- As part of their self-certification under the EU-U.S. Privacy Shield, organisations have to commit to complying with the Principles[1].
- Under the Notice Principle, organisations are obliged to provide information to data subjects on a number of key elements relating to the processing of their personal data (e.g. type of data collected, the purpose of processing, right of access and choice, conditions for onward transfers and liability). Further safeguards apply, in particular, the requirement for organisations to make public their privacy policies (reflecting the Principles) and to provide links to the Department of Commerce’s website (with further details on self-certification, the rights of data subjects and available recourse mechanisms), the Privacy Shield List (referred to in recital 30) and the website of an appropriate alternative dispute settlement provider.
- Under the Data Integrity and Purpose Limitation Principle, personal data must be limited to what is relevant for the purpose of the processing, reliable for its intended use, accurate, complete and current. An organisation may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorised by the data subject. Organisations must ensure that personal data is reliable for its intended use, accurate, complete and current.
- Where a new (changed) purpose is materially different but still compatible with the original purpose, the Choice Principle gives data subjects the right to object (opt-out). The Choice Principle does not supersede the express prohibition on incompatible processing[2]. Special rules generally allowing for the opt-out ‘at any time’ from the use of personal data apply for direct marketing[3]. In the case of sensitive data, organisations must normally obtain the data subject’s affirmative express consent (opt-in).
- Still under the Data Integrity and Purpose Limitation Principle, personal information may be retained in a form identifying or rendering an individual identifiable (and thus in the form of personal data) only for as long as it serves the purpose(s) for which it was initially collected or subsequently authorised. This obligation does not prevent Privacy Shield organisations from continuing to process personal information for longer periods, but only for the time and to the extent such processing reasonably serves one of the following specific purposes: archiving in the public interest, journalism, literature and art, scientific and historical research and statistical analysis. Longer retention of personal data for one of these purposes will be subject to the safeguards provided by the Principles.
- Under the Security Principle, organisations creating, maintaining, using or disseminating personal data must take ‘reasonable and appropriate’ security measures, taking into account the risks involved in the processing and the nature of the data. In the case of sub-processing, organisations must conclude a contract with the sub-processor guaranteeing the same level of protection as provided by the Principles and take steps to ensure its proper implementation.
- Under the Access Principle[4], data subjects have the right, without the need for justification and only against a non-excessive fee, to obtain from an organisation confirmation of whether such organisation is processing personal data related to them and to have the data communicated within a reasonable time. This right may only be restricted in exceptional circumstances; any denial of, or limitation to, the right of access has to be necessary and duly justified, with the organisation bearing the burden of demonstrating that these requirements are fulfilled. Data subjects must be able to correct, amend or delete personal information where it is inaccurate or has been processed in violation of the Principles. In areas where companies most likely resort to the automated processing of personal data to take decisions affecting the individual (e.g. credit lending, mortgage offers, employment), U.S. law offers specific protections against adverse decisions[5]. These acts typically provide that individuals have the right to be informed of the specific reasons underlying the decision (e.g. the rejection of a credit), to dispute incomplete or inaccurate information (as well as reliance on unlawful factors), and to seek redress. These rules offer protections in the likely rather limited number of cases where automated decisions would be taken by the Privacy Shield organisation itself[6]. Nevertheless, given the increasing use of automated processing (including profiling) as a basis for taking decisions affecting individuals in the modern digital economy, this is an area that needs to be closely monitored. In order to facilitate this monitoring, it has been agreed with the U.S. authorities that a dialogue on automated decision-making, including an exchange on the similarities and differences in the EU and U.S. approach in this regard, will be part of the first annual review as well as subsequent reviews as appropriate.
- Under the Recourse, Enforcement and Liability Principle[7], participating organisations must provide robust mechanisms to ensure compliance with the other Principles and recourse for EU data subjects whose personal data have been processed in a non-compliant manner, including effective remedies. Once an organisation has voluntarily decided to self-certify[8] under the EU-U.S. Privacy Shield, its effective compliance with the Principles is compulsory. To be allowed to continue to rely on the Privacy Shield to receive personal data from the Union, such an organisation must annually re-certify its participation in the framework. Organisations must also take measures to verify[9] that their published privacy policies conform to the Principles and are in fact complied with. This can be done either through a system of self-assessment, which must include internal procedures ensuring that employees receive training on the implementation of the organisation’s privacy policies and that compliance is periodically reviewed in an objective manner, or through outside compliance reviews, the methods of which may include auditing or random checks. In addition, the organisation must put in place an effective redress mechanism to deal with any complaints (see in this respect also recitals 43) and be subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or another U.S. authorised statutory body that will effectively ensure compliance with the Principles.
- Special rules apply for so-called ‘onward transfers’, i.e. transfers of personal data from an organisation to a third party controller or processor, irrespective of whether the latter is located in the United States or a third country outside the United States (and the Union). The purpose of these rules is to ensure that the protections guaranteed to the personal data of EU data subjects will not be undermined, and cannot be circumvented, by passing them on to third parties. This is particularly relevant in more complex processing chains which are typical for today’s digital economy.
- Under the Accountability for Onward Transfer Principle[10], any onward transfer can only take place (i) for limited and specified purposes, (ii) on the basis of a contract (or comparable arrangement within a corporate group[11]) and (iii) only if that contract provides the same level of protection as the one guaranteed by the Principles, which includes the requirement that the application of the Principles may only be limited to the extent necessary to meet national security, law enforcement and other public interest purposes[12]. This should be read in conjunction with the Notice Principle and, in the case of an onward transfer to a third party controller[13], with the Choice Principle, according to which data subjects must be informed (among other things) about the type/identity of any third party recipient, the purpose of the onward transfer and the choice offered, and can object (opt-out) or, in the case of sensitive data, have to give ‘affirmative express consent’ (opt-in) for onward transfers. In the light of the Data Integrity and Purpose Limitation Principle, the obligation to provide the same level of protection as guaranteed by the Principles presupposes that the third party may only process the personal information transmitted to it for purposes that are not incompatible with the purposes for which it was originally collected or subsequently authorised by the individual.
- The obligation to provide the same level of protection as required by the Principles applies to any and all third parties involved in the processing of the data so transferred, irrespective of their location (in the U.S. or another third country), as well as when the original third party recipient itself transfers those data to another third party recipient, for example for sub-processing purposes. In all cases, the contract with the third party recipient must provide that the latter will notify the Privacy Shield organisation if it makes a determination that it can no longer meet this obligation. When such a determination is made, the processing by the third party will cease or other reasonable and appropriate steps have to be taken to remedy the situation[14]. Where compliance problems arise in the (sub-)processing chain, the Privacy Shield organisation acting as the controller of the personal data will have to prove that it is not responsible for the event giving rise to the damage, or otherwise face liability, as specified in the Recourse, Enforcement and Liability Principle. Additional protections apply in the case of an onward transfer to a third party agent[15].
[1] Special rules providing additional safeguards apply for human resources data collected in the employment context as laid down in the supplemental principle on ‘Human Resources Data’ of the Privacy Principles (See Annex II, Sec. III.9). For instance, employers should accommodate the privacy preferences of employees by restricting access to the personal data, anonymising certain data or assigning codes or pseudonyms. Most importantly, organisations are required to cooperate and comply with the advice of Union Data Protection Authorities when it comes to such data.
[2] This applies to all data transfers under the Privacy Shield, including where these concern data collected through the employment relationship. While a self-certified U.S. organisation may in principle use human resources data for different, non-employment-related purposes (e.g. certain marketing communications), it must respect the prohibition on incompatible processing and moreover may do so only in accordance with the Notice and Choice Principles. The prohibition on the U.S. organisation taking any punitive action against the employee for exercising such choice, including any restriction of employment opportunities, will ensure that, despite the relationship of subordination and inherent dependency, the employee will be free from pressure and thus can exercise a genuinely free choice.
[3] See Annex II, Sec. III.12.
[4] See also the supplemental principle on ‘Access’ (Annex II, Sec. III.8).
[5] See e.g. the Equal Credit Opportunity Act (ECOA, 15 U.S.C. 1691 et seq.), the Fair Credit Reporting Act (FCRA, 15 U.S.C. 1681 et seq.), or the Fair Housing Act (FHA, 42 U.S.C. 3601 et seq.).
[6] In the context of a transfer of personal data that have been collected in the EU, the contractual relationship with the individual (customer) will in most cases be with — and therefore any decision based on automated processing will typically be taken by — the EU controller which has to abide by the EU data protection rules. This includes scenarios where the processing is carried out by a Privacy Shield organisation acting as an agent on behalf of the EU controller.
[7] See also supplemental principle ‘Dispute Resolution and Enforcement’ (Annex II, Sec. III.11).
[8] See also supplemental principle ‘Self-Certification’ (Annex II, Sec. III.6).
[9] See also supplemental principle ‘Verification’ (Annex II, Sec. III.7).
[10] See also supplemental principle ‘Obligatory contracts for Onward Transfers’ (Annex II, Sec. III.10).
[11] See supplemental principle ‘Obligatory contracts for Onward Transfers’ (Annex II, Sec. III.10.b). While this principle also allows for transfers based on non-contractual instruments (e.g. intra-group compliance and control programs), the text makes clear that these instruments must always ‘ensur[e] the continuity of protection of personal information under the Principles’. Moreover, given that the self-certified U.S. organisation will remain responsible for compliance with the Principles, it will have a strong incentive to use instruments that are indeed effective in practice.
[12] See Annex II, Sec. I.5.
[13] Individuals will have no opt-out right where the personal data is transferred to a third party that is acting as an agent to perform tasks on behalf of and under the instructions of the U.S. organisation. However, this requires a contract with the agent and the U.S. organisation will bear the responsibility to guarantee the protections provided under the Principles by exercising its powers of instruction.
[14] The situation is different depending on whether the third party is a controller or a processor (agent). In the first scenario, the contract with the third party must provide that the latter ceases processing or takes other reasonable and appropriate steps to remedy the situation. In the second scenario, it is for the Privacy Shield organisation — as the one controlling the processing under whose instructions the agent operates — to take these measures.
[15] In such a case, the U.S. organisation must also take reasonable and appropriate steps (i) to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organisation’s obligations under the Principles and (ii) to stop and remediate unauthorised processing, upon notice.