Check out this week’s Compliance News Flash with quick reads about:

  • Background screening operations in Canada and capturing consent.
  • Colorado’s new law safeguarding personal data.
  • Homeland Security and increased workplace investigations.
  • GDPR (need I say anything more for those working on this?).
  • Termination of Temporary Protected Status and work authorization.

For any questions, please contact me at montserrat.miller@agg.com.

Each year my law firm publishes a checklist of legal issues we believe will be relevant in the coming year; this year’s list covers 2017.  To view the list click here.

In no particular order of importance this year’s list includes the following, with brief write-ups by AGG lawyers:

  1. Wage and Hour
  2. Non-GAAP Financial Measures
  3. Ban the Box
  4. EU-U.S. Privacy Shield
  5. Immigration Compliance – Form I-9 and E-Verify
  6. Robust Compliance Programs
  7. Blockchain and Digital Transactions
  8. Cyber Security and M&A Transactions
  9. Online Advertising Practices
  10. Wellness Programs
  11. Tax Reform
  12. The Consumer Financial Protection Bureau
  13. E-Discovery and Defense Costs

The U.S. and Swiss governments have finalized a Privacy Shield agreement to allow the cross-border transfer of personal data from Switzerland to the United States.

First, let’s jump in our proverbial time machine and go back in time.  Before the EU – U.S. Privacy Shield framework was hammered out, after the EU – U.S. Safe Harbor framework imploded as a result of the European Court of Justice’s 2015 decision in Schrems (read about that here), there were two Safe Harbor frameworks for the cross-border transfer of personal data: one for transfers from the European Union at large to the United States, and a separate one for transfers from Switzerland to the United States.  Enter the EU – U.S. Privacy Shield agreement finalized last year, which addressed transfers of personal data from the European Union to the United States, but not from Switzerland.  In fact, it wasn’t entirely clear what the Schrems decision meant for the Swiss – U.S. Safe Harbor agreement: the Swiss seemed to be saying that it too was no longer relevant post-Schrems, yet the U.S. Department of Commerce said it would continue to administer the program.  And now, let’s return to the present.

There is a new Swiss – U.S. Privacy Shield framework which can serve as a mechanism to lawfully transfer personal data from Switzerland to the United States. Companies can begin self-certification under this program on April 12, 2017. This new framework will replace the Swiss – U.S. Safe Harbor framework.  Here is what the Swiss are saying, “At its meeting today, the Federal Council took note that a new framework, Privacy Shield, has been established for the transfer of personal data from Switzerland to the USA. Privacy Shield replaces the Safe Harbor Agreement between Switzerland and the USA, which the FDPIC had declared inadequate and which the Federal Council has now formally terminated. The FDPIC welcomes the introduction of the new framework.”  Read more of this press release from the Swiss Federal Data Protection and Information Commissioner (FDPIC) by clicking here. To read the press release issued by the U.S. International Trade Administration, click here.

Companies that transfer personal data from the European Union (“EU”) to the United States should be working toward their compliance with the EU’s General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679) which will go into effect May 2018.  Oh, but how silly, that’s, like, over a year away!  Why should you care?  If you transfer personal data from the EU to the US there’s a lot to know about the GDPR and it takes time.  I’m going to focus on the Data Protection Officer (“DPO”) requirement today.

Organizations that process personal data related to EU nationals may be either a “controller” or “processor,” or both.  Let’s say you are a background screening company and you’ve been hired to conduct a background investigation or check on an individual who lives, or previously lived and worked, in the EU. You’ll very likely need to transfer data to the United States from the EU and the bottom line is that whenever an organization transfers personal data related to EU nationals to the United States, you need to consider the GDPR in order to ensure compliance.  You also need to consider whether you have a legitimate cross-border onward mechanism, but that’s for another blog posting.

Let’s talk about the DPO.  Article 37(1) of the GDPR requires the designation of a DPO by a controller or processor (i) where the processing is carried out by a public authority or body; (ii) where the core activities of the controller or the processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or (iii) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data (as defined in Article 9) and/or personal data relating to criminal convictions and offenses (as described in Article 10).

Special categories of data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data and information related to a person’s sex life or sexual orientation.

The DPO can be an internal employee or can be hired as an outside consultant, if you will.  The role and tasks of the DPO are described in Articles 38 and 39 of the GDPR.

And, in case you are wondering about the cost of non-compliance?  It’s steep.  A violation of a controller’s or processor’s obligations related to the designation of a DPO can subject a company to administrative fines of up to 10 million Euros or up to 2% of the “total worldwide annual turnover of the preceding financial year.” (Article 83(4)(a)).

For recent guidelines from the Article 29 Data Protection Working Party on the role of the DPO, click here.

So, if you find your company in this situation and are doing a Google search of GDPR at this time, the privacy team here at AGG can help.  Just shoot me an email at montserrat.miller@agg.com.


Human Resources professionals have one more item to add to their compliance checklist – ensuring the lawful transfer of employee, consumer or customer personal data from the European Union (“EU”) to the United States. 

To unravel this compliance requirement let’s start with a hypothetical transfer of personal data from location A to location B for employment purposes.  A company based in Providence, Rhode Island has offices worldwide, including several in the EU.  Hiring is centralized in the United States and therefore all onboarding is conducted by Human Resources professionals in Providence.  As per company policy, the company sends all new hires an employee packet, and several of the forms in the packet require the collection of personal data or information, such as name, date of birth, address, email address, etc.  Its new hires in the EU are asked to send the employee packet back to Providence electronically so that the information can be processed for employee benefits, payroll, and a background investigation.  Therefore, personal data is being transferred to the United States for processing.   The question is, is this legal?  Does the company in Providence, Rhode Island need to do anything from a compliance perspective?  The response to the first question is, maybe, if the company has a permissible cross-border transfer mechanism in place.  The second response is, yes.  Bottom line is that any U.S. based company which operates globally has to factor in international privacy and data protection laws before transferring employee personal data from outside the United States to the United States.

Here’s why.  In the EU it is generally prohibited to collect, use, transfer, disclose or otherwise process an individual’s personal data without justification.  In case you are wondering, what’s the European Union?  The EU is made up of 28 member countries in Europe.  It includes countries such as Austria, Belgium, France, Germany, Greece, Ireland, Italy, Spain and the United Kingdom (until they depart due to Brexit).  For a full list of member countries, click here.  

What do American companies need to do?  First, if you have offices, operations or otherwise transfer someone’s personal data from the EU to the United States, you need to know that.  We privacy professionals call that mapping the data flows.  In other words: are your employees, customers or consumers sending you personal data from the EU to the United States, and if so, what data and for what purpose?

Why should American companies care?  Because in the EU they are serious about privacy and data protection.  The Europeans would argue that they are far more serious and protective of their citizens’ privacy than the Americans.  They can and will bring enforcement actions against companies that transfer personal data outside the EU without having a permissible onward transfer mechanism.  See the most recent action by German data protection authorities by clicking here.

What’s a permissible onward transfer mechanism?  In the EU, there is a general legal framework under which companies operate which is the EU Directive 95/46/EC (“EU Directive”) and it describes how organizations can lawfully “process” personal data, meaning how they can collect, use, transfer, share, store, etc. personal data.   Generally speaking—and please note that I’m focusing only on cross-border transfers of personal data in this article—an organization cannot transfer an individual’s personal data from the EU to the United States without a lawful mechanism.   That’s right, you can’t just transfer personal data without having a plan in place.  Also, not to throw in a monkey wrench, but the EU Directive will be replaced by the General Data Protection Regulation (“GDPR”)  effective 2018, which will have stricter requirements on U.S. companies with operations in the EU, including requirements related to data breaches.

What options do American companies have to lawfully transfer personal data to the United States?  A few, actually: self-certifying with the Department of Commerce’s EU-U.S. Privacy Shield program, instituting model contract clauses or binding corporate rules, or meeting one of the other derogations described in Article 26 of the EU Directive, such as the data subject’s consent to the cross-border transfer.   There are pros and cons to each of these options, and that is the subject of another discussion and greater legal analysis.  This article is intended as a primer to flag the issue of cross-border transfers of personal data from the EU to the United States and the compliance considerations around them.

If your organization transfers personal data from the EU to the United States and you would like to discuss what your legal requirements or obligations may be I am happy to have that conversation with you.  The privacy team at my firm, Arnall Golden Gregory LLP, advises companies on cross-border transfers of personal data and we would be happy to assist.


European Data Protection Supervisor (EDPS) Giovanni Buttarelli issued his formal opinion on the EU-US Privacy Shield, arguing that while it’s a step in the right direction, “robust improvements” are needed.  The EDPS is an independent advisor/institution, and this opinion, along with its recommendations, is geared primarily to the European Commission.

A notable criticism is that Privacy Shield is based on the current EU Directive 95/46/EC, which will be superseded by the new and more robust EU data protection framework, the General Data Protection Regulation (GDPR), in May 2018.   This is problematic because, in his opinion, there isn’t consistency between the current and the future framework and data controllers could find themselves seeking to comply in an environment where that compliance model is changing.

Some additional points worth highlighting are that the EDPS believes more can be done with respect to data minimization and retention as well as automated processing of personal data.  Specifically, he recommends that:

  • The language regarding data minimization and retention should be strengthened to “clearly prohibit keeping personal data in a form which permits identification of data subjects for longer than necessary for the purposes for which the data were collected or further processed.” (See page 9)
  • Language regarding automated processing of personal data — especially when it impacts individuals’ “performance at work, creditworthiness, reliability, conduct, etc.” — should have greater safeguards and allow for human intervention on the part of the controller, so that individuals can express their “point of view and to contest the decision, and to obtain information about the logic underpinning the processing.”  (See pages 9 and 10)

The EDPS concludes by stating that he “welcomes the efforts shown by the parties to find a solution for transfers of personal data from the EU to the U.S. for commercial purposes under a system of self-certification.  However, robust improvements are needed in order to achieve a solid framework, stable in the long term.”


The full text of the EU-U.S. Privacy Shield (“Privacy Shield”) framework is now available.   Privacy Shield was “designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.” (See Fact Sheet)

Below is a non-exhaustive list of “quick facts” about Privacy Shield:

  • It remains a voluntary self-certification program, similar to the now defunct Safe Harbor program.
  • Applications for certification are not currently being accepted.  The Department of Commerce will begin accepting applications for certification pending the European Commission’s adequacy determination.  This approval process is underway.  No word yet on the cost of self-certification.
  • The Privacy Shield Principles are anchored on the following concepts: notice; choice; accountability for onward transfer; security, data integrity and purpose limitation; access; recourse, enforcement and liability.  In addition, there is a section entitled “Supplemental Principles” which covers topics such as sensitive data and human resources data.
  • Individuals may bring a complaint directly to a Privacy Shield participant and the participant must respond to the individual within 45 days.
  • Privacy Shield participants must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
  • Expect greater involvement of the Department of Commerce as well as Federal Trade Commission with respect to oversight, supervision and enforcement.
  • Privacy Shield participants must include certain information on their websites related to the program (e.g., access and correction rights, whether personal information is disclosed to public authorities, and information about the independent recourse mechanism).

For more information, read the AGG Alert by my colleagues Kevin Coy and Gene Burd.