EU-U.S. Privacy Shield: Should You Sign Up?

Page 1: EU-U.S. Privacy Shield: Should You Sign Up?

Page 2: Our Presenters

Rob Newman
Partner
Winston & Strawn LLP
[email protected]

Ryan Martin
Associate
Winston & Strawn LLP
[email protected]

Liisa Thomas
Partner
Chair, Privacy and Data Security Practice
Winston & Strawn LLP
[email protected]

Page 3: Agenda

1. What Is It And How Is It Different?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?

Page 4: Why Do We Need This Again?

Data transfers: any time data flows from EU to US

• US-based multinationals with EU presence
• US companies that do business with EU companies
• US companies that do business in the EU

Page 5: EU Data Transfer Restrictions, Unless:

• Consent
• Binding Corporate Rules
• Model Clauses
• Decision of Adequacy

Page 6: Decision of Adequacy

Entire Country
• Andorra
• Argentina
• Canada
• Faeroe Islands
• Guernsey
• Israel
• Isle of Man
• Jersey
• New Zealand
• Switzerland
• Uruguay

Safe Harbor
• For US companies
• ECJ decision ruled no longer adequate Oct. 2015
• Renewals will stop Oct. 31, 2016

Privacy Shield
• Replaces Safe Harbor
• Started accepting applications Aug. 1, 2016

Page 7: Hey, What About (esp. if lots of UK transfers)?

Shield may still make sense:

Page 8: What If I’m In Safe Harbor Now?

New applications stopped Aug. 1

DoC will maintain list (indefinitely?)
• Will accept renewals until Oct. 31
• Consider it!

US-Swiss Safe Harbor Framework continues

Page 9: Privacy Shield vs. Safe Harbor

Safe Harbor / Privacy Shield
• Principles mirror EU directive
• Heightened scrutiny and examination by DoC
• Mandatory arbitration
• Specific provisions to include in privacy policy
• Contracts for onward transfers
• Specific provisions for how to handle mergers
• Enforced by FTC
• Participant list maintained online by DoC
• Specific exit procedures
• Will cease to exist after Oct. 2016

Page 10: Privacy Shield vs. Model Clauses

Model Clauses / Privacy Shield
• Internal training and review requirements
• DoC and FTC scrutiny and clear enforcement procedure
• Mandatory arbitration
• Again modeled off of EU Directive
• Specific to data set described as being transferred
• Registration required with some DPAs
• Can tailor easily to one data transfer set

Page 11: Privacy Shield vs. Consent

Consent / Privacy Shield
• Works only if have direct relationship with individual
• Criticized by some DPAs as inadequate, especially in HR context
• Requires specific language when communicating data practices

Page 12: Privacy Shield vs. BCRs

BCRs / Privacy Shield
• Applies only to intra-company transfers
• Must be approved by DPA
• Application process can take several years
• Would need supporting procedures to implement and effectuate
• Core principles adhere to the EU Data Privacy Directive
• Application to a US regulatory body

Page 13: There are Principles, But What Do They Really Mean?!

• Notice
• Choice
• Accountability & Onward Transfer
• Security
• Data Integrity & Purpose Limitation
• Access
• Recourse, Enforcement, & Liability

Page 14: Agenda

1. What Is It And How Is It Different?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?

Page 15: Getting to the Shield

Understand Shield obligations
• Providing opt-out (or opt-in)
• Give access
• Handle complaints
• Contract with third-parties
• Secure information
• Retention/storage concerns
• Notice

Assess differences from US law
• Some obligations don’t exist under current law
• Some may merely be best practices
• Some may exist only under “specialty” laws (COPPA, HIPAA, GLB, etc.)

Conduct diligence
• What you have
• With whom you share
• Contractual provisions
• How you give choices
• How you respond to questions/complaints

Develop playbook
• Develop systems to address requirements
• Ensure ongoing compliance
• Develop policies/procedures
• Educate employees
• Discipline

Page 16: Provide Choice – Opt-Out

• If disclose to third-parties
• If use will be materially different from why collected
• If use will be materially different from what they subsequently authorized
• From marketing (let them do this at any time)

Page 17: Provide Choice – Opt-In for Sensitive

Examples
• Medical condition
• Race/ethnic origin
• Political opinion, religious beliefs
• Information about sex life

Some exceptions to getting consent
• Necessary to person’s vital interest
• To establish legal claim
• To provide medical care/diagnosis
• Needed to “carry out obligation” in employment law
• Related to information person made “manifestly” public

Why would this come up
• Not just health care providers!
• Conducting a survey
• HR (some exceptions we’ll discuss)

Page 18: How Does This Differ From US Law?

US
• Marketing opt-outs narrow (CAN-SPAM, TCPA, etc.)
• Email opt-out can be provided only at time of sending message

Shield
• Opt-out of marketing regardless of type of delivery
• Let people exercise marketing opt-out anytime

Page 19: Getting Prepared: Diligence Checklist

• Determine with which third-parties information is shared
• Assess types of marketing (email, direct, etc.)
• Audit and see if collecting sensitive information
• Have mechanism for marketing opt-out (anytime)
• Develop opt-out tracking for sharing and marketing

Page 20: Give People Access to Information

• Tell people if collected
• Tell people what collected
• If shared
• Respond in timely manner (can verify identity)
• Respond about info you currently have
• Exceptions*

*Can limit number of times, if it is too expensive, if someone else’s rights would be violated, etc.

Page 21: The Response to Access Request

1. Confirm if processing
2. Say what is being processed (categories)
3. To whom it is being given
4. Copy of the information (to make sure it is correct)
5. Give them ability to correct

Page 22: How Does This Differ From US Law?

US
• No general requirements
• Some sector-specific (FCRA)
• Some based on type of activity (Shine the Light)

Shield
• General access requirement

Page 23: Getting Prepared: Diligence Checklist

• Track what is collected
• Develop system to accept/respond to access requests
• Develop response mechanism (content, process)
• Decide what exceptions you will use (number of times, cost, etc.)

Page 24: Address Complaint Handling

• Create process to accept and respond to complaints
• Select ADR provider (ex: JAMS, BBB, or DPA panel)
• Be prepared!

Page 25: How Does This Differ From US Law?

US
• Best practice
• Common practice
• UDAP exposure

Shield
• Required

Page 26: Getting Prepared: Diligence Checklist

• Vet and select different ADR providers
• Put together process to handle complaints
• Test the process

Page 27: Sharing Information with Vendors (Processors)

• Only give to them for limited/specific purpose
• Make sure they give level of protection required in Principles
• Make sure they use information consistent with your obligations under Principles
• Require them to notify you if they can’t live up to the Principles

Have a contract in place that says:
• You act only on our instructions
• You give appropriate safeguards
• You will help us respond to people who exercise rights under Principles

If they notify you they can’t live up to Principles, then:
• Stop them from further processing
• Give summary of contract or copy of relevant privacy provisions to DoC if DoC asks

Page 28: Sharing Information with Business Partners (Other Data Controllers)

Notify people in privacy policy that are sharing with these third-parties
• Clear, conspicuous, and readily available

Give people choice about this sharing

Have a contract in place with the third-party
• That will process only for limited purposes, only purposes consistent with granted consent from individual
• Give same level of protections as in the Principles
• Notify if can’t give same level of protection anymore
• If so, then they have to also promise not to process anymore or “take other reasonable and appropriate steps”

Other party doesn’t have to be a Shield participant or have independent recourse mechanism
• Contract just has to say that will give same level of protection
• BUT, do have to have available “an equivalent mechanism”

What if part of same corporate family and both controllers?
• Don’t always need a contract
• Could transfer using another mechanism (BCR, intra-group agreements)
• Make sure information is protected
• If no contract, Shield company “remains responsible for compliance with the Principles”

Page 29: How Does This Differ From US Law?

US
• Typically tied to sharing of certain information (MA)
• Common practice
• In regulated industries may be required or expected

Shield
• Contract required

Page 30: Getting Prepared: Diligence Checklist

• Identify third-party vendors and partners (hard!)
• Develop standard contractual language for each
• Have guidelines/policy/playbook for how and when to provide personal information to third-parties
• Regularly audit third-parties for compliance
• Create mechanism to address if they aren’t living up to contract
• Train and educate employees about obligations

Page 31: Security

Reasonable and appropriate measures
• Encrypt data in motion
• Encrypt data accessible through Internet
• Firewalls
• Password protocols
• Access rights protocols

To protect information from:
• Loss
• Misuse
• Unauthorized access
• Unauthorized disclosure
• Unauthorized alteration
• Unauthorized destruction

Page 32: How Does This Differ From US Law?

US
• Required by some states (MA, NV, CA)
• Common practice
• In regulated industries may be required

Shield
• Security required

Page 33: Getting Prepared: Diligence Checklist

• Assess current practices
• Remediate gaps
• Ensure ongoing updates
• Assign sufficient personnel and budget

Page 34: Retention and Storage Concerns

• Use consistent with notice
• Keep only as long as you need for purposes for which provided
• Destroy after you don’t need (or return)
• Make sure information is reliable
• Modify/delete if told by person of an error
• Update if get a “returned to sender”

Page 35: How Does This Differ From US Law?

US
• Failure to take steps might expose company to UDAP if something goes wrong
• Some sector or state level requirements may exist (COPPA)

Shield
• Required

Page 36: Getting Prepared: Diligence Checklist

• Develop mechanism (internal privacy policy, for example) to understand and adhere to external privacy policy
• Assess and update document retention policy if necessary
• Determine how will update information/ensure reliable

Page 37: Provide Notice

1. That you participate in Shield
   Watch out! You need to be listed!!
2. What PII you collect
3. That you adhere to Shield
4. Purposes for collecting
5. To whom you disclose and why
6. How to contact you
7. About access rights
8. Rights regarding choice
9. About Shield enforcement mechanisms

Page 38: How Does This Differ From US Law?

US
• State requirements (CA, DE) but not as detailed
• Sector-specific requirements (HIPAA, GLB)

Shield
• Required

Page 39: Getting Prepared: Diligence Checklist

• Review current policy
• Determine if gaps
• Update
• Ensure new language is accurate

Page 40: Special Considerations for HR Data

Notice
• Need to give opt-out

Notice/choice exception
• “In context of making employment decisions”
• For operational needs (booking flights, etc.) as long as originally gave notice

Accommodate privacy preferences
• Use reasonable efforts

Page 41: Special Considerations for Pharma Data

• Explain that the personal data may be used in future medical or pharmaceutical research activities that are unanticipated
• Special treatment for:
  • Clinical studies
  • Providing information to regulators or other researchers
  • Blind studies
  • Product safety monitoring
  • Key-coded data

Page 42: Special Considerations for Publicly Available Information

Apply These Shield Principles:
• Security
• Data Integrity
• Purpose Limitation
• Recourse/Enforcement

Don’t Need to Apply* These Principles:
• Notice
• Choice
• Accountability re Onward Transfer
• Access

* As long as not combined with non-public record information

Page 43: Agenda

1. What Is It And Why Would We Join?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?

Page 44: Verify Compliance

Page 45: Self-Verification

Validate
• Privacy policy is correct
• Prominently displayed
• Implemented
• Accessible
• Conforms to Principles
• People know what to do if they have a complaint

Training
• Train employees on how to implement
• Discipline if fail to comply

Review
• Objectively review “periodically” that are in compliance with Principles

Page 46: Third-Party Verification

They check if:
• Individuals are told about how to complain
• You are complying with your policy
• Policy conforms to Principles

If all in order, you get their okay

Page 47: Self-Certify with DoC

• Contact details
• Organization info
• Selected dispute mechanism
• Verification method
• Description of activities/policy
• Payment!

Page 48: How Payment is Calculated

Annual Corporate Revenue            Annual Fee
$0 to $5 million                    $250
Over $5 million to $25 million      $650
Over $25 million to $500 million    $1,000
Over $500 to $5 billion             $2,500
Over $5 billion                     $3,250

Page 49: Self-Certification for HR Data

Must also…
• Tell DoC
• Give copy of HR Policy
• Say how employees can see HR Policy
• Make sure FTC or DOT has jurisdiction**

**Supplemental Principles, 6: “may [use Shield for HR] where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information.”

Page 50: Agenda

1. What Is It And How Is It Different?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?

Page 51: Complaint-Handling Process

Let people bring issue to you
• 45 days to respond

Independent Recourse Mechanism
• ADR based in EU or US* or
• DPA Panel
• Except HR data, cooperate with DPA
• They will look into unless frivolous
• *BBB, TRUSTe, AAA, JAMS, DMA

Arbitration Panel
• Based in the US
• Paid for by fees when you sign up

Page 52: Record-Keeping

Keep records of how implemented Shield privacy practices
• Show if asked in context of an investigation on compliance

Respond promptly if DoC asks about Shield participation

Make verification (self-assessment or third-party assessment) available if individual asks

Page 53: Maintain Shield Status – Recertify Annually

Page 54: Verify Ongoing Compliance

• Self-Verification: Corporate officer has to sign once a year confirming compliance
• Third-party verification: Statement made once a year that are compliant, signed by reviewer or corporate officer

Page 55: Remember: Self-Verification

Validate
• Privacy policy is correct
• Prominently displayed
• Implemented
• Accessible
• Conforms to Principles
• People know what to do if they have a complaint

Training
• Train employees on how to implement
• Discipline if fail to comply

Review
• Objectively review “periodically” that are in compliance with Principles

Page 56: Remember: Third-Party Verification

They check if:
• Individuals are told about how to complain
• You are complying with your policy
• Policy conforms to Principles

If all in order, you get their okay

Page 57: Exiting the Shield

Merger?
• Tell DoC in advance
• Explain if still in Shield or other mechanism (or else delete)

Remove references to Shield from Privacy Policy
Don’t otherwise imply participation

If keeping the data
• Affirm the above annually to DoC
• If don’t, then need to delete

What to do with information collected under the Shield
• Apply the Principles or apply “adequate” protection another way
• Delete data

Page 58: Safe Harbor Enforcement: A Vision of the Future?

• FTC argues that representing to consumers that an expired Safe Harbor certification is current is a deceptive trade practice
• More than a dozen cases brought
• The FTC generally did not look at whether or not the companies were, in fact, adhering to the Safe Harbor Principles

Page 59: Agenda

1. What Is It And Why Would We Join?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?

Page 60: Do You Have Data Flowing from EU to US?

Data transfers
• US-based multinationals with EU presence
• US companies that do business with EU companies
• US companies that do business in the EU
• But keep in mind…

Page 61: Will Still Need One of These:

• Consent
• Binding Corporate Rules
• Model Clauses
• Privacy Shield

Page 62: Pros and Cons of the Shield

Cons
• Significant diligence needed
• Need to potentially create new policies/procedures
• Requires internal training and mechanism to make sure don’t forget obligations
• Publicly stated commitments can raise risks (UDAP)
• Will be revisited annually, so may change form

Pros
• Forces diligence and policies (UDAP exposure may be lowered)
• More streamlined than BCR
• Less expensive and less time to approval than BCRs
• One-stop shop to show EU partners compliance

Page 63: Thank You.

Rob Newman
Partner
Winston & Strawn LLP
[email protected]

Ryan Martin
Associate
Winston & Strawn LLP
[email protected]

Liisa Thomas
Partner
Chair, Privacy and Data Security Practice
Winston & Strawn LLP
[email protected]