In January 2016, the United States Department of Commerce and Switzerland’s Federal Council declared that the new Swiss-US Privacy Shield Framework will succeed the Swiss-US Safe Harbor framework.
The Swiss-US Safe Harbor framework was declared invalid in October 2015 following the EU Court of Justice’s decision that it was an inadequate legal mechanism for personal data transfers to the US.
Since then, officials have drafted a new framework to ensure that the Swiss-US Privacy Shield Framework improves upon the Safe Harbor framework by including stricter data protection principles.
New Requirements and Principles as Swiss-US Privacy Shield Replaces Safe Harbor
The new framework includes
- enhanced requirements around notice, onward transfers and data retention,
- improved framework management by US authorities, and
- new mechanisms for individuals to obtain recourse for violations.
While the replacement occurred immediately, the Department of Commerce will begin accepting certifications on April 12, 2017, so that organizations can review the new Swiss-US Privacy Shield Principles.
The mechanism for personal data transfers from member countries of the European Economic Area (EEA) is the EU-US Privacy Shield.
Because Switzerland is not a member of the EEA, Swiss and US officials developed this separate agreement.
Although the two agreements are separate, the Swiss-US Privacy Shield framework parallels the EU-US Privacy Shield framework in many ways.
The Federal Council stated that “the fact that the two frameworks are similar is highly significant, as it guarantees the same general conditions for persons and businesses in Switzerland and the EU/EEA area in relation to trans-Atlantic data flows.”
While the two agreements are similar in many ways, there are still some areas where the two agreements vary.
Organizations should not assume that certification for EU-US Privacy Shield translates directly to certification for Swiss-US Privacy Shield.
Organizations should assess and verify their privacy posture against the new Swiss-US framework.
Are You Ready for the End of the Privacy Shield Grace Period?
For companies that self-certified with the Department of Commerce before the September 30, 2016 deadline, the nine-month “grace period” will soon come to a close.
The grace period was given to these companies so that they could ensure that all of their third party vendors met the Accountability for Onward Transfer principle.
With the grace period ending soon, that deadline is fast approaching.
The Privacy Shield Accountability for Onward Transfer principle, Section II, 3.b., states:
To transfer personal data to a third party acting as an agent, organizations must
(i) transfer such data only for limited and specified purposes;
(ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles;
(iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
(iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
(v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and
(vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
In sum, maintaining your Privacy Shield certification by adhering to the Accountability for Onward Transfer principle requires a lot of due diligence.
Third Party Vendor Relationship Requirements
When a company has a relationship with a third party vendor that involves transferring personal information to that vendor, the company has to ensure that the vendor will process personal information in a manner consistent with the company’s obligations under the Principles.
The company’s contract with the vendor also has to state that the data the company transfers to it can only be used for limited and specified purposes.
What’s more, vendors acting as agents have to cease and take steps to remediate unauthorized processing.
For most companies, this is a lot of work that is extremely time consuming.
Larger organizations may use thousands of vendors.
The initial grace period concession was given in light of the time it may take a company to comply with this principle.
For example, a few of the hundred vendors that a typical mid-sized business uses include a marketing automation system, a customer relationship management system, an administrative services system, and a payroll system.
How will companies adhere to the Accountability for Onward Transfer Principle?
One option is to compile a large spreadsheet and call, email, or meet with internal business or process owners.
Though this option is cost effective in terms of dollars, it is not cost effective in terms of time, productivity, and data integrity.
Technology solutions to automate the process and provide an easily accessible digital repository may have up-front costs.
Benefits of Early Privacy Shield Adoption
On August 1, 2016 the U.S. Department of Commerce (DOC) started accepting self-certifications for compliance with the Privacy Shield Principles.
A number of companies have already started the process to self-certify with the DOC to take advantage of the grace period offered to early adopters of the Principles to get contracts with third parties updated.
How the Privacy Shield Grace Period Works
If a company self-certifies to Privacy Shield within the first two months of the DOC accepting certifications, it will be given an additional nine months to get its contracts with third parties updated to meet Privacy Shield requirements.
So if a company certifies to Privacy Shield on September 1st, it has nine (9) months from that date to get its third party contracts updated.
During that time, the Notice and Choice Principles apply to transfers to third parties. The grace period only applies to the Accountability for Onward Transfer Principle.
The company needs to be in full compliance with the remaining Principles to self-certify.
Companies self-certifying Privacy Shield compliance with the DOC after September 30th will need to be in full compliance with all the Principles including Accountability for Onward Transfer and must be able to provide a copy of the privacy provisions in their contracts upon request.
This means a company must have all its ducks in a row (including updated contracts) before it self-certifies.