Co-written by Monica Meiterman-Rodriguez, Privacy Consultant, and Dan Goldstein, Co-founder and Partner of Tueoris.
In the wake of the Schrems II decision, invalidating the EU-US Privacy Shield as a mechanism for transferring EU resident personal data to certified US entities, participants in the program are faced with an important decision: whether to recertify, withdraw, or let their certification lapse.
To date, there is little guidance to support this decision, leaving the burden of selecting the best option to certified organizations. In order to make an informed decision, these organizations should consider not only the fact that Privacy Shield has been invalidated, but whether there are legacy benefits or risks that accompany recertification, withdrawal or lapse.
It is important to make clear that any organization that previously relied on the Privacy Shield should no longer be using it as a transfer mechanism. For guidance on alternative legal transfer mechanisms such as Standard Contractual Clauses (“SCCs”), please see “SCCs under Scrutiny: Transfer Strategies for US Companies Contracting with EU Service Providers”.
Recertification
If your organization has participated in the Privacy Shield framework for more than a year, you know that recertification, when done in line with FTC and DOC expectations, is an involved process, requiring verification of compliance with Privacy Shield principles and updating Privacy Shield Certification documents, as appropriate. Currently, over 5,000 companies still maintain active Privacy Shield certifications, although many of these companies have simply yet to reach their recertification dates.
While withdrawal may seem to be the logical next step, there are factors to consider which may point to recertification, including consistency across organizational processes and anticipation of new decisions from the EU courts and EU Commission. The latter point may be more likely in light of the new US administration coming in January of 2021, which may be more inclined to consider changes that will alleviate or reduce some of the issues identified by the EU Court of Justice in the Schrems II case. This would almost certainly require that the administration implement changes to the manner in which the Foreign Intelligence Surveillance Court (the FISA Court) handles requests that include surveillance of EU residents.
Pros:
- If Privacy Shield is reinstated, the organization may be able to transition quickly back to transferring data under its certification.
- Fewer adjustments necessary to internal policies and procedures, as well as externally facing privacy notices, although updates will need to reflect that the organization is not relying on Privacy Shield for purposes of data transfers.
- Elimination of the requirement to either:
- Return or delete EU personal data received under the Privacy Shield program; or
- Apply “adequate” protection by another “authorized means” for EU personal data retained.
- Privacy Shield Supplemental Principle 6(f) states that such “authorized means” may include the use of SCCs.
Cons:
- Potential increased scrutiny from the FTC on the smaller universe of organizations remaining in the program.
- Time, effort and fees necessary for recertification.
- Internal policies, procedures, contracts, or other internal documents referencing transfer under Privacy Shield will require modification to reflect ongoing certification, but no reliance on Privacy Shield for transfers of EU personal data.
- Publicly facing privacy notices referencing transfer under Privacy Shield must be similarly modified.
Withdrawal
To withdraw from Privacy Shield an organization must notify the Department of Commerce, complete a withdrawal questionnaire, and pay an annual $200 fee if the organization continues to use data previously transferred under its certification. Additionally, there are internal steps that must be taken to remove references to Privacy Shield in internal policies and documents, as well as publicly facing privacy notices. An organization may initially determine that withdrawal is the best choice, as Privacy Shield no longer supports transfers of EU personal data and there are immediate benefits such as eliminating associated costs, time and resources. However, a balancing of risks and benefits will help in making this decision.
Pros:
- A clear demarcation from participation in the Privacy Shield program.
- Cost savings, as the recertification fee is eliminated.
- Elimination of the need for annual self-verification or third-party verification of compliance with Privacy Shield principles.
Cons:
- If EU personal data received under the Privacy Shield program is retained, the organization must either:
- Return or delete EU personal data received under the Privacy Shield program;
- Annually certify (including payment of a $200 fee) that it continues to apply Privacy Shield principles; or
- Certify that it provides “adequate” protection by another “authorized means”, such as SCCs.
- Internal policies, procedures, contracts, and other documents must be updated to remove references to participation in the Privacy Shield program.
- Publicly facing privacy statements referencing participation in the Privacy Shield program must be similarly modified.
- Withdrawal has the potential to increase risk of FTC audit with regard to EU personal data transferred under the Privacy Shield program and retained.
- If Privacy Shield is reinstated, and the organization elects to re-join, it will need to start the certification process from scratch.
Certification Lapse
An inquiry made to the Department of Commerce regarding certification lapse was met with a response that a certified organization must either recertify or withdraw by its renewal date. Lapse was not presented as an option. However, some organizations are deciding that inaction is the best decision and simply allowing their certification to lapse. This course will still necessitate the removal of references to Privacy Shield in internal policies and procedures, as well as publicly facing privacy statements.
Pros:
- Avoidance of the obligation to complete the withdrawal questionnaire, its required verifications, and additional obligations.
- Avoidance of affirmative withdrawal obligations (i.e. return or deletion of EU personal data received under the program; annual verification of compliance with program principles; or application of “adequate” protection for EU personal data received under the program).
- No requirement to pay recertification fees.
Cons:
- Higher risk of FTC scrutiny, as lapse – particularly without adjusting or updating procedures, notices and practices – has been a focus for FTC enforcement.
- Internal policies, procedures, contracts, and other documents must be updated to remove any reference to participation in the Privacy Shield program.
- If Privacy Shield is reinstated, and the organization elects to re-join, it will need to start the certification process from scratch.
Conclusion
While many US organizations previously relying on Privacy Shield for transfers of EU or Swiss resident personal data have changed their transfer strategies to SCCs or other adequate mechanisms, the question of withdrawal or continued participation in the Privacy Shield program remains. The “correct” answer will differ from organization to organization and requires thoughtful analysis of the risks and benefits of available options. Of course, once the decision is made, organizations should document the basis for the decision, as well as the processes followed to meet any ongoing obligations and their good faith efforts to comply.
For questions or additional guidance, please reach out to dan.goldstein@tueoris.com.