information revealing an individual’s sex life, the data subject must affirmatively opt-in to allowing the US organization to disclose the information to a third party or use the information for a separate purpose.

• Accountability for Onward Transfer – expands regulation of and accountability for third party personal data transfers. A certified US company must specify in third party contracts that transferred personal data “may only be processed for limited and specified purposes consistent with” the data subject’s consent. Third parties must agree to “provide the same level of protection as the principles.” Where the third party is acting as an agent, such as a vendor, the organization must in addition “take reasonable and appropriate steps” to ensure the agent upholds the principles, including to stop and remediate any unauthorized processing. This downstream data protection accountability puts significant pressure on vendor selection and monitoring practices. A certified US company must provide the DOC with relevant third party contractual provisions, which places some restrictions on contractual confidentiality. Regardless of contractual language, moreover, a certified US company remains liable to the data subject for its vendor’s violation of the principles, unless it “proves that it is not responsible for the event giving rise to the damage.”


• Security – participating US companies “must take reasonable and appropriate measures to protect [data] from loss, misuse and unauthorized access, disclosure, alteration and destruction.” These measures must be appropriate to the “risks involved and the nature of the personal data.”

• Data Integrity and Purpose Limitation – requires that personal data be “relevant for the purposes of processing” and that collection be limited to only the relevant data. US companies must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.” Even if its certification has lapsed, a certified US company remains bound by the principles when processing the data it collected. This presents significant data management issues for long-term data processing, including risk disclosures in merger and acquisition transactions.

• Access – certified US companies must provide data subjects with access to their personal data as well as the opportunity to correct, amend, or delete information that is inaccurate or processed in violation of the principles. The framework sets out detailed rules for how US companies should comply with the access principle. US companies must provide data subjects the opportunity to confirm whether their personal data is being processed, as well as whether the data is accurate and whether the certified US company is processing it lawfully. US companies may charge a fee for access as long as it is “not excessive,” and US companies must respond to requests for access within a reasonable time and in a reasonable manner. A certified US company may restrict access to data “in exceptional circumstances where the legitimate rights of persons other than the data subject would be violated or where the burden or expense of providing access would be disproportionate to the risks to the data subject’s privacy.” A US company may deny access where it could reveal confidential commercial information, such as trade secrets. US companies need not retain data merely to comply with access requests. Access may be restricted in a number of situations, including where disclosure would interfere with national security, defense, public security, or research.

• Recourse/Enforcement/Liability – the privacy shield sets out three requirements for effective enforcement: (1) recourse for individuals to whom the data relates; (2) follow-up procedures for verifying that the attestations and assertions US companies have made about their privacy practices are true; and (3) obligations to remedy problems arising out of failure to comply with the principles and consequences for such failures. US companies are required to implement “independent recourse mechanisms,” distinct from the FTC’s authority to bring enforcement under Section 5, that are empowered to provide remedies. Privacy shield requires the use of third party dispute resolution bodies, based either in the US or the EU, to investigate and resolve complaints. US companies must respond to complaints within 45 days and provide resolution free of charge to data subjects. Alternatively, a US company may elect to appoint a panel of Data Protection Authorities (DPAs) from the EU Member States as the independent recourse mechanism.

Supplemental Principles

1. Sensitive Data – in certain situations, express consent (i.e., opt-in) is not required for the processing of sensitive data, but the processing must fall within an exception (e.g., processing necessary for legal claims or defenses).

2. Journalistic Exceptions – personal data gathered for a journalistic purpose is not subject to the privacy shield principles.

3. Secondary Liability – privacy shield does not create secondary liability. If an organization is merely a conduit for data transmitted by a third party, it would not be liable (e.g., ISPs).


4. Due Diligence and Audits – activities of auditors and bankers may involve processing of data without the knowledge of the data subject. This is allowed under specific circumstances, namely when a public company is being audited, or when any company is engaged in due diligence related to a merger and disclosure would threaten the purpose or possibly violate legal requirements.

5. Data Protection Authorities (DPAs) – US companies must employ effective mechanisms for assuring compliance with the privacy shield. A US company can satisfy this requirement by adhering to the requirements set forth in the privacy shield for cooperating with DPAs. This is done in the self-certification, and a US$500 fee is required.

6. Self-Certification – see above under “principles.” To join the privacy shield, a US company must self-certify to the Department of Commerce and publicly commit to comply with the framework. There is specific information to be provided under the self-certification. Once a US company has self-certified, the certification is enforceable under US law.

7. Verification – US companies must have procedures in place to verify that the attestations and assertions they make about their privacy shield practices are true and those privacy practices have been implemented as represented and in accordance with the privacy shield.

8. Access – see above under “principles.” Certified US companies must provide data subjects with access to their personal data as well as the opportunity to correct, amend, or delete information that is inaccurate or processed in violation of the principles.

9. Human Resources Data – privacy shield creates separate rules for transferring human resources data in order to ensure compliance with labor laws in the Member States. Employers generally must comply with the privacy shield’s notice and choice requirements, but they may be exempt from the access requirement in the case of employee security investigations, grievance proceedings, corporate reorganizations, or where it may prejudice “sound management.” The employer may transfer human resources data only where a U.S. agency has jurisdiction to hear claims against the organization arising out of the processing of employee data. Finally, the employer must provide the Department of Commerce with a copy of its human resources privacy policy.

10. Obligatory Contracts for Onward Transfers – see above under “principles.” A certified US company must specify in third party contracts that transferred personal data “may only be processed for limited and specified purposes consistent with” the data subject’s consent. Third parties must agree to “provide the same level of protection as the principles.”

11. Dispute Resolution Enforcement – privacy shield requires the use of third party dispute resolution bodies, based either in the US or the EU, to investigate and resolve complaints. US companies must respond to complaints within 45 days and provide resolution free of charge to data subjects. Alternatively, a US company may elect to appoint a panel of Data Protection Authorities (DPAs) from the EU Member States as the independent recourse mechanism.

12. Choice/Timing of Opt-Out – see above under “principles.” A data subject should be able to exercise an “opt out” choice of having personal data used for direct marketing at any time subject to reasonable limits established by the US company, such as giving the US company time to make the opt out effective. In the United States, individuals may be able to exercise this option through the use of a central “opt out” program (e.g. Direct Marketing Association’s Mail Preference Service). Data subjects should be given a readily available and affordable mechanism to exercise this option. A US company may use information for certain direct marketing purposes when it is impracticable to provide the data subject with an opportunity to opt out before using the information, if the US company promptly gives the data subject such opportunity at the same time (and upon request at any time) to decline (at no cost to the individual) to receive any further direct marketing communications and the US company complies with the data subject’s wishes.


13. Travel Information – travel information, such as frequent flyer or hotel reservation information and special handling needs, such as meals to meet religious requirements or physical assistance, may be transferred to US companies located outside the EU in several different circumstances. US companies subscribing to the privacy shield provide adequate protection for personal data and may therefore receive data transfers from the EU without meeting the circumstances laid out in the GDPR.

14. Pharmaceutical and Medical Products – data used for pharmaceutical research and other purposes should be anonymized where appropriate. Specific requirements and exceptions apply to personal data used: (1) in future scientific research; (2) after withdrawal from a clinical trial; (3) in transfers for regulatory or supervision purposes; (4) in blinded studies; and (5) in product safety and efficacy. Key-Coded Data is not personal data subject to the privacy shield.

15. Public Record and Publicly Available Information – the privacy principles do not apply to public record information as long as it is not combined with non-public information.

16. Access Requests by Public Authorities – US companies may voluntarily issue periodic transparency reports on the number of requests for personal data they receive from public authorities for law enforcement or national security reasons, to the extent such disclosures are permissible under applicable law. Absence of notice in accordance with the privacy shield shall not prevent or impair a US company’s ability to respond to any lawful request.

Sources and Resources

• U.K. Information Commissioner’s Office (https://ico.org.uk/)

• Int’l Assoc. Privacy Professionals (https://iapp.org/)

• TeachPrivacy.com

• Department of Commerce U.S. Privacy Shield Framework (https://www.privacyshield.gov/welcome)


Lewis Roca is a premier U.S.-based law firm, serving clients from around the world in complex litigation, intellectual property, business transactions, labor and employment, regulatory counseling, and government relations. More than 275 lawyers strong, we are large enough to handle virtually any matter, no matter how sophisticated, but small enough to preserve our culture of legal excellence and exceptional client service.

Our firm is built on a rich history of difficult cases won by distinguished lawyers. For decades, we have been at the forefront of legal change in intellectual property, business regulations, land use, technology, and civil rights. Our prominent alumni include presidential advisors, federal appellate judges, and renowned legal scholars.

Although we embrace and celebrate our history, we continue to redefine ourselves each day by the strength of our client relationships and service. We pride ourselves on our ability to deliver for our clients while serving their highest goals and needs.

Firm Overview

• Distinguished History of Legal Excellence

• Dedicated to Outstanding Client Service

• Exceptional Practice & Industry Expertise

• Depth and Continuity of Client Relationships

• Commitment to Diversity & Inclusiveness

Why Lewis Roca?

Silicon Valley, Phoenix, Denver, Los Angeles, Las Vegas, Albuquerque, Tucson, Reno, Colorado Springs, Irvine


Stuart Bartow, Partner, Silicon Valley, [email protected]

Terry Ahearn, Partner, Silicon Valley, [email protected]

About Us

Stuart Bartow is a partner in Lewis Roca Rothgerber Christie’s Intellectual Property practice group, and is co-managing partner of the Silicon Valley office. Stuart is a trial lawyer and experienced litigator with months’ worth of trial days in federal courts and other tribunals, both in the United States and internationally. As a dual-qualified U.S. patent attorney and English solicitor, he represents clients from around the globe in intellectual property and privacy matters, with an emphasis on complex disputes concerning high technology.

Education: J.D., Georgetown University Law Center; M.S., Columbia University; B.S., B.S.E.E., University of Maryland, College Park

Bar Admissions: California

Terry is a partner in Lewis Roca Rothgerber Christie’s Intellectual Property practice group and is co-managing partner of the Silicon Valley office. Terry is a trial lawyer and represents clients in intellectual property and other complex commercial litigation related to high technology.

Terry has significant experience managing major complex patent litigation, including management of electronic data in large, cross-border litigations. Terry is also certified CIPP/US by the International Association of Privacy Professionals. Terry regularly counsels clients in the area of data privacy and cybersecurity.

Education: J.D., Santa Clara University School of Law; B.A., cum laude, Fordham University

Bar Admissions: California

Dick Clark has more than 40 years of experience as a business lawyer emphasizing international trade, investment and finance. He offers legal advice to public companies and small and large private companies, both domestic and foreign.

Mr. Clark has successfully handled international transactions and resolved international disputes involving complex issues such as export controls, import duties and tariffs, distribution agreements and networks, foreign manufacturing and fabrication, theft of trade secrets, antidumping issues, product liability claims, international financing arrangements, mergers and acquisitions, entity selection, contract rights and remedies, transfer pricing, internet and website issues, infringement of trademarks and patents, foreign trade zones, and treaty application disputes.

Education: J.D., University of South Dakota School of Law, 1969; B.A., University of South Dakota, 1966

Bar Admissions: Colorado

Richard K. Clark, [email protected]


Copyright © 2018 Lewis Roca Rothgerber Christie LLP, All rights reserved. These materials have been prepared by Lewis Roca Rothgerber Christie LLP for general informational purposes only. These materials do not, and are not intended to, constitute legal advice. The information provided in this document is not privileged and does not create an attorney-client relationship with Lewis Roca Rothgerber Christie or any of the firm’s lawyers.