Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
International: Overview of the EU-US and Swiss-US Privacy Shield Frameworks
The EU-US Privacy Shield Framework ('the EU-US Privacy Shield'), and the Swiss-US Privacy Shield Framework ('the Swiss-US Privacy Shield') (together, 'the Privacy Shield'), were designed by the U.S. Department of Commerce ('Department of Commerce'), the European Commission ('the Commission'), and the Federal Council of Switzerland respectively to be one mechanism to satisfy EU and Swiss requirements for adequate protection for transfers of personal data outside the European Economic Area ('EEA') and Switzerland to the US.
While the Privacy Shield is no longer a valid means for organisations to rely upon to transfer personal data to the US, as described further below, the Privacy Shield continues to provide a means for organisations to signal that they have taken steps towards certain data protection principles, including while organisations await further details of the new Transatlantic Data Privacy Framework announced by the Commission and the US.
Therefore, notwithstanding the invalidation of the Privacy Shield as a transfer mechanism, many companies have maintained their Privacy Shield certification. In light of this, Robert Blamires, Serrin Turner, and Jennifer Howes, from Latham & Watkins LLP, outline the requirements of the Privacy Shield frameworks for companies that continue to participate, and as we await further details of what the new Transatlantic Data Privacy Framework may require from a certification and participation perspective.
The Privacy Shield in a nutshell
Under EU and Swiss data protection law, the transfer of personal data outside the EEA and Switzerland is prohibited unless the data is transferred to a country which ensures adequate protection for that data, other Commission-approved adequate safeguards are put in place to protect that data, or a specific derogation applies.
The Privacy Shield was designed by the Department of Commerce, the Commission, and the Federal Council of Switzerland to be one mechanism to satisfy EU and Swiss requirements for adequate protection for transfers of personal data outside the EEA and Switzerland to the US. However, in 2020, the EU-US Privacy Shield was invalidated by the Court of Justice of the European Union's ('CJEU') decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II') and, in a similar manner, the Swiss-US Privacy Shield was invalidated soon after by the Federal Data Protection and Information Commissioner ('FDPIC') after the Schrems II case.
These decisions mean that the Privacy Shield can no longer be relied upon to transfer personal data to the US and that organisations must rely on other mechanisms, such as the Standard Contractual Clauses ('SCCs') and Binding Corporate Rules ('BCRs'), instead. The Schrems II case imposed a number of caveats on the use of the SCCs and BCRs for data transfers to the US (and other destinations). Broadly, organisations are required to assess whether relevant US laws (as applicable in the context of each data transfer on a case-by-case basis), in combination with the relevant SCCs or BCRs, ensure adequate protection for the personal data being transferred, and to put in place additional safeguards when necessary.
Since these decisions, on 25 March 2022, the Commission and the US announced that they had confirmed an agreement in principle for a new Transatlantic Data Privacy Framework to facilitate data transfers between the EU and US. On 7 October 2022, the White House announced that U.S. President Biden had signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities ('the Executive Order'), which directs the steps that the US will take to implement its commitments under the EU-US Data Privacy Framework ('EU-US DPF') . Ultimately, the goal is to create a new valid mechanism to satisfy adequate protections for transfers from the EEA to the US, after the invalidation of the Privacy Shield as a transfer mechanism. The Government of the United Kingdom has also indicated an intention to validate a mechanism for personal data transfers from the UK to the US, on the basis of the Executive Order.
Notwithstanding the invalidation of the Privacy Shield as a transfer mechanism, the Department of Commerce is continuing to administer the Privacy Shield, including processing applications for certification and re-certification, and maintaining the Privacy Shield List.
This Insight will be drafted in the present tense, acting as an overview of the Privacy Shield frameworks as they were drafted.
Scope of application
The EU-US Privacy Shield is a voluntary self-certification scheme, administered by the Department of Commerce.
Eligibility to join the EU-US Privacy Shield
Certification is available to any US organisation that processes personal data in connection with an activity that is subject to the jurisdiction of the Federal Trade Commission ('FTC') or the Department of Transportation ('DOT'). This covers most US organisations, although generally excludes banks, federal credit unions, savings and loan institutions, telecommunications and interstate transportation common carriers, labour associations, most non-profit organisations, most organisations involved in packer and stockyard activities, and most insurance companies. Organisations that fall under these regulatory categories should seek further guidance from legal counsel before applying for the EU-US Privacy Shield. Non-US organisations (including organisations incorporated in the EU) cannot certify for the EU-US Privacy Shield, because they are not subject to the jurisdiction of either the FTC or the DOT.
Re-certification
Organisations must complete an annual re-certification application to continue participation in the Privacy Shield. The information required during re-certification is identical to the information required during the initial self-certification process. Organisations should submit their re-certification application before their current certification lapses; however, there is currently a 'grace period' of 30 days in which the Department of Commerce still accepts an organisation's re-certification application. As described below, the FTC has been active in its enforcement actions against companies that continue to claim to be Privacy Shield certified after allowing their certification to lapse without applying for re-certification.
Verification mechanism
Organisations must either register with a third-party assessment program to verify annual compliance with the principles (please see below), or commit to performing an internal annual assessment to verify such compliance. Most organisations choose to perform this annual compliance check themselves.
Anyone can verify whether an organisation is Privacy Shield-certified via the Privacy Shield List. The Privacy Shield List includes, for each certified organisation, the organisational entities covered by the certification, the types of data collected, details about the dispute resolution procedure chosen, and a link to the organisation's privacy policy.
Other information
Organisations must provide the following additional information in the application:
- EU-US Privacy Shield contact: Name and contact information of the designated individual nominated to be a EU-US Privacy Shield point of contact for data subjects and responsible for handling:
- inquiries;
- requests to access, amend, or delete personal information that the organisation holds;
- complaints; and
- any other issues arising under the EU-US Privacy Shield;
- a description of the organisation's data processing activities: A description of the types of personal data the self-certification covers, the purposes for which the personal data is processed, and the types of third parties with whom the organisation discloses personal data;
- organisational entities included in the application: A list of all US entities (affiliates and subsidiaries) within the organisation's corporate group that are adhering to the principles and are covered under the organisation's self-certification; and
- annual revenue: The organisation's annual revenue (to calculate the annual fee).
Key definitions and basic concepts
Key terms used in the Privacy Shield largely mirror the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and include the following:
Controller: means a person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Personal data and personal information: means data about an identified or identifiable individual that are within the scope of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data ('Data Protection Directive'), received by an organisation in the US from the EU, and recorded in any form.
Processing: means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
Sensitive data: means any data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual.
In addition, the Privacy Shield is built on the Privacy Shield Principles ('the Principles'), which are:
- Notice: Organisations must publish privacy notices containing certain information about their privacy practices, their use, collection, and sharing of personal data, and their participation in the Privacy Shield.
- Choice: Individuals must have a mechanism for opting out of having their personal data disclosed to a third party or used for a different purpose than that for which it was provided.
- Accountability for onward transfer: Organisations must have contracts with third parties who process personal data for, and on behalf of, the organisation, that contain certain commitments.
- Security: Organisations must take reasonable and appropriate measures to protect personal data from misuses, loss, unauthorised access, disclosure, alteration, and destruction.
- Data integrity and purpose limitation: Organisations must take reasonable steps to limit processing for the purposes for which it was collected and ensure that personal data is accurate, complete, and current.
- Access: Organisations must provide a method by which data subjects can request access, correct, amend, or delete information the organisations hold about them.
- Recourse, enforcement, and liability: There must be recourse for individuals affected by an organisation's non-compliance, including consequences for such organisations.
Requirements
Privacy policy
Organisations must adopt a clear, concise, and easy-to-understand website privacy policy that complies with the Principles. The privacy policy must include the following:
- a statement that the organisation adheres to the Principles;
- a link to the Privacy Shield website (accessible here); and
- a link to the website or complaint submission form of the independent recourse mechanism chosen.
The process for first-time applicants in relation to implementing their privacy policy is as follows:
- the organisation provides the privacy policy (in draft) to the Department of Commerce, including information about the intended location, e.g. website address where the privacy policy will be made available (but must not make the privacy policy publicly available online or otherwise at this point);
- the Department of Commerce will review the application, including the privacy policy, and (if applicable) confirm that the organisation fulfils all certification requirements;
- once confirmed, the organisation makes its privacy policy public; and
- the organisation then notifies the Department of Commerce that it has made its privacy policy public.
Key considerations regarding certain types of data
Organisations that are considering applying for the EU-US Privacy Shield should give special consideration to HR data, sensitive personal data, and law enforcement access requests.
Human resources data
Organisations that choose to extend the EU-US Privacy Shield benefits to HR personal data transferred from the EU for use in the context of an employment relationship must indicate this when self-certifying. If the self-certification will cover HR data, then the organisation must agree to use data protection authorities ('DPAs') as an independent recourse mechanism with respect to such. For an EU-US Privacy Shield certification to cover HR data, there must be an HR privacy policy with the same requirements as the website privacy policy. Like the website privacy policy, organisations must make a copy available as part of the certification and re-certification processes. However, unlike the website privacy policy, an organisation is not required to make the HR privacy policy publicly available on their website (although it can do so if it wishes, either combined with the website privacy policy or as a standalone).
The requirements for onward transfers also apply to HR data, but exceptions may be made for occasional employment-related operational needs of the organisation that involve minimal transfers of personal data to third parties (such as booking a flight or hotel room for an employee).
Sensitive personal data
If the personal data processed by an organisation includes sensitive personal data, organisations must obtain affirmative express consent from individuals if such information is to be either disclosed to a third party, or used for a purpose other than as originally collected or as otherwise expressly authorised by the individual.
However, an organisation is not required to obtain affirmative express consent where the processing is:
- in the vital interests of the data subject or another person;
- necessary for the establishment of legal claims or defences;
- required to provide medical care or diagnosis;
- carried out in the course of legitimate activities by a foundation, association, or any other non-profit body with a political, philosophical, religious, or trade-union aim, and on condition that the processing relates solely to the members of the body or to the persons who have regular contact with it in connection with its purposes and that the data is not disclosed to a third party without the consent of the data subjects;
- necessary to carry out the organisation's obligations in the field of employment law; or
- related to data that is manifestly made public by the individual.
In all cases, an organisation should treat as sensitive any personal data received from a third party where the third party identifies and treats it as sensitive.
Law enforcement access requests
Organisations must inform individuals that personal data may be disclosed in response to lawful requests by public authorities, including for the purposes of meeting national security or law enforcement requirements. This disclosure is typically included in the organisation's public-facing privacy policy.
Management system
Preparing for Privacy Shield self-certification requires an organisation to take several steps in relation to the organisation's data governance and management system, including updating its privacy policy, reviewing current procedures for providing rights to choice and access, and reviewing data security mechanisms to ensure adequate protection. Although not specifically required by the Principles, organisations will be assisted in achieving and maintaining certification by developing related internal policies and procedures and providing training to employees on Privacy Shield and related data privacy and security compliance.
In addition, the verification principle requires organisations to provide follow-up procedures for verifying that the organisation's attestations and assertions they make about their Privacy Shield privacy practices are true and that those practices have been implemented as represented and in accordance with the Principles. An organisation must verify such attestations and assertions either through registering with a third-party assessment program, or commit to performing an internal annual assessment to verify such compliance. Most organisations choose to perform this annual compliance check themselves. There are specific requirements for verification depending on whether the organisation uses a third-party assessment program or performs internal assessments. In both cases, organisations must retain their records on the implementation of their Privacy Shield practices and make the records available upon request in the context of an investigation or complaint about non-compliance.
Data security
Organisations must take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorised access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data. The Privacy Shield does not provide any specifics regarding what form those measures may or must take. However, they should be reasonable and appropriate under the circumstances. If an organisation's data security measures are out of date or have not been recently reviewed, the internal review (and any updates required) may require significant time and resources to complete.
Accountability and recordkeeping
Organisations must provide a Privacy Shield contact, that is the name and contact information of the designated individual nominated to be a Privacy Shield point of contact for data subjects and responsible for handling:
- inquiries;
- requests to access, amend, or delete personal information that the organisation holds;
- complaints; and
- any other issues arising under the Privacy Shield.
The Privacy Shield Contact should, amongst other things, maintain a record of any questions or complaints received from data subjects, and how each question or complaint is resolved.
As described above, organisations must verify annual compliance with the Principles, through either self-assessment or outside compliance reviews. Organisations must maintain records relating to their Privacy Shield implementation and compliance as part of this verification process, and make their records available upon request in the context of an investigation or complaint about non-compliance. Records may include documents such as:
- the organisation's Privacy Shield privacy policy;
- any relevant internal policies and procedures;
- any relevant third-party contracts or contract addendums;
- employee training materials relevant to privacy or security;
- findings of any privacy or security audit or related gap analysis report; and
- the organisation's signed verification form.
Additionally, if an organisation leaves the Privacy Shield, but retains information received under the Privacy Shield, it must annual certify its commitment to apply the Principles to such information, or provide 'adequate' protection for the information by another authorised means.
Data subject rights
Right of access
Under the Privacy Shield, data subjects have the right to:
- obtain from an organisation confirmation of whether or not the organisation is processing personal data relating to them;
- have communicated to them such data so that they can verify its accuracy and the lawfulness of the processing; and
- have the data corrected, amended, or deleted, where it is inaccurate or processed in violation of the Principles.
Organisations must make good faith efforts to provide access. If access is to be restricted in any particular instance (e.g. certain information needs to be protected from disclosure and can be redacted), the organisation should provide the individual with an explanation of why it made that determination, and a contact point for further inquiries. The right to access may be restricted only in limited, exceptional circumstances. Organisations may charge a fee that is not excessive, e.g. if the request is manifestly excessive due to its repetitive character.
Right to limit the use and disclosure of personal data
Organisations must offer data subjects the opportunity to choose whether personal data about them is to be disclosed to a third party or to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorised by the data subject (i.e. opt-out). However, the provision of choice is not necessary if disclosure is made to an agent performing tasks on behalf and under the instruction of the organisation.
For sensitive information, organisations must obtain affirmative express (i.e. opt-in) consent from individuals if such information is to be disclosed to a third party or used for a purpose other than that for which it was originally collected or subsequently authorised through the exercise of opt-in choice.
Independent recourse mechanism
Organisations must choose an independent recourse mechanism and register with the recourse mechanism provider, if required (see below). This is necessary to comply with the EU-US Privacy Shield's requirement to provide a third-party investigative body to address data subjects' unresolved complaints regarding the organisation's compliance with the Principles. The recourse mechanism must be provided at no cost to data subjects. Organisations have two options for satisfying this requirement:
- registering with a private-sector privacy program; or
- committing to cooperate and comply directly with the EU DPAs.
If the self-certification will cover HR data, then the organisation must agree to cooperate and comply with DPAs with respect to such data, i.e. must choose option two in relation to such data.Organisations choosing option two are subject to an annual fee of $50 (there is no need to register with a DPA). For organisations that chose to register with a private sector privacy program, registration must be complete prior to submitting the EU-US Privacy Shield application. Private sector programs typically charge either annual fees, ranging from $300 to $7,000 per year, (depending on the organisation's annual revenue), or a fee-per-dispute, ranging from $500 to $2,250 per dispute.
The Principles encourage data subjects to raise any complaints they have with the relevant organisation before proceeding to the organisation's independent recourse mechanisms, and organisations must respond to a consumer within 45 days of receiving a complaint.
Cross-border data transfers and localisation
Onward transfers
The Privacy Shield sets out certain requirements for the onward transfer of personal data to third parties. Meeting this these requirements will require the organisation to review (and possibly update contracts) with those third parties to include certain required provisions. The requirements differ according to whether the third party will be acting as a controller or an agent (the Privacy Shield's terminology for 'processor').
For transfers to third party controllers, organisations must:
- give individuals notice and the opportunity to opt out, or, in case of sensitive data, obtain their consent prior to the transfer; and
- enter into a contract which provides that data may only be processed for limited and specified purposes consistent with the consent provided by the individual, and that the third party will provide the same level of protection as the Principles, will notify the organisation if it makes a determination that it can no longer meet this obligation and, if so, cease processing or take other reasonable and appropriate remedial steps.
For transfers to third-party agents, organisations must:
- transfer personal data only for limited and specified purposes;
- ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- take reasonable and appropriate steps to ensure that the agent effectively processes the personal data in a manner consistent with the organisation's obligations under the Principles;
- require the agent to notify the organisation if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles and, if so, take reasonable and appropriate steps to stop and remediate unauthorised processing; and
- provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
As described above, the requirements for onward transfers also apply to HR data, but exceptions may be made for occasional employment-related operational needs of the organisation that involve minimal transfers of personal data to third parties (such as booking a flight or hotel room for an employee).
Organisations must review arrangements for the onward transfer of personal data to third parties, including reviewing and updating contracts with those third parties to include certain required provisions. The requirements differ according to whether the third party will be acting as a controller or an agent (the Privacy Shield's terminology for 'processor').
For transfers to third party controllers, organisations must:
- give individuals notice and the opportunity to opt out, or, in case of sensitive data, obtain their consent prior to the transfer; and
- enter into a contract which provides that data may only be processed for limited and specified purposes consistent with the consent provided by the individual, and that the third party will provide the same level of protection as the Principles, will notify the organisation if it makes a determination that it can no longer meet this obligation and, if so, cease processing or take other reasonable and appropriate remedial steps.
For transfers to third-party agents, organisations must:
- transfer personal data only for limited and specified purposes;
- ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
- take reasonable and appropriate steps to ensure that the agent effectively processes the personal data in a manner consistent with the organisation's obligations under the Principles;
- require the agent to notify the organisation if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles and, if so, take reasonable and appropriate steps to stop and remediate unauthorised processing; and
- provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department of Commerce upon request.
Vendor management
As described above, when transferring personal data to a third-party agent (e.g. a vendor or other company processing personal data for, or on behalf of, the organisation), the organisation must take certain steps to ensure that the agent processes personal data in a manner consistent with the organisation's obligations under the Principles, enter into a written contract with the agent, and include certain information in that contract.
Incident and breach
The Principles do not require any specific steps in relation to security incidents or breaches. However, a security incident or breach may be evidence of the organisation's non-compliance with the security principle (i.e. the requirement that organisations take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorised access, disclosure, alteration, and destruction).
Privacy by Design
The Privacy Shield does not specifically require organisations to implement Privacy by Design ('PbD'). However, compliance with several of the Principles could facilitated by a PbD approach.
Additional requirements
In addition to taking steps outlined above, organisations must provide the following information in their application for Privacy Shield participation:
- EU-US Privacy Shield contact: Name and contact information of the designated individual nominated to be a EU-US Privacy Shield point of contact for data subjects;
- a description of the organisation's data processing activities: A description of the organisation's data processing activities, a description of the types of personal data the self-certification covers, the purposes for which the personal data is processed, and the types of third parties with whom the organisation discloses personal data;
- organisational entities included in the application: A list of all US entities (affiliates and subsidiaries) within the organisation's corporate group that are adhering to the Principles and are covered under the organisation's self-certification; and
- annual revenue: The organisation's annual revenue (to calculate the annual fee; see section on fees directly below).
Fees
Organisations must pay the following fees, calculated by reference to the organisation's annual revenue:
- Annual EU-US Privacy Shield Fee (paid upon submission of application); and
- One-time EU-US Privacy Shield Arbitral Fund Fee for the Annex I Binding Arbitration Mechanism (this fee may be paid here).
Annual Revenue of organisation | Annual Privacy Shield Fee (Single Framework / Both Frameworks) | One-time EU-US Privacy Shield Arbitral Fund Fee |
$0 to $5 million | $250 / $375 | $250 |
Over $5 million to $25 million | $650 / $975 | $500 |
Over $25 million to $500 million | $1,000 / $1,500 | $1,000 |
Over $500 million to $5 billion | $2,500 / $3,750 | $5000 |
Over $5 billion | $3,250 / $4,875 | $10,000 |
Additionally, if an organisation leaves the Privacy Shield, but retains information received under the Privacy Shield, it must annually pay a $200 fee for each applicable Privacy Shield unless it subsequently provides 'adequate' protection for the information by other authorised means.
Compliance benefits
The EU-US Privacy Shield is a voluntary self-certification scheme, administered by the Department of Commerce. As described above, the Department of Commerce is continuing to administer the Privacy Shield, notwithstanding the invalidation of the Privacy Shield as a transfer mechanism. Therefore, participation in the Privacy Shield still has some limited value, e.g. in signalling adherence to certain data protection standards and, in some cases, in fulfilling contractual commitments to maintain participation. In addition, Privacy Shield participation creates a foundation for compliance with the GDPR and data privacy requirements across other jurisdictions. Organisations that continue to participate in the Privacy Shield are not relieved of their obligations and public commitments under those frameworks, and risk enforcement action if they remain a member of the program, but fail to comply.
Practical considerations for self-certification
Under the Privacy Shield frameworks, organisations must have the Privacy Shield requirements in place before completing the self-certification process and should budget several months for preparation. In practice, the steps for an organisation to undertake, in preparing for self-certification, include:
- deciding which organisational entities will be included in the self-certification and the types of personal data that will be covered (i.e. HR data or only non-HR data);
- updating the organisation's privacy policy;
- identifying all contracts between the organisation and third-party controllers and agents that include transfers of personal data, including both existing signed contracts and contract templates used by the organisation;
- updating such contracts to include the required Privacy Shield protections, which typically involves preparing data processing addendum templates to provide to third parties in relation to existing signed contracts, as well as adding the required language to the organisation's templates (also using a data processing addendum or otherwise);
- reviewing the organisation's current procedures for providing individuals the ability to exercise their rights to choice and access under the Principles;
- selecting from the available independent recourse mechanisms and registering with a provider, if applicable;
- selecting a verification mechanism and registering with a provider, if applicable; and
- reviewing the organisation's current data security mechanisms to ensure the organisation is providing adequate protection of personal data.
Of the above, the process for updating relevant contracts (i.e. steps 4 and 5 above) is typically the most time-consuming for an organisation, both in terms of identifying all relevant contracts across the organisation and in terms of updating existing signed contracts with third parties (given the potential lack of response or cooperation from the third party, or potential attempts by the third party to negotiate the updated contract). In addition, if the organisation's data security mechanisms are out of date or have not been recently reviewed, the organisation should expect that this internal review and update process will require significant time and resources to complete.
Enforcement
Supervisory authorities and cooperation procedures
Organisations and their selected independent recourse mechanisms must respond promptly to inquiries and requests by the Department of Commerce for information relating to an organisation's compliance with the Privacy Shield. Organisations that have chosen DPAs – or, for the Swiss-US Privacy Shield, the FDPIC must respond directly to such authorities with regard to the investigation and resolution of complaints. While organisations are required to provide all data subjects with the contact information of their chosen independent recourse mechanism provider, the Principles recommend that organisations encourage data subjects to resolve their complaints by first contacting the organisation directly, and then using the independent recourse mechanism if the issue has not been resolved. If no resolution is reached at the level of the independent recourse mechanism provider, complaints can then be brought to arbitration (see Annex I of the Principles).
Sanctions for non-compliance
The remedies issued by the independent recourse mechanism provider should ensure that any data processing activities of the organisation that are not in compliance with the Principles are brought into compliance. Dispute resolution bodies, including independent recourse mechanism providers and arbitration panels (see Annex I of the Principles), have discretion to implement sanctions corresponding to the severity of the violation. Such sanctions could include publication of findings of non-compliance, the requirement to delete certain personal data, suspension or removal of a seal, financial compensation for data subjects for losses incurred, and injunctions. Dispute resolution bodies must notify the Department of Commerce, and either the FTC or the DOT, as applicable, of an organisation's failure to comply with sanctions.
The FTC may choose to seek an administrative cease-and-desist order, or file a complaint in federal court against an organisation that it has reason to believe has violated Section 5 of the Federal Trade Commission Act of 1914 prohibiting unfair or deceptive practices. Such violations may include failure to adhere to the Principles, or falsely claiming to be EU-US Privacy Shield certified. Since the EU-US Privacy Shield came into effect in 2016, the FTC has initiated enforcement actions against numerous companies. These have focused on companies falsely claiming that they are certified when they either have never been certified or they have allowed their certification to lapse, but continued to claim participation in the EU-US Privacy Shield.
Where a dispute resolution body has found that an organisation persistently fails to comply with the Principles, the organisation must promptly notify the Department of Commerce of such facts. Failure by the organisation to do so may be actionable under the False Statements Accountability Act of 1996. The Department of Commerce will remove organisations from the Privacy Shield List in response to persistent failures to comply with the Principles or issued sanctions. Organisations will be provided 30 days' notice and an opportunity to respond before being removed.
Swiss-US Privacy Shield
As described above, the FDPIC invalidated the Swiss-US Privacy Shield on 8 September 2020, meaning that the Swiss-US Privacy Shield can no longer be relied upon to transfer personal data from Switzerland to the US. However, as with the EU-US Privacy Shield, the Department of Commerce is continuing to administer the Swiss-US Privacy Shield program. The Swiss-US Privacy Shield largely follows the framework and requirements of the EU-US Privacy Shield, but with a few key distinctions (as outlined below).
Key distinctions between the Swiss-US Privacy Shield and the EU-US Privacy Shield
Organisations interested in certifying for both the EU-US Privacy Shield and the Swiss-US Privacy Shield should note the following distinctions between the frameworks:
FDPIC
Under the Swiss-US Privacy Shield, the FDPIC replaces the DPAs as the authoritative regulatory agency. Thus, organisations that process personal data in both Switzerland and EU Member States will be subject to the regulatory authority of multiple agencies.
There is no annual fee for the FDPIC being the independent recourse mechanism provider, unlike the $50 that organisations must pay under the EU-US Privacy Shield.
Definition of 'sensitive data'
Under the Swiss-US Privacy Shield, the definition of 'sensitive data' is slightly broader than under the EU-US Privacy Shield, and includes 'ideological or trade union related views or activities, or information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings'.
How to certify
Organisations can certify for the Swiss-US Privacy Shield when they certify for the EU-US Privacy Shield. The link to self-certify can be found here. Organisations that have already self-certified to the EU-US Privacy Shield may add the Swiss-US Privacy Shield to their certification by logging into their existing EU-US Privacy Shield account and selecting the Swiss-US Privacy Shield self-certification option. Organisations that self-certify for the Swiss-US Privacy Shield will be required to pay a separate annual fee to the International Trade Administration ('ITA') in order to participate, equal to half the amount of the Annual EU-US Privacy Shield Fee.
Concluding remarks
The Department of Commerce continues to administer the Privacy Shield and maintain a list of participants notwithstanding the Privacy Shield no longer being a valid transfer mechanism to transfer personal data to the US. Therefore, participation in the Privacy Shield still has certain value for organisations, so long as the organisation relies on alternative mechanisms for the transfer of personal data to the US, such as the SCCs or BCRs. For those that choose to participate, certification may assist the organisation towards compliance with certain principles of the GDPR and data privacy requirements in other jurisdictions (and certification remains a useful tool for demonstrating a certain level of privacy best practice), although certification on its own will not guarantee compliance with all requirements of data privacy laws and regulations.
Robert Blamires Partner
[email protected]
Serrin Turner Partner
[email protected]
Jennifer Howes Associate
[email protected]
Latham & Watkins, LLP, San Francisco