My company, RADAR, Inc., develops purpose-built decision support software that ensures consistency and provides efficiency for compliance with data breach laws. As of August 29th, we are certified under the E.U. – U.S. Privacy Shield Framework.
As the privacy officer of a company entrusted with assessing sensitive data incidents and providing automated support for notification decisions, it is important to me that we at RADAR do not simply talk the talk; we also ‘walk the walk.’ One of our company values is integrity. Our customers place great trust in us, and being certified in the Privacy Shield program is an important step in continuing to earn this trust because it demonstrates our commitment to the privacy rights of our customers, their employees, and their own customers.
As our company expands, we also want to acknowledge that the European Union’s laws and principles are respected by our company and our software. RADAR will not only be a tool for United States law compliance; we are also adapting our risk assessment engine to the GDPR and other regulatory guidance and authority to provide decision support with respect to European data breach obligations.
Given the RADAR product’s use in the world of privacy incidents, we thought it imperative that our company be among the early adopters to register under Privacy Shield.
What is Privacy Shield?
Privacy Shield is an international agreement that replaces the U.S. – E.U. Safe Harbor framework, which was invalidated in October 2015 by the European Union’s highest court. The Privacy Shield requirements have more significance for an organization than the Safe Harbor program it replaces. Under Safe Harbor, self-certification was not overseen by a compliance team, and privacy notices were not required to subject an organization to resolution mechanisms like arbitration and oversight by the Federal Trade Commission. Under Privacy Shield, an organization must, among other things:
- Ensure that the company’s privacy notice conforms with the following Privacy Shield Principles:
  - Accountability for Onward Transfer
  - Purpose Limitation
  - Data Integrity
- Identify and submit to an independent recourse mechanism, such as the E.U. Data Protection Authority Panel.
- Include a statement that indicates that the organization is subject to the jurisdiction of the Federal Trade Commission or Department of Transportation.
- Include a statement that the organization will agree to arbitrate disputes.
To Certify or Not? Weighing the Pros and Cons
From a legal perspective, companies may hesitate to certify under Privacy Shield because, in one sense, doing so causes a company to ‘stick its neck out’: a publicly posted, compliant privacy notice is likely to waive potential legal defenses such as lack of jurisdiction, international conflicts of laws, venue, and other ways of avoiding liability.
As an argument for companies certifying under Privacy Shield, the certification provides a mechanism for demonstrating compliance with the upcoming General Data Protection Regulation (GDPR), which will take effect across the European Union by summer 2018. The GDPR will provide some clarity and harmony between the laws of the different E.U. countries, but it will also bring stringent requirements, including the requirement to notify data protection authorities of any data breach that poses a “high risk to the rights and freedoms of natural persons.”
This language in the GDPR is so broad that many lawyers doubt that anyone could provide advice that would ensure complete compliance. For that reason, Privacy Shield has been closely tracked by highly visible big data companies, such as Microsoft (which has already certified), in order to provide a path to compliance.
It is short-sighted to consider only legal reasons for compliance, because a business, and software, that provides compliance support must be trusted and liked by its customers. At RADAR we build long-term, supportive, and collaborative relationships with our customers. We interact with highly regulated data every day. Demonstrating commitment to compliance is a strong reason for certification.
Finally – and not least – it is simply the right thing to do. European data subjects have a right to Accountability for Onward Transfer, Notice, Choice, Access, Purpose Limitation, Data Integrity, Security, Recourse, Enforcement, and Liability with regard to their personal data. These are not simply words.
The Process of Certification: Aligning Company Values with Privacy Shield Principles
In certifying RADAR, Inc., I had a difficult time finding reliable examples from which to work, and truly, a privacy notice should not be a cookie-cutter exercise.
For this purpose, and in the spirit of strongly adhering to the Privacy Shield Principles, I drafted a Privacy Notice that was based entirely around the principles, categorizing many of the statements you have probably seen in other privacy notices or privacy policies under the various principles to ensure each principle was addressed directly.
This exercise, aligning a privacy framework with the Privacy Shield Principles, underscores the fact that you are not simply providing “notice,” for instance, of what data is collected and how it is used. You are also promising to use that data only in a manner consistent with that notice, that the personal data will not be forwarded to third parties unaccountably, and that the company recognizes the consequences for affected individuals if personal data held about them is inaccurate and they are given no recourse, access, or ability to correct that information.
I also ensured that the company and my colleagues understood what RADAR was promising, in an effort to make sure our external promises matched our internal practices in every respect.
Quick, Painless – and Certainly Worth Your While
I found the Department of Commerce Privacy Shield team to be extremely receptive and the process to be very straightforward. I was able to register for dispute resolution with the EU DPA and submit our application online. The Dept. of Commerce responded within 24 business hours with relevant comments, and after submitting a couple of minor revisions, the application was approved the same day.
I highly recommend that American companies join the Privacy Shield program and go through the complete exercise of assessing internal policies and getting feedback from appropriate stakeholders. This process can strengthen an organization internally, help shore up your company’s culture of compliance, and align your privacy values with international standards. This work is more important to the long-term health of an organization than any contractual protection you could draft.