From 1 August 2016, the new Privacy Shield regime for US-EU data transfers has been in operation. It replaces the “Safe Harbor” regime that was declared ineffective by the Court of Justice of the EU (CJEU) in October 2015.
This new Privacy Shield will provide the framework for EU-US personal data transfers from now on and will operate alongside the alternatives such as BCR (Binding Corporate Rules), SCC (Standard Contractual Clauses of the EU) and CBPR (Cross Border Privacy Rules).
Relevance to Indian IT Companies
These EU-US developments will also apply to data processing that happens in India, either because the customer transferring the data is in an EU country or because these rules will emerge as general standards of the industry. Hence a general understanding of these principles is essential for Indian companies engaged in data processing activities involving “Personal Data” of non-Indian citizens.
As regards the data of Indian citizens, the ITA 2000/8 imposes its own obligations under Section 43A (for sensitive personal information) and Section 72A (for all personal information), besides other provisions that apply to “Data” in general. The key aspect of the Indian law is that it gives legal backing to the contractual agreements between an Indian data processor and the foreign data vendor. Hence, whether they are Privacy Shield obligations or BCR/SCC/CBPR obligations, they all extend to Indian processors and become enforceable under Indian law.
This should establish the relevance of the new US-EU Privacy Shield regimes and the other frameworks to the Indian context.
Essence of Privacy Shield
Although the Privacy Shield principles are not much different from the general principles followed under the Safe Harbor regime, there are a few significant differences that we need to take note of, mainly in the enforcement of the provisions.
The intent of Privacy Shield is to transform the oversight system from self-regulating to one that is more responsive and proactive. The certification and annual re-certification process will remain unchanged, but the Department of Commerce will actively monitor compliance through detailed questionnaires, among other things.
Additionally, the FTC will maintain a “wall of shame” for companies that are subject to FTC or court orders in Privacy Shield cases.
Any EU citizen who believes that his or her data has been misused will have several redress possibilities under Privacy Shield. Among them, EU citizens will be able to report complaints directly to their local Data Protection Authorities. Redress mechanisms include established timelines for responses by a subject company. Privacy Shield also creates a new arbitration right for unresolved complaints.
Limitations imposed on US public bodies
There will be clear limitations, safeguards, and oversight mechanisms for access by public authorities for law enforcement and national security purposes. A new redress mechanism will inform a complainant whether an access or surveillance matter has been properly investigated and that either U.S. law has been complied with or, in the case of non-compliance, the matter has been remedied.
Steps to Certify
The subject company should first develop and maintain a Privacy (or Privacy Shield) policy based on the following principles of certification under the EU-U.S. Privacy Shield, which include:
- Choice. The policy will also cover areas where consent, permission, data use limitations or opt-out strategies, and special treatment for “Sensitive Personal Data” are applicable.
- Access, Data Integrity, and Redress. The policy also addresses other areas related to existing processes or controls, if applicable, to meet Access, Data Integrity, and Redress requirements needed to cover a Privacy Shield election.
A Privacy Shield company must maintain adequate and reasonable administrative, technical, and physical safeguards and controls designed to address appropriate security requirements for U.S. and EU applications that capture or process data within the scope of the certification.
Following a review of existing contracts, the contracts with downstream Business Associates must be updated to address the specific Privacy Shield wording requirements.
Staff training on the Privacy Shield requirements needs to be undertaken.
Documentation supporting the company’s Privacy Shield certification (e.g., policies and procedures, gap assessment report, and contract addendum) should be prepared/compiled and included in a compliance binder.
Companies that decide to adopt the Privacy Shield must register with the International Trade Administration of the US Department of Commerce and submit to the self-certification process, which involves completing the required questionnaires.
Consequent to the introduction of GDPR with effect from 25th May 2018, Privacy Shield is no longer adequate for compliance.