On June 7, 2016, the European Commission adopted the US-EU Privacy Shield. Companies that self-certify under Privacy Shield with the US Department of Commerce – dubbed “Privacy Shield organizations” – are thus officially recognized by the EU as providing an adequate level of protection for data transferred from the EU. As a result, Privacy Shield organizations may in principle freely receive transfers of personal data from the EU. (For more information on Privacy Shield, visit our Privacy Shield FAQs.)
One question that many organizations had following Privacy Shield’s adoption was how it would be implemented by the Data Protection Authorities (“DPAs”) of EU member states. On Monday, the DPA of the German state of North Rhine-Westphalia (“NRW”) issued what appears to be the first series of DPA-crafted FAQs about how it views, and intends to enforce, Privacy Shield.
Many of the NRW DPA’s points will be familiar to US companies that have invested time in evaluating Privacy Shield and its potential fit to their information governance structures. However, the DPA raises several issues that will not directly apply to US Privacy Shield organizations, but instead to European companies that intend to transfer data to Privacy Shield organizations in the US. US companies may wish to begin anticipating the impacts of these issues now, while organizations with German subsidiaries or affiliates should begin considering potential compliance updates.
1. Due Diligence Requirement
During the Safe Harbor days, German DPAs introduced a requirement that German companies conduct due diligence on Safe Harbor-certified US companies before they were permitted to transfer EU data to them. The NRW DPA’s FAQs indicate that it will maintain similar due diligence requirements for transfers to Privacy Shield organizations. According to the NRW DPA, a German company intending to transfer data to a Privacy Shield organization must first:
Determine that the US company has a valid Privacy Shield certification. The NRW DPA formulates this as a requirement to ascertain that “the data-receiving US company has a valid certification,” and “that it is complying with it.” At a minimum, the DPA requires German companies to determine (a) that the US company’s Privacy Shield certification exists; (b) that it is current and valid; and that (c) the data to be transferred is within the scope of the certification.
Evaluate the US company’s privacy notice. The German company must ascertain “how the US company is meeting its notice obligations to individuals.” The NRW DPA further indicates that German companies must ask US organizations to “document” their compliance with Privacy Shield notice obligations. This could conceivably require German companies to not merely check US companies’ privacy notices, but also ask for assurances that notices are being displayed and/or deployed in required situations. The NRW DPA also indicates it expects to see US privacy policies contain references to US companies’ obligations to comply with public-sector information requests.
Monitor the US company’s onward transfer compliance. Privacy Shield contains a grace period for US companies that self-certify before September 30, 2016; such companies have nine months from the date of certification to bring their vendor contracts into compliance with Privacy Shield onward-transfer obligations. The NRW DPA requires German companies, before transferring data to Privacy Shield organizations, to ascertain whether those organizations are making use of the nine-month grace period. If so, once the grace period is over, the NRW DPA requires German companies to have the Privacy Shield organization “document” or “at least confirm” that it has brought its vendor contracts into compliance.
2. German-Law Processing Contracts
Privacy Shield introduced a new onward-transfer requirement for Privacy Shield organizations: in order to transfer data to a processor, the Privacy Shield organization must now conclude a written contract governing the processing relationship. However, this requirement only regulates the US Privacy Shield organizations – not the EU companies that transfer data to them in reliance on their Privacy Shield certification.
The NRW DPA indicates it will require German companies that transfer data to US processors that are certified as Privacy Shield organizations to conclude German-law processing contracts. Concretely, the DPA states: “If a US company receives data as a processor, the [German] controller transferring the data must additionally abide by the requirements of § 11 Federal Data Protection Law (Bundesdatenschutzgesetz, or “BDSG”).” Section 11 BDSG generally requires a written contract (the so-called “Section 11 agreement”) in which the (US) processor agrees to process only on instructions from the controller. Moreover, Section 11 agreements typically include detailed descriptions of how the processor is to respond to defined situations.
In any case, the NRW DPA indicates that German companies within its jurisdiction will need to conclude German-law processing contracts with US companies in order to transfer data to them for processing purposes – even if the US company is Privacy Shield-certified. The DPA’s reasoning is that a Section 11 agreement is required to ensure the legality of the underlying processing – not the legality of transfer – and is therefore necessary independent of a Privacy Shield certification.
* * * *
The NRW DPA states that EU DPAs are currently engaging in discussions to reach “common understandings on questions of interpretation” regarding Privacy Shield. It therefore makes clear that its FAQs will be “continually” updated and expanded. As a result, companies should likely view the above summary as a DPA’s initial foray into Privacy Shield interpretation, and as a suggestion of requirements that German DPAs may impose more generally in the future. For the moment, however, companies within North Rhine-Westphalia will need to begin bringing Privacy Shield-related transfers into compliance – and US organizations should begin anticipating due diligence and local-law contracting requests.
A copy of the NRW DPA’s FAQs (in German) can be downloaded here.