Q&A: Factors to consider before joining the Privacy Shield framework - Valutrics

The U.S. Department of Commerce (DOC) began accepting certifications for the EU-U.S. Privacy Shield on Aug. 1. The transatlantic data transfer framework — a joint effort by the U.S. DOC and European Commission — replaces Safe Harbor and enforces stronger data privacy compliance obligations on U.S. organizations transferring EU residents’ personal data as part of transatlantic commerce relations.

In part one of this two-part Q&A, Melinda McLellan, privacy and data protection lawyer at the BakerHostetler law firm, discusses the factors and operational reforms that companies eligible to self-certify under the Privacy Shield framework should consider before joining.

What are some of the factors that companies should consider before self-certifying under the Privacy Shield framework?

Melinda McLellan: One of the first things would be how well companies understand their own data flows and what kind of compliance framework and policy framework they already have in place. They are going to want to have that well established before they certify.

I think the second thing to consider is how many onward transfers are involved, and how they are going to manage their vendor relationships. Under the new framework, onward transfers require contractual agreements. 

I have clients who, after the Safe Harbor came down, started putting in place model contracts to cover their data transfers. It may be more of an internal decision for them, whether they would prefer to move to the Privacy Shield.

Companies need to consider whether they are prepared to meet all of the requirements, and they shouldn’t think of it as just a check-the-box exercise. Careful thought needs to go into the decision, and certainly for many companies that would mean revising their policies or updating the way they are implemented.

What kind of operational reforms should a company think of before self-certifying under the Privacy Shield framework?

McLellan: Companies that previously had certified to the Safe Harbor probably already have many of the policies and procedures in place. But there are a few new things under the Privacy Shield framework that they have to consider. And certainly a company that wasn’t Safe Harbor-certified will probably have a number of things that they have to review in their organization and consider in terms of new policies or procedures to make sure they are complying with the Privacy Shield principles.

One thing that is different or new with the Privacy Shield framework is that the company’s privacy policy, which may be posted online or distributed to people whose information you are collecting, will need to incorporate additional information. The framework lists 13 points that need to be covered. Many of these concepts had to be covered previously if you were Safe Harbor-certified, but the requirements are more explicit now, for example, disclosing the fact that individuals may have the option of invoking binding arbitration.

You also have to state the choices and means that the organization offers for an individual to limit how their data can be used and disclosed, and the fact that they have the right to access their personal data. I do think that the enforcement authorities will be looking to make sure that these items are included because it’s a relatively straightforward way for authorities to see if an organization is complying.

How important is it for companies to start mapping their data flows?

McLellan: Companies need to assess and understand their data flows. They need to make sure they know exactly what data they are collecting, what data is coming from the EU to the U.S. That includes reviewing service provider agreements and seeing which vendors or service providers might be receiving their data from the EU, because under the Privacy Shield framework they could be liable for violations by their service providers or by third parties that they allow to have access to the data.

Sometimes there are many entities within a large organization that may be handling different types of data in different ways. For example, you might have an HR department doing one thing with employee data, and a marketing department doing something totally different with customer data. It is really important to map those data flows throughout the entire organization. Companies also need to look for less obvious ways the organization might be collecting EU residents’ data and transferring it to the U.S.

Stay tuned for part two of this Q&A, where McLellan discusses some of the new principles that the Privacy Shield framework has introduced.