Nothing about #SchremsX: What should companies do while EU bodies discuss the draft US adequacy decision?
The new US adequacy draft opinion is out - everyone is talking about #SchremsIII (and IV and X), so I will not. Instead, let's discuss what US companies involved in EU-US transfers should actually be doing now.
- The new EU-U.S. Data Privacy Framework Principles, including the Supplemental Principles, are here in an updated form.
- Companies are required to apply the Principles to all personal data transferred in reliance on the EU-U.S. DPF after they enter the EU-U.S. DPF.
Overall To do: Companies should review them and start addressing any gaps in their compliance.
Why now, while it's still in draft form?
- Because it is unlikely that the Principles will change in a way that makes them less stringent. They may become more stringent if EDPB comments require it in order to align more closely with GDPR.
- And because, even in this form, there is a lot of work to do, even for companies that certified under Privacy Shield (and definitely for those that did not).
Key changes and what you need to do:
1) Not your Grandmother's PII Anymore:
The definition of personal data/information is identical to GDPR, and this is way broader than PII for data breach purposes (this is similar to the new US privacy laws).
Public data is in the house!
- The principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability also apply to personal data from public records (i.e., those records kept by government agencies or entities at any level that are open to consultation by the public in general) and publicly available sources. [This is like GDPR and different from the US state laws that have (differing) carve-outs for public information.]
- The Notice, Choice and Accountability for Onward Transfer Principles do not apply to public record information as long as it is not combined with non-public record information, or unless the European transferor indicates that such information is subject to restrictions that require application of those Principles by the organization for the uses it intends. [This is not like GDPR.]
- Making personal information public in contravention of the Principles so that you or others may benefit from these exceptions is a violation of the Principles.
To do: make sure your compliance program encompasses personal data and public data.
2) Sunlight is the Best Disinfectant (Transparency):
You need a privacy notice that informs individuals about the data you process, the purpose, their rights and recourse, and other specific things regarding DPF enforcement.
To do: Amend your privacy notice.
EU bodies are expecting EU-level transparency and granularity of disclosure. The FTC, which is the enforcement body for the DPF, has been vocal about true transparency. CPRA and CPA already require it, and it will give you a head start for the other state laws / the ADPPA.
3) The Purpose (and the Sky) is the Limit (accuracy, data minimization, purpose limitation):
- Personal information must be limited to the information that is relevant for the purposes of processing [See also: #CPRA, other state laws, #FTC, and a lot of AGs in their comments to the FTC rulemaking]
- Information may be retained in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing [See also: #CPRA and all the new US states laws, and #FTC in CafePress]
- You can't process (use or share) information in a way that is incompatible with the purpose for which it was originally collected or subsequently authorized by the data subject; [same as #CPRA #CPA etc].
- If you do, you need to provide notice + opt-out (through a clear, conspicuous, and readily available mechanism).
- Take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current [see recent CFPB enforcement on this]
To do: (1) Review your data processing for purposes - what is necessary, what was told to the individuals, what is incompatible - and document this for compliance (and also for a rainy enforcement day); (2) Develop and implement a data retention plan.
4) Don't be So Sensitive (Information):
- Sensitive information is defined as under GDPR (and the US state privacy laws): medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual, PLUS any personal information received from a third party where the third party identifies and treats it as sensitive. [This is broader than either US laws or GDPR.]
- You need OPT-IN consent to use sensitive information for purposes other than those for which it was originally collected or subsequently authorized by the individual (through opt-in), or to disclose it to third parties, other than under specific exceptions (vital interests, legal claims, medical care, non-profit, employment law, manifestly made public). [This is stricter than the #CPRA limited-use right, and similar but not identical to the #CPA opt-in (which has limited exceptions).]
To do: (1) Assess whether and where you process sensitive information; (2) Incorporate processes to provide disclosure and collect opt-in consent for these.
5) The Old Ball and (Supply) Chain:
- Both controllers AND processors are bound: You need to comply even if you are a service provider. You need a contract, with your controller, that contains prescribed provisions and you need downstream contracts with your sub-processors guaranteeing the same level of protection as provided by the Principles.
- You also need a contract between a participating organization and a recipient third-party controller that provides for the same level of protection as is available under the EU-U.S. DPF, not including the requirement that the third-party controller be a participating organization or have an independent recourse mechanism, provided it makes available an equivalent mechanism.
- Any onward transfer can only take place (i) for limited and specified purposes, (ii) on the basis of a contract between the EU-U.S. DPF organization and the third party (or comparable arrangement within a corporate group) and (iii) only if that contract requires the third party to provide the same level of protection as the one guaranteed by the Principles.
- For onward transfer to an agent (data processor) you also need to: (iv) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (v) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (vi) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vii) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
- You remain liable under the Principles if your agent processes such personal information in a manner inconsistent with the Principles, unless you can prove that you are not responsible for the event giving rise to the damage.
To do: Assess all your onward transfers (down to Middle Earth) and make sure that you have agreements containing all the right provisions with all transferee controllers, as well as processors and sub-processors and sub-sub-sub-processors.
6) Keep Me Safe and Sound (Secure):
Take reasonable and appropriate measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
To do: Assess and revise/improve your information security policies and procedures. "Reasonable and appropriate" has meaning both under EU enforcement and under FTC decisions (the Start with Security and Stick with Security guides; recent enforcement actions with detailed requirements for governance like Facebook, Equifax, Drizly etc.).
7) (Individual) Rights of Passage:
(a) Right of access
- This is the right to obtain from an organization confirmation of whether or not the organization is processing personal data relating to them, as well as access to the relevant personal information [redacted as necessary to protect other individuals].
- This right is limited in cases where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. [This is not a GDPR concept but, if applying the test in #CPRA for the right of access beyond 12 months, this is a very high threshold to pass.]
- The right is also limited to the extent that granting full access would reveal the company's confidential commercial information, such as marketing inferences or classifications generated by the organization, or the confidential commercial information of another that is subject to a contractual obligation of confidentiality. [This is an exception not found in GDPR and seems to be narrower than the requirement under #CPRA, #CPA.]
- Additional exceptions include: compliance with law or private causes of action, legal or professional privilege, prejudicing an employee investigation, and also "where the legitimate rights or important interests of others would be violated", which is somewhat vague.
- Unlike under GDPR, you may charge a fee that is not excessive.
- Response must be within a "reasonable time period" but the time is not set [unlike GDPR: 30 days, CPRA etc: 45 days].
(b) Right to correct
(c) Right to delete
(d) Right to opt out of processing for materially different (but compatible) purposes and general right to opt out of marketing
(e) Automated decision making
- If carried out by an EU controller - you need to enable the right to human intervention as their agent (because GDPR applies).
- In the US, in areas like credit lending, mortgage offers, employment, housing and insurance it is subject to specific US law.
To do: Institute policies and processes for granting individual rights (including making sure no request falls through the cracks, that the answer to the request encompasses all the right information, and that you can respond within a reasonable time).
8) Recourse but Verify:
You have to:
- Make available independent recourse mechanisms by which each individual’s complaints and disputes are investigated and expeditiously resolved at no cost to the individual
- You may choose independent recourse mechanisms in either the Union or the United States, which can include submitting to the EU DPAs. For HR data, this is mandatory.
- Verify that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of noncompliance
- Respond promptly to inquiries and requests by the Department for information relating to the EU-U.S. DPF
- Be ready to arbitrate claims if arbitration is invoked
- (if you are subject to a court order or FTC/DOT order for non compliance): Make public any relevant EU-U.S. DPF-related sections of any compliance or assessment report submitted to the court or U.S. statutory body to the extent consistent with confidentiality requirements
- Undertake to remedy problems arising out of failure to comply with the Principles
- Provide follow-up procedures for verifying that the attestations and assertions they make about their EU-U.S. DPF privacy practices are true, through either (a) a self-assessment or (b) an outside compliance review.
- Put in place appropriate technical and organizational measures to effectively comply with their data protection obligations and be able to demonstrate such compliance, in particular to the competent supervisory authority. [The FTC will be checking this, and the FTC has stated how important this is in its decisions in Equifax, Facebook, Drizly etc.]
To do: (1) Devise/revise the relevant procedures and oversight mechanisms; and (2) Engage a third-party independent recourse mechanism provider.
9) HR Data is Data Too:
- Prior to the transfer of HR data from the EU, GDPR fully applies and may, in some cases, dictate/limit the use of the data by the transferee in the US.
- Employers should make reasonable efforts to accommodate employee privacy preferences. This could include, for example, restricting access to the personal data, anonymizing certain data, or assigning codes or pseudonyms when the actual names are not required for the management purpose at hand.
- A U.S. organization participating in the EU-U.S. DPF that uses EU human resources data transferred from the EU in the context of the employment relationship, and that wishes such transfers to be covered by the EU-U.S. DPF, must therefore commit to cooperate in investigations by, and to comply with the advice of, competent EU authorities in such cases.
- For occasional employment-related operational needs of the participating organization with respect to personal data transferred under the EU-U.S. DPF, such as the booking of a flight, hotel room, or insurance coverage, transfers of personal data of a small number of employees can take place to controllers without application of the Access Principle or entering into a contract with the third-party controller, provided that the Notice and Choice Principles are followed. [This is a deviation from what is required under Art 49 GDPR.]
To do: Extend your data protection requirements to HR data too.
10) The Buck Stops Here: Dispute Resolution and Enforcement:
- The DoC will carry out ‘spot checks’ of randomly selected organizations, as well as ad hoc spot checks of specific organizations when potential compliance issues are identified (e.g. reported to the DoC by third parties).
- If there is credible evidence that an organization does not comply with its commitments under the EU-U.S. DPF (including if the DoC receives complaints or the organization does not respond satisfactorily to inquiries of the DoC), the DoC will require the organization to complete and submit a detailed questionnaire.
- Organizations that persistently fail to comply with the Principles will be removed from the DPF List and must return or delete the personal data received under the Framework.
- The DoC will monitor any false claims of EU-U.S. DPF participation or the improper use of the EU-U.S. DPF certification mark, both ex officio and on the basis of complaints (e.g. received from DPAs).
- Where the DoC finds that references to the EU-U.S. DPF have not been removed or are improperly used, it will inform the organization about a possible referral to the FTC/DoT (for deceptive conduct). If an organization fails to respond satisfactorily, the DoC will refer the matter to the relevant agency for potential enforcement action.
- The FTC/DoT can investigate compliance with the Principles, as well as false claims of adherence to the Principles or participation in the EU-U.S. DPF by organizations which either are no longer on the DPF List or have never certified.
- Do all you need to do under 1-9 above, and you won't need to #cryandpray about enforcement.
Article provided by INPLP member: Odia Kagan (Fox Rothschild LLP, United States)
Dr. Tobias Höllwarth (Managing Director INPLP)