The Dispute Resolution Mechanisms Under the Privacy Shield (Part 2 of 2)

What Happens if I Join Privacy Shield and an Employee Submits a Complaint? (Part 2 of 2)

The first installment in our month-long series dissecting the new “Privacy Shield” framework for transferring data from the EU to the United States discussed the history and implementation of the Privacy Shield. The second, third and fourth installments provided side-by-side comparisons of the Privacy Shield against the former EU-US Safe Harbor Framework, the current Controller-Processor Model Clauses and the current Controller-Controller Model Clauses (Set 2). The remainder of our series will focus on addressing the top questions we have received concerning how the Privacy Shield will function in practice.

One of the most common areas of confusion surrounding the Privacy Shield is the way in which people are permitted to raise complaints with participating companies concerning the collection and use of their personal data. It’s easy to understand the source of confusion. The Privacy Shield contains seven different ways to raise complaints, but each method is not open to every person (in EU parlance, a “data subject”) in every situation. For example, some methods are guaranteed only to employees in the context of HR data transfers (e.g., use of an informal panel of European Union Data Protection Authorities to adjudicate claims); other methods require that a data subject first exhaust other methods of resolution (e.g., binding arbitration before a Privacy Shield Panel to be established by the Department of Commerce and the European Commission). Depending on the personal data at issue, there are various mechanisms by which a participating organization may receive a complaint either from a consumer or an employee.

In our fifth installment, we provided a roadmap of the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved. In this sixth installment, we provide a similar roadmap for the ways in which an employee might file a complaint against an employer.

Click here to view a roadmap for the ways in which an employee might file a complaint against an employer.

hrdara

 

The Dispute Resolution Mechanisms Under the Privacy Shield (Part 1 of 2)

What Happens if I Join Privacy Shield and Someone Submits a Complaint? (Part 1 of 2)

The first installment in our month-long series dissecting the new “Privacy Shield” framework for transferring data from the EU to the United States discussed the history and implementation of the Privacy Shield. The second, third and fourth installments provided side-by-side comparisons of the Privacy Shield against the former EU-US Safe Harbor Framework, the current Controller-Processor Model Clauses and the current Controller-Controller Model Clauses (Set 2). The remainder of our series will focus on addressing the top questions that we have received concerning how the Privacy Shield will function in practice.

One of the most common areas of confusion surrounding the Privacy Shield is the way in which people are permitted to raise complaints with participating companies concerning the collection and use of their personal data. It’s easy to understand the source of confusion. The Privacy Shield contains seven different ways to raise complaints, but each method is not open to every person (in EU parlance, every “data subject”) in every situation. For example, some methods are guaranteed only to employees in the context of HR data transfers (e.g., use of an informal panel of European Union Data Protection Authorities to adjudicate claims); other methods require that a data subject first exhaust other methods of resolution (e.g., binding arbitration before a Privacy Shield Panel to be established by the Department of Commerce and the European Commission).

Depending on the personal data at issue, there are various mechanisms by which a participating organization may receive a complaint either from a consumer or an employee. In this fifth installment, we provide a roadmap for the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved. Our next installment will provide a similar roadmap for the ways in which an employee might file a complaint against an employer.

Click here to view a roadmap for the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved.non-hr

A Side-By-Side Comparison of “Privacy Shield” and the Controller-Controller Model Clauses

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States as “adequate” unless a company (1) enters into EU Commission preapproved model contractual clauses with the data recipient, (2) sends data to a corporate affiliate in the US that is under the scope of “Binding Corporate Rules,” or (3) entered the EU-US Safe Harbor Framework.

Most data controllers that were based in the US complied with the Directive by entering the pre-approved controller-controller model clauses or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-controller model clauses; the use of those clauses became far and away the most popular way to comply with the Directive if you were a data controller.

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history, and implementation, of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide if it wants to use it going forward) is to do a side-by-side comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons has already included a Privacy Shield/Safe Harbor side-by-side comparison and a Privacy Shield/Controller-Processor Clauses side-by-side comparison.

Click here to view the side-by-side comparison of the Privacy Shield and the Controller-Controller Model Clauses.

contro-control

A Side-By-Side Comparison of “Privacy Shield” and the Controller-Processor Model Clauses

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for the national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an adequate level of protection is guaranteed, and traditionally the EU does not consider the laws of the United States as “adequate” unless a company (1) enters into EU Commission preapproved model contractual clauses with the data recipient, (2) sends data to a corporate affliate in the US that is under the scope of “Binding Corporate Rules,” or (3) entered the EU-US Safe Harbor Framework.

Most data processors (e.g., service providers) that were based in the US complied with the Directive by entering the pre-approved controller-processor model clause or the EU-US Safe Harbor Framework. In October of 2015, the EU-US Safe Harbor Framework was invalidated by the European Court of Justice. As a result, many of the companies that had relied upon the Safe Harbor switched to the controller-processor model clauses; the use of those clauses became far and away the most popular way to comply with the Directive.

On July 12, 2016, the EU formally approved a new mechanism for transferring data to the United States called the “Privacy Shield.” Although you can find a full discussion of the history, and implementation, of Privacy Shield here, the best way for a company to understand Privacy Shield (and decide if it wants to use it going forward) is to do a side-byside comparison of the Privacy Shield against the mechanism that it currently uses, used, or is considering. Our series of side-by-side comparisons started with a Privacy Shield/Safe Harbor comparison published here.

Click here to view the side-by-side comparison of the Privacy Shield and the Controller-Processor Model Clauses.

comparison2

A Side-by-Side Comparison of “Privacy Shield” and the “Safe Harbor”

More than 5,000 companies had taken advantage of the now defunct U.S.-EU Safe Harbor Framework. Those companies are now considering whether to join the newly approved “Privacy Shield,” and are trying to understand the difference between the old and new framework. As they do, these companies are faced with many questions: How does the Privacy Shield differ from Safe Harbor? Can you rely on the Model Clauses? Or would it make more sense to join the Privacy Shield? If so, what do you need to do to join?

To supplement our earlier publication, we have prepared a side-by-side comparison of the invalidated Safe Harbor and the new Privacy Shield. Over the next week, we will be publishing similar comparisons between Privacy Shield and other adequacy methods including the model controller-controller clauses and the model controller-processor clauses. If you would like to receive those comparisons, please register at www.bryancavedatamatters.com.

Click here to view the side-by-side comparison of the Safe Harbor and the Privacy Shield.

sidebyside

Privacy Shield Finalized – How Everyone Can Take Advantage of the New European Data Transfer Framework

Background

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU Member State.  The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed.  Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection.  As a result, if a company intended to transfer personal data from the EU to the U.S., it traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….

priovacyshielf

Privacy Shield Released – How Employers Can Take Advantage of the New European Data Transfer Framework (2016)

The EU Data Protection Directive 95/46/EC (the “Directive”) creates the legal framework for national data-protection laws in each EU member state. The Directive states that personal data may only be transferred to countries outside the EU when an “adequate” level of protection is guaranteed. Few exemptions apply, and the laws of the United States are not considered by the European Union as providing an adequate level of data protection. As a result, if a company or employer intended to transfer personal data from the EU into the U.S., they traditionally had to achieve the Directive’s required “adequacy” status through: Safe Harbor certification; standard contractual clauses; or binding corporate rules….

rishield