On July 12, 2016, following the Maximillian Schrems v Data Protection Commissioner decision, ECLI:EU:C:2015:650, CJEU 6 Oct. 2015, Case C-362/14, the EU Commission adopted the EU-US Privacy Shield Framework as a replacement for the Safe Harbor Program, providing: “Member States shall provide that the transfer to a third country of personal data (by an entity) … may take place only if … the third country in question ensures an adequate level of data protection.” See http://bit.ly/2hkcrrV.
The Privacy Shield framework prohibits transfers of personal data (defined as “any data that could potentially identify a specific individual”) outside the European Economic Area (EEA) unless a European Commission (EC) adequacy decision or an exception applies. An “adequacy decision” is a decision adopted by the EC which establishes that a third country ensures an adequate level of protection of personal data by reason of its domestic law or the international commitments into which it has entered.
Under the framework, Privacy Shield creates a specific set of seven privacy principles with which U.S. organizations must comply when receiving personal data: Notice; Data Integrity and Purpose Limitation; Choice; Security; Access; Recourse, Enforcement and Liability; and Accountability for Onward Transfer. See http://bit.ly/2ikV1LP.
This article discusses the corporate impact of the EU-US Privacy Shield and practical approaches to managing global corporate data in the wake of Schrems.
So What’s the Big Deal?
Under Privacy Shield, entities now only have 45 days to respond to data subject complaints and must look into each complaint received (unless it is clearly baseless). This means a corporation must know its data “buckets” and where they live and breathe in order to both internally investigate and respond.
It’s important to note Privacy Shield (like Safe Harbor) only applies to entities that are “subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC),” (or the Department of Transportation), and the FTC does not have jurisdiction over the activities of banks and other financial institutions. The McCarran-Ferguson Act also excludes application of the FTC Act to the “business of insurance.”
Next, there will be stronger oversight by the U.S. Department of Commerce (DOC) and more direct cooperation between EU Data Protection Authorities (DPAs) and the FTC to transform from a self-regulating system to an oversight system. This means the DOC will monitor Privacy Shield Principles compliance on an ongoing basis, handle complaints from individuals and act when there’s credible evidence that a corporation may not be compliant with Privacy Shield Principles.
Think significant penalties potentially from the DPAs, DOC and/or the FTC (each may refer Privacy Shield complaints to the other) when in the wrong.
Under Safe Harbor, the FTC brought nearly 40 enforcement actions, led numerous investigations, and responded to several cooperation initiatives with European DPAs. Privacy Shield has exacted commitments from the DOC and FTC for more rigorous enforcement than Safe Harbor, including utilizing the FTC Act’s prohibition on unfair and deceptive acts or practices with the imposition of all remedies available to protect domestic consumers when protecting EU data subjects.
These are serious enforcement teeth when regulators might be bearing down on your corporation. The floodgates are also open to a vastly expanded multitude of EU data privacy complainants right here in the U.S., where the same might have previously lacked standing.
The new guideline is: The corporation may keep personal data only for as long as this serves the lawful purpose for which the data was collected. This means instituting and enforcing a corporate personally identifiable information (PII) data disposition policy to limit exposure.
How Does This Work in the Real World?
One of the most common trigger events subjecting a corporation to scrutiny over its handling of personal data is the all-too-ubiquitous data breach scenario. Here, best practices to understand where/how personal data lives within corporate systems must be established.
1. Data Mapping
The process of “data mapping” now becomes essential for corporations to document where all the pieces of PII really reside in our applications given looming Privacy Shield liability.
What personal data is located in the HR application, the payroll system, active directory and the email address book? To answer, a corporation has to identify application owners and document the data that is being utilized in each and every application: No small task, but ultimately leading to the keys for limiting exposure.
Let’s say personal data was collected when your company set up an enterprise resource planning (ERP) system. Best practices dictate we track down the system design documents as a starting point to build your corporate system data maps (saving a tremendous amount of corporate resource costs).
Next, identify which applications pass PII to or utilize shared databases with other platforms/applications. Is your HR new hire process passing key pieces of PII to payroll? Are select pieces of PII being used to create security credentials for network access/mailbox profiles so that the employee can hit the ground running on day one?
Yep, you guessed it. The devil is in the details and corporations now need to know how data is used in our systems to be able to track where and how PII lives, breathes, replicates, transports, disseminates and otherwise spreads through our corporate systems.
Assuming in-house and on-premises applications where data transfer happens through a secure corporate network, we next need to know how data is passed along to cloud-based applications. In other words, it’s time to understand what, where and how the corporation’s cloud-based applications and third-party providers handle data (PII in particular). Regulated industries, such as financial services, health care, pharmaceuticals and many other vertical categories, are painfully aware of these regulatory/legal obligations, which expand under Privacy Shield.
2. Securing Data in Transport
We all do it every day: sending data for business purposes. Corporate use of secure file transfer protocol (SFTP) is one recommended method for data transport. Encryption in transit and encryption at rest may be required, whether the data moves through a transfer process or by physical transfer via CD/DVD or other external media. Even against the most powerful computers, encryption passwords of 12 or more mixed characters (letters, numbers and symbols) will be daunting to the hackers that may intercept corporate data packages.
For data transport, we need to know the specific countries (and their respective laws) in which a corporation’s third-party providers are housing the PII that has been shared via replication, backup, inter-application shared usage or otherwise.
3. Getting Third Party Providers on the Same Page
Third-party providers with whom a corporation engages are also required to meet Privacy Shield protections (see the seventh principle of Privacy Shield above: Accountability for Onward Transfer).
Beyond a corporation’s own data activities, update the corporation’s agreements with any third-party providers handling corporate data to cover the corporation’s interests in the event of data theft or misuse. Accountability for Onward Transfer imparts a certain level of corporate ongoing duty to ensure their third party providers maintain adequate methodology, procedures and protections with data.
Turning a blind eye to third-party provider data handling methods may end up being an extremely costly mistake.
4. Disaster Planning
Understand how the corporation’s computer systems are being backed up for disaster recovery purposes. Is your IT group running the standard daily and weekly incremental backups to disk and then monthly full backups to tape, culminating in yearly backups? Are the monthly and yearly backups being stored off-site in a secure location? Most corporations can answer “yes” to these questions. The million-dollar liability and resource cost question now becomes: do you know on which tapes particular pieces of PII reside given the applications specific to the backup tapes?
Here’s where it gets even more interesting.
Knowing your backup process is one thing, but having it tied to a corporate records information management (RIM) retention schedule can open a whole new box of snakes. If data in a particular set of applications, say tax records, needs to be kept for only seven years, how do you carve out those backup tapes for destruction at the end of life of the tax data? The backup tapes where tax data resides may also hold (and likely do) application backups from corporate HR applications or other disparate application processes. Under this scenario, HR data and any PII contained within the same or other applications have a different RIM end-of-life cycle than the tax data does.
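The following is an added worked example (not from the article or its authors) that ties the data-mapping exercise in section 1 to the backup-tape retention problem in section 4: it records which PII fields each application holds, which applications share a tape, and a RIM retention schedule, then answers “which tapes hold this field?” and “which tapes can be destroyed, and which application is blocking the rest?”. All application names, fields, tape labels, dates and retention periods are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
# Constructed data map (hypothetical applications): which PII fields each one stores.
DATA_MAP = {
    "hr": {"name", "home_address", "ssn", "date_of_birth"},
    "payroll": {"name", "ssn", "bank_account"},
    "active_directory": {"name", "email"},
    "tax": {"name", "ssn", "tax_id"},
}
# Constructed RIM retention schedule, in years, per application.
RETENTION_YEARS = {"hr": 10, "payroll": 7, "active_directory": 1, "tax": 7}

@dataclass(frozen=True)
class Tape:
    label: str
    written: date
    applications: frozenset  # application backups sharing this tape

# Constructed monthly full backups; as the article notes, tapes routinely mix applications.
TAPES = [
    Tape("M-2009-01", date(2009, 1, 31), frozenset({"tax", "active_directory"})),
    Tape("M-2009-02", date(2009, 2, 28), frozenset({"tax", "hr"})),
    Tape("M-2010-03", date(2010, 3, 31), frozenset({"payroll"})),
]

def shared_pii(data_map):
    """PII fields replicated across applications, and where each one lives."""
    where = {}
    for app, fields in data_map.items():
        for field in fields:
            where.setdefault(field, set()).add(app)
    return {f: sorted(apps) for f, apps in where.items() if len(apps) > 1}

def tapes_holding(field, tapes, data_map):
    """Which tapes contain a given PII field (through any application backed up on them)."""
    apps = {a for a, fields in data_map.items() if field in fields}
    return sorted(t.label for t in tapes if t.applications & apps)

def expiry(written, years):
    """End of retention for a backup written on a given date (assumes no Feb 29 dates)."""
    return written.replace(year=written.year + years)

def blocking_apps(tape, retention, today):
    """Applications on the tape whose retention has not yet run out."""
    return sorted(a for a in tape.applications if expiry(tape.written, retention[a]) > today)

def destroyable(tapes, retention, today):
    """A shared tape may be destroyed only when every application on it has expired."""
    return sorted(t.label for t in tapes if not blocking_apps(t, retention, today))
```

Running it with a review date of December 1, 2016 shows the article's scenario: the tape holding only tax and directory data can go, while the tape that mixes tax records with HR data is held hostage by the HR retention period.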
The Onion Metaphor and Takeaways
Corporations need to peel back the applications, the data backups and the RIM retention schedules to understand where PII resides and the relationship between these various processes in order to segregate the data. This, my friends, is as they say: “the whole shooting match.”
Expending corporate resources to know how, where and when your corporate data with PII is utilized within and between applications, data backups and pursuant to the RIM retention schedule will prepare the corporation for that point in time when the authorities come knocking to check your compliance with the Privacy Shield regulations. More importantly, this knowledge is the key to developing processes to limit corporate liability exposure for the same.
If the corporation knows where PII lives and can certify as to its removal from your corporate systems and data backups in the event of a complaint, compliance costs decrease exponentially.
Despite current legal challenges posed by Privacy Shield, limiting corporate regulatory, legal, financial and reputational exposure requires new rules for the road. This means corporations must undertake internal/external technical due diligence, security audits, house cleaning and process re-engineering to reach policy/protocol consensus between the internal business leads (including the CTO/CSO), application owners, legal, IT, backup teams and third party providers regarding the PII data they collectively and separately hold/transport.
Executing corporate business processes which satisfy regulators and individuals/complainants under Privacy Shield can be delivered by corporations in a cost/process effective way while achieving corporate business objectives.
Given a dislike for narratives which lack visual punch and wrap up without a solution to the challenge, we provide you with a simple diagram and an invitation for ongoing dialogue.
Dan Panitz, DTI Director of Legal Solutions, is an experienced lawyer based in the New York area. Panitz has more than 20 years of combined legal and business development experience. His background also includes government securities regulation/enforcement, litigation, forensic investigations, regulatory compliance and enforcement, and corporate advisory services. H. Bruce (HB) Gordon currently works for Teva Pharmaceuticals located in Horsham, Pennsylvania as their Manager, ESI Response Management. Prior to Teva, Gordon worked for AmerisourceBergen Corporation as the IT Liaison to the Legal Department, and Rohm and Haas Company as the IT Manager for the Legal Department. This article also appeared in Legal Tech News, an ALM sibling of this newsletter.
The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.