Dealing with Third-Party Vendors Under the Privacy Shield

One of the trickiest parts of attaining certification under the EU-U.S. Privacy Shield Framework (“Privacy Shield”) is bringing your organization’s relationships with third parties into compliance. Under the Privacy Shield, it’s not enough that your company maintains internal compliance with the Privacy Shield principles: you’re also responsible for ensuring compliance by third-party vendors acting as agents.

This idea is enshrined in the Privacy Shield Principle known as “Accountability for Onward Transfer,” which can be found in Section 3 of the Framework text. Section 3 is divided into two subsections, the first dealing with transfers to third-party data controllers, and the second dealing with transfers to third parties acting as agents (or, in data protection terms, as processors and subprocessors).

Section 3(a) deals with the transfer of personal data to third-party data controllers—other organizations that have the power to determine the purpose and means of processing data. In addition to requiring organizations to abide by the Notice and Choice Principles in this case, Section 3(a) requires companies transferring personal data to a third-party data controller to execute a written contract which ensures that the third party will only process such data for limited and specific purposes consistent with the intent given by the individ+ual whose data is being processed, that the recipient will provide the same level of data protection as required by the Principles, and that the recipient shall notify the transferring organization if it determines that it can no longer meet the obligation to provide the same protection.

Privacy Shield presumes a higher level of liability and responsibility on the part of the recipient in the context of transfers to a controller, as is appropriate in situations where personal data is transferred to an organization that will have the authority to control the purpose and means by which the personal data is processed.

Section 3(b), on the other hand, deals with transfers of personal data from an organization to a third party acting as agent—in effect, a processor or subprocessor of that personal data. It’s in this context that Privacy Shield places the heaviest liability on the certified organization, and therefore is where companies have to be the most careful.

No organization is an island: especially if you are a small or medium-sized company, you’re likely outsourcing a fair amount of services and logistics. Because (at least in terms of data protection) most third-party vendors fall under the definition of agents, not fellow controllers, complying with Section 3(b) of Privacy Shield is a constant and growing concern for companies that process personal data.

Does your company pay for web hosting? Do you use third-party payment platforms or customer relationship management (CRM) software? Do you share customer data in any way with a corporate parent or affiliate? In all of these scenarios, Accountability for Onward Transfer applies.

Think about it: if you’re a Privacy Shield-certified company (or one in the process of attaining certification), every single contractual relationship you have with an outside vendor likely falls under the Section 3(b) Accountability for Onward Transfer Principle.

Section 3(b) is simply written, and it lays out six things Privacy Shield-certified organizations are required to do with respect to contracts with third-party agents. Here it is in its entirety:

To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

Discussing each of these six requirements point by point is, perhaps, beyond the scope of this article, but suffice it to say that this language carries with it a host of potential data-related responsibilities for both the organization and the third party. And because the burden is on the transferor, not the recipient, to apply these principles, ensuring that your company meets its obligations under Section 3(b) becomes a matter for negotiation with your vendors.

A common misconception many companies have about Privacy Shield is that it operates similarly to the Safe Harbor Privacy Principles that preceded it, when in fact Privacy Shield imposes more stringent requirements on its participants.

For example, many companies (some of them larger and more influential than you might believe) are under the impression that the fact that they are themselves certified under Privacy Shield means that any personal data transfer made by another Privacy Shield participant is automatically in compliance with the Principles. In other words, some companies think that because they’re on the Privacy Shield-certified list found at https://www.privacyshield.gov/list, any personal data transferred to them by another company is therefore automatically in compliance with Privacy Shield.

This, of course, entirely misses the point: The Accountability for Onward Transfer Principle places the obligation on the party sending the data to ensure that their contract with the recipient complies with the six points listed above.

Even in cases where there is a mutual understanding of this fact, or where you have been successful in educating a vendor about your obligations under Section 3, negotiations can still be difficult for several reasons.

For one, large companies, particularly those that offer web applications to the general public, are often unwilling to renegotiate any aspects of their terms of service. Contracts of adhesion are tried and true methods used by big corporations to save on legal costs and simplify the logistics of their customer relationships. These companies are essentially saying: either you agree to our terms, or you don’t use the service. We can survive without you. This is particularly common with services that are focused on the consumer market and either aren’t interested in or are inexperienced in dealing with the needs of business clients in the B2B sphere. Getting these industry giants to come around requires both a dedicated team of privacy compliance experts and, as a last case scenario, the willingness to take your business elsewhere when negotiations go south.

Another reason vendor negotiations often stall is related to conflicting versions of a privacy amendment or data protection addendum: many companies have already developed their own internal data protection agreements (DPAs) intended to address the concerns raised by Privacy Shield. Unfortunately, these DPAs often fail to include one or more of the requirements of the Accountability for Onward Transfer Principle, or, in some extreme cases, merely state that the company is themselves Privacy Shield-certified, which brings us back to the problems addressed above.

Then there’s the simple issue of getting in touch with the right person or persons who can help your organization make the necessary changes to your agreement. Even with companies who focus on B2B relationships, customer service varies, and account representatives are not all created equal. The legal technicalities at play with these issues usually require interfacing directly with legal professionals or data protection officers. Not all vendors have knowledgeable data protection staff, and many are not initially willing to put you in touch with their in-house legal departments, so the process of negotiating the appropriate amendments to your vendor agreement becomes a game of trying to get past the gatekeepers.

All of these are situations that VeraSafe has broad experience in dealing with. Our team has built tried and true internal resources to address these concerns, and a network of contacts with common vendors that we use to assist your organization in meeting its obligations under the Accountability for Onward Transfer Principle. In short, don’t presume the industry standard is good enough; put your trust in privacy experts that prioritize your organization’s best interests.

Contact VeraSafe today to learn more