How Privacy Shield Updates Will Impact Your Franchise
New U.S./E.U. data transfer program paving the way for broader, more restrictive regulation in 2018.
By Dan Caprio
Franchisees and franchisors need to be aware of the details of the newly updated United States/European Union Privacy Shield program — www.commerce.go/privacyshield — designed to heighten protections for transferring transatlantic personal data. While the newly renegotiated program will replace the original U.S./E.U. Safe Harbor program for transferring transatlantic data, the new program is a harbinger of things to come with the broader and more restrictive E.U. General Data Protection Regulation (GDPR) coming into force in 2018.
The Privacy Shield must not be viewed by itself since it builds upon strong protections in the new GDPR. While the Privacy Shield and GDPR are silent on how organizations should manage and quantify risk, trends are beginning to emerge that will guide organizations in implementing a risk-based approach. While the GDPR identifies new obligations for data processing determined to be at high risk, the GDPR is part of a broader strategy to raise privacy and security requirements for all companies that do business in the E.U.
The program requires companies to implement a comprehensive privacy program. In a very real sense, the Privacy Shield is a global extension of European privacy rights and standards. The program also reflects an intricate system of oversight, enforcement and redress, involving a number of overlapping institutions with different cross-border roles. For example, under the extra-territorial jurisdiction provision of the GDPR, U.S.-based companies must comply with European legal requirements if they monitor or target European citizens for products or services.
Organizations certifying their compliance with Privacy Shield will be authorized to transfer the personal data of E.U. residents to the U.S. An organization becomes eligible to transfer data under the Privacy Shield once included in the U.S. Department of Commerce’s list of certified organizations.
To join the new program, an organization must meet four requirements. First, the organization must fall under the enforcement authority of the Federal Trade Commission or another U.S. agency (such as the Department of Transportation for airlines) that can ensure compliance; it must publicize its commitment to adhere to the Privacy Shield; it must publicly disclose its privacy policy; and finally, it must actually implement the Privacy Shield principles.
New Privacy Shield requirements:
Notice
Participating organizations must provide individuals, in clear and conspicuous language, with notice of the organization’s participation in Privacy Shield, the type of data collected, and the purposes for which the data is collected. Individuals also must be informed of any third parties to whom their data will be transferred, their right to access their data, and the means for limiting the use and disclosure of their personal data.
Choice
Organizations must provide “clear, conspicuous, and readily available mechanisms” by which individuals can opt out of any disclosure of personal data to a third party or the use of data for a purpose other than the one for which it was initially collected.
Accountability for onward transfer / vendor agreements
Expanded regulation of and accountability for third party personal data transfers means that organizations must specify in third party contracts that transferred personal data “may only be processed for limited and specified purposes consistent with” the data subject’s consent.
Security
Participating organizations “must take reasonable and appropriate measures to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.” These measures must be appropriate to the “risks involved and the nature of the personal data.”
Data integrity and purpose limitation
Organizations must maintain a strict requirement that the data be “relevant for the purposes of processing,” and they are required to “limit” collection to only the relevant data. Organizations also must “take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete, and current.”
This presents significant data management issues for long-term data processing, including risk disclosures in merger and acquisition transactions.
Access
Organizations must provide individuals with access to their personal data as well as the opportunity to correct, amend or delete information that is inaccurate or processed in violation of the Principles.
Human resources data
Separate rules are created for transferring human resources data in order to ensure compliance with labor laws in each member state. Employers generally must comply with the Privacy Shield’s notice and choice requirements, but they may be exempt from the access requirement in the case of employee security investigations, grievance proceedings, corporate reorganizations, or where it may prejudice “sound management.”
Several administrative steps remain before the new Privacy Shield program will come into force, including review and approval by E.U. representative bodies. Approval may come as early as June; however, some E.U. politicians have expressed their opposition to the agreement. One of the most significant changes in the Privacy Shield is the introduction of detailed mechanisms for recourse and dispute resolution. The verification requirement ensures that organizations actually implement the policies they promise. An organization can meet this requirement either through self-assessment or through outside compliance reviews.
Integrity of data crucial to global economy
The ongoing attention paid to Privacy Shield and the GDPR underlines the fundamental and core value of data in today’s economy. Ensuring the integrity of data flows globally will be an increasingly strategic consideration going forward. Whether that data is personal information or intellectual property, the information that organizations collect, create, share and store is vital to their success and should be handled as a priority and protected with care.
Franchisees and franchisors need to understand that the Privacy Shield imposes significantly greater obligations upon organizations and their vendors than existed before. In the context of the rights accorded to individuals, these new requirements mirror those set out in the GDPR. Given these heightened obligations, franchisees and franchisors that intend to certify to the Privacy Shield should consider updating their policies around notice, choice, access, onward transfers, and recourse, as well as reviewing their standard vendor agreements.
If your organization does business internationally, it should take steps to ensure it can continue to transfer data from the E.U. and do so in a way that complies with regulation and best practices. That begins with a thorough review and mapping of current processes, including the legal agreements, tools and policies used to effect such operations. Companies should think strategically about managing risk with all relevant business stakeholders across their supply chains, both internal and external, so that they can articulate a narrative of data flows from collection to disposal wherever data is transferred to a third party or across borders.
Dan Caprio is co-founder and Executive Chairman of the Providence Group. Find him at fransocial.franchise.org.