Raising the Privacy Shield and Other Protections: How U.S. Organizations Can Receive Personal Data from the EU
April 17, 2017 | Author: Corina V. San-Marina
Law Firm: Willcox & Savage, P.C. - Norfolk Office

    The transfer of personal information from European Union (EU) members to U.S. subsidiaries and other organizations is governed by strict legal requirements imposed by the European Commission, the U.S. Department of Commerce, and the U.S. Federal Trade Commission (FTC), depending on the transfer mechanism implemented. The personal information subject to transfer restrictions includes any information relating to an identified or identifiable natural person. In deciding which transfer mechanism to implement, an organization has to take into account financial and business factors as well as its tolerance for risk.

    If a U.S. organization is subject to the jurisdiction of the FTC or the Department of Transportation (DOT), one way the organization can receive personal information from the EU is by certifying the organization’s compliance with the “Privacy Shield.” This process began on August 1, 2016.

    To make such a certification, an organization must take several steps. Those steps include: (1) developing a Privacy Shield-compliant privacy policy; (2) engaging a third party that provides a dispute resolution program; (3) cooperating and complying with EU Data Protection Agencies with respect to any transfer of human resources data; (4) self-assessing or engaging a third party to assess compliance with the Privacy Shield; and (5) designating an individual within the organization to handle questions, complaints, access requests, and other issues arising under the Privacy Shield.

    The organization’s privacy policy will need to address the following principles: notice; choice (an opt-out or opt-in for sharing an individual’s personal information); accountability for onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement, and liability. The risk associated with using the Privacy Shield is that the shield will most likely face legal challenges based on concerns about the scope of U.S. government surveillance.

    Other transfer mechanisms that U.S. organizations can use to legally receive data from the EU are model contractual clauses and binding corporate rules. The model contractual clauses amount to pre-approved adhesion contracts with terms that cannot be negotiated.

    The type of model contractual clauses that an organization may use depends on whether the organization receiving the information is a data controller or a data processor. Although the model contractual clauses consist of “boilerplate” language, parties must specify in an appendix the relevant categories of data and types of data processing. For multinational organizations that regularly engage in data transfers among multiple jurisdictions, the use of model contractual clauses is not efficient or cost-effective because the organization would have to enter into multiple contracts.

    Binding corporate rules (BCRs) allow multinational organizations to develop and adopt internal privacy policies that mandate EU-style data protections across the entire organization. Once approved by the appropriate privacy authority in each jurisdiction in which the organization transfers data, BCRs allow an organization to transfer data without having to enter into separate model contractual clauses or get approval for each transfer. There is no model form of BCRs; each organization must develop its own specific set of rules to fit its particular needs. BCRs can be used by organizations that are data controllers or data processors.

    Each of the three mechanisms has distinct advantages and disadvantages. In determining how best to meet the EU data protection requirements, U.S. organizations should consider those advantages and disadvantages carefully and consult legal counsel experienced with all three mechanisms.