Privacy Shield Boot Camp 2016

Transcription

1 INTELLECTUAL PROPERTY Course Handbook Series Number G-1291 Privacy Shield Boot Camp 2016 Chair Harry A. Valetk To order this book, call (800) 260-4PLI or fax us at (800) Ask our Customer Service Department for PLI Order Number , Dept. BAV5. Practising Law Institute 1177 Avenue of the Americas New York, New York 10036

2 22 Privacy Shield Overview Submitted by: Brian L. Hengesbaugh Baker & McKenzie LLP If you find this article helpful, you can learn more about the subject by going to to view the on demand program or segment for which it was written. 331

3 332

4 Page 1 of 5 PRIVACY SHIELD OVERVIEW EU-U.S. Privacy Shield Program Overview The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination ( The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join the Privacy Shield Framework in order to benefit from the adequacy determination. To join the Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework s requirements, the commitment will become enforceable under U.S. law. All organizations interested in joining the Privacy Shield Framework (/EU- US-Framework) should review its requirements in their entirety. To assist in that effort, Commerce s Privacy Shield Team has compiled resources and addressed frequently asked questions below. Resources Key New Requirements for Participating Organizations (/Key-New-Requirements) How to Join the Privacy Shield (/article?id=how-to-join-privacy-shield-part-1) Frequently Asked Questions Q. Why should an organization that previously participated in the Safe Harbor program self-certify to the Privacy Shield? 333

5 Page 2 of 5 The Privacy Shield provides a number of important benefits to U.S.-based organizations, as well as their partners in the EU. These include: The Privacy Shield Framework was deemed adequate by the European Commission, meaning it is a recognized mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. Participating organizations are deemed to provide adequate privacy protection, a requirement for the transfer of personal data outside of the European Union under the EU Data Protection Directive. Compliance requirements of the Privacy Shield Framework are clearly laid out and can be implemented by small and medium-sized enterprises. The U.S.-EU Safe Harbor Framework is no longer legally recognized as adequate under EU law for transferring personal data from the European Union to the United States. Q. What information will an organization be required to provide to the Department of Commerce in the online self-certification process? The information that an organization must provide during the self-certification process is outlined here (/article?id=self-certification-information). Organizations interested in self-certifying are encouraged to review and compile this information prior to initiating the online certification process. Q. What URL must be included in an organization s privacy policy to meet the Framework requirement to link to the Privacy Shield website? ( Q. How will acceptance of certifications be rolled-out? The Department of Commerce recognizes that it is critical to enable certifications as soon as possible to address the uncertainty that organizations on both sides of the Atlantic have faced. Given that need, acceptance of certifications will be available immediately August 1 to any eligible company. Certification processing times will vary depending on the completeness of the original self-certification and the number of self-certifications received in particular during the initial roll-out. The Privacy Shield team will provide updates on expected processing times periodically to assist companies in their planning. Q. What is the initial timeframe for bringing existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle? The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, the Framework allows organizations that submit their self-certification to the Department of 334

6 Page 3 of 5 Commerce within the first two months (between August 1 and September 30, 2016) up to nine months from the date upon which they certify to bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle. During that interim period, where organizations transfer data to a third party, they must (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. Q. How much will it cost to self-certify to the Privacy Shield? ITA is implementing a cost recovery program fee to support the operation of the EU-U.S. Privacy Shield Framework, which will require that U.S. organizations pay an annual fee to ITA in order to participate in the Privacy Shield. The cost recovery program will support the administration and supervision of the Privacy Shield program and support the provision of Privacy Shield-related services, including education and outreach. The fee will be tiered based on the organization s annual revenue. Fee Schedule: EU-U.S. Privacy Shield Framework Cost Recovery Program Organization s Annual Revenue Annual Fee: $0 to $5 million $250 Over $5 million to $25 million $650 Over $25 million to $500 million $1,000 Over $500 million to $5 billion $2,500 Over $5 billion $3,250 Organizations will have additional direct costs associated with participating in the Privacy Shield. For example, Privacy Shield organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Providers of such services set their own fees. Furthermore, the Framework requires that the Department of Commerce facilitate the establishment of a fund, into which Privacy Shield organizations will be required to pay an annual contribution, which will cover arbitral costs as described in Annex I to the Principles. As indicated in the Framework, within 6 months from the adoption of the adequacy decision, the Department of Commerce and the European Commission will agree to adopt an existing, well-established set of U.S. arbitral procedures. 335

7 Page 4 of 5 The contribution that Privacy Shield organizations are required to pay to cover arbitral costs will be based in part on the size of the organization and will be set within this period. All participants in the Privacy Shield will be notified of the fee, which each participant will be required to pay to remain in the Privacy Shield program. While the fee has not yet been established, we expect it to be no more than the fee that organizations pay to ITA to participate in the Privacy Shield program. Self-Certify Privacy Shield List Audiences (/US-Businesses) U.S. Businesses (/US-Businesses) European Businesses (/European-Businesses) Individuals in Europe (/Individuals-in-Europe) Data Protection Authorities (/Data-Protection-Authorities) About (/Program-Overview) Program Overview (/Program-Overview) Framework Text (/EU-US-Framework) Inactive Participants (/inactive) News & Events (/NewsEvents) Contact (/assistance) 336

8 Page 5 of 5 Home (/) Website Feedback (/assistance) Privacy Policy (/Website-Privacy-Policy) Disclaimer (/Website-Disclaimer) FOIA ( USA.gov ( The International Trade Administration ( (ITA), U.S. Department of Commerce ( manages this site to facilitate the Privacy Shield framework in the United States. External links to other Internet sites should not be construed as an endorsement of the views or privacy policies contained therein. This site contains PDF documents. A PDF Reader ( is available from Adobe Systems Incorporated. U.S. Department of Commerce EU-U.S. Privacy Shield 1401 Constitution Avenue, N.W. Room Washington, D.C

9 NOTES 338