On July 12, 2016, the European Commission announced its final approval of the EU-US Privacy Shield framework, which replaces the US Department of Commerce “Safe Harbor” program. Safe Harbor formerly served as one of several mechanisms for companies in the EU to transfer personal data from the EU to the US, but the European Court of Justice invalidated the program in the fall of 2015, on the grounds that it failed to adequately protect the privacy rights of EU citizens.
Back in February, here on the DiscoverReady blog we highlighted the major aspects of the proposed Privacy Shield program. The final, approved version of Privacy Shield incorporates those same provisions, but with a few amendments that mainly focus on addressing the concerns expressed by the Article 29 Working Party. The most important changes include:
- An additional requirement that companies delete personal data that no longer serves the purpose for which it was collected.
- A provision that third party processing companies working on behalf of companies that have signed up to the Privacy Shield must also guarantee the same level of protection as the Privacy Shield companies themselves.
- Clarity on when bulk surveillance will be authorized in the US (i.e., only in exceptional circumstances, where targeted collection is not feasible) and assurance that 1) this surveillance must be accompanied by additional safeguards intended to minimize the amount of data collected and 2) access to the collected data beyond its first use is targeted and only permitted for specific purposes.
- Further clarity on the Ombudsperson Mechanism, including 1) where an individual’s request relates to the compatibility of surveillance with US law, the Ombudsperson will be able to rely on independent oversight bodies with investigatory powers (such as the Inspectors General or the Privacy and Civil Liberties Oversight Board) and 2) that the US Secretary of State will ensure that the Ombudsperson has the means to base its response to individual requests on all necessary information.
On August 1, 2016, the Department of Commerce began accepting applications for self-certification under Privacy Shield. Former Safe Harbor members will be familiar with the general structure and process of Privacy Shield self-certification. And much has already been written about the enhanced protections for the private information of EU citizens under Privacy Shield, and the additional substantive obligations that certified companies must take on. (For some good resources, take a look at “We read Privacy Shield so you don’t have to,” from International Association of Privacy Professionals, and “What You Need to Know About Privacy Shield,” posted on Lexology.)
But some companies seeking Privacy Shield certification may be surprised by the additional cost as compared to the old Safe Harbor.
Companies that self-certify will be obligated to pay an annual fee into a cost recovery program established by the International Trade Association (ITA). The fees will support the operation of the Privacy Shield framework. Costs will be tiered according to a company’s annual revenue: from $250/year for up to $5 million in revenue, to $2,500/year for $500 million or more in revenue. There will be an additional fee, similarly tiered to a member company’s revenue, paid into a fund for arbitral costs; the amount of that fee has not yet been set. But while the fees themselves are relatively negligible, there are other costs to Privacy Shield participation that could become substantial.
Privacy Shield requires members to provide a mechanism of recourse for Europeans who feel that their data has been misappropriated. Companies are advised to seek out external arbiters to provide independent recourse services, and such companies may set their own fees. So, member companies should “shop around,” and select a vendor that offers the best balance of cost, high-quality service, and good reputation.
Companies must also name a representative on the Privacy Shield certification. This person serves as the designated contact for handling questions, access requests, and any other issues relating to the organization’s Privacy Shield certification. In instances where a complaint is filed, the representative has 45 days to respond. For some companies, this requirement could mean the development of a new position, or a reallocation of existing resources. Either way, it’s likely that Privacy Shield certification will require a higher level of dedicated personnel resources—and the associated costs.
There are also potential costs in monitoring and deleting personal information that is no longer needed for its intended purpose. Companies often reuse data for valid purposes after its initial collection. Now they must monitor the data coming in and continually assess whether the purpose for which the data was originally collected has been fulfilled. If the data is needed for another reason, the process conceivably would have to start again, requiring resources for multiple collections and oversight of each data pull—all this on top of the time investment necessary to build a process for the collection, use and monitoring of data.
Yet another added cost could lie with third party processing companies. Companies will have to revisit their security agreements with these third party providers and put in place mechanisms to verify that the providers actually deliver the security assurances they have made.
Given its extremely high value to European citizens—on par with the importance to Americans of freedom of speech—we really can’t put a price on privacy. But companies looking to certify under Privacy Shield, and take advantage of its mechanism for data transfers, must account for the costs of certification and the measures necessary to adequately protect private data. At DiscoverReady, we take on those costs willingly, and we’re proud of the resources we devote to the protection of our clients’ most sensitive and private information.