What Companies Do to Comply with Privacy Shield
This post provides a snapshot of what certified companies have been doing in order to meet their obligations under the EU-U.S. Privacy Shield framework. This comes as the European Commission and the U.S. Administration will formally review the Privacy Shield framework in Brussels this week.
Close to 4,000 European and American companies have committed to complying with the EU-U.S. Privacy Shield since it became effective in July 2016. This number is a testament to the importance of Privacy Shield for the thousands of large, small, and medium-sized companies that rely on this data transfer mechanism, and for both the EU and U.S. as increasingly digitised economies.
This week, both the EU and the U.S. executive branches will review the working of the Privacy Shield framework and the implementation improvements the U.S. Administration has made since its last review in October 2017. Ahead of this review, CCIA surveyed its member companies about the processes they have put in place to meet their obligations under the Privacy Shield framework.
While compliance practices and internal governance differ from one company to another, one thing is clear: companies have allocated significant resources and put in place robust procedures to ensure adequate protection of Europeans’ data transferred and stored in the United States.
In this blog post, we provide a snapshot of the answers we have received.
Compliance with the Privacy Shield Principles
All companies have comprehensive privacy and security policies covering the Privacy Shield Principles, including Notice & Choice, Access, Security, Data Integrity, and Purpose Limitation. To comply with the Verification principle, policies specific to Privacy Shield requirements are regularly reviewed by internal committees or working groups, and often also by third-party audits.
At a more granular level, each product development and launch is subject to internal review against these policies. This typically involves regular conversations across the relevant departments, from engineering, business development, and marketing to the data protection office, legal, and security teams. Companies provide employees with regular training, the depth of which is usually commensurate with the employee's role.
To transfer data to third-party vendors, partners, and affiliates, new data protection agreements (including Standard Contractual Clauses) and amendments or addenda to existing contracts have been put in place to meet the Accountability for Onward Transfer principle. Third-party data recipients are typically subject to compliance review and security audit clauses, as well as an obligation to enter into data transfer agreements with any other parties they may have engaged before sharing can even begin.
Enforcement of the Access, Choice, and Notice principles varies from one service provider to the next. However, user-friendly interface settings and controls have become increasingly popular among consumer-facing service providers, with processors further up the supply chain, such as cloud service providers, working hand-in-hand with their customers to allow users to access, correct, or delete their personal data. Processors also impose contractual obligations on controllers to obtain all necessary rights and consent from their users and any applicable third parties to allow the collection and use of personal data.
Handling of User Requests and Complaints, and Dispute Resolution
The vast majority of Privacy Shield requests have been limited to inquiries regarding certification status, and to date, our member companies have not received any complaints.
That said, respondent companies have taken several practical and procedural steps to meet their obligations under the Privacy Shield framework and the General Data Protection Regulation. This typically includes the setup of dedicated online interfaces for users to lodge complaints or inquiries regarding Privacy Shield and the allocation of staff resources (including where necessary the legal team and Alternative Dispute Resolution service provider) to review and respond to possible complaints.
Access to Data for National Security and Law Enforcement Purposes
Companies provide detailed information regarding access to data for national security and law enforcement purposes in their transparency reports pursuant to the USA FREEDOM Act. Additional disclosure procedures have been put in place, including user notification before the requested information is disclosed, unless prohibited by law, or delayed notice after a legal prohibition is lifted. Generally, companies review each government request before responding to make sure it satisfies the applicable legal requirements and policies. They may ultimately push back should that not be the case, regardless of whether the affected user decides to challenge the access request.