07.15.2016 Adoption of Privacy Shield Gives U.S. Businesses Greater Clarity On Data Transfers From Europe By: Kevin D. Pomfret

The European Commission (EC) announced that it has adopted the EU-US Privacy Shield (“Privacy Shield”) effective July 12, 2016, which replaces the US-EU Safe Harbor Framework (“Safe Harbor”). The adoption of Privacy Shield resolves the uncertainty that companies transferring personal data from Europe to the United States have faced since Safe Harbor was struck down by the European Court of Justice (ECJ) last fall.

Privacy Shield, which consists of seven Privacy Principles and a number of additional supplemental provisions, is similar to Safe Harbor in that US companies can “self-certify” their compliance. Companies may begin to self-certify on August 1, 2016. The seven Privacy Principles, which are standard in most privacy frameworks, are:

  • Notice
  • Choice
  • Accountability of Onward Transfers
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Recourse, Enforcement and Liability

Privacy Shield sets forth a number of specific requirements that must be followed in order to remain in compliance. Therefore, even a company that had self-certified under Safe Harbor should update its agreements, policies and procedures prior to self-certifying under Privacy Shield. Companies that did not participate in Safe Harbor must develop internal policies and procedures for personal data and ensure that their agreements contain required terms.

It is important to note that companies that self-certify to the Department of Commerce within two months of Privacy Shield’s effective date will have a nine-month grace period to ensure that their contracts with third parties are in compliance with the Accountability of Onward Transfer principle. Thereafter, a company must have all of its agreements with relevant third parties comply with the respective requirements before it can self-certify.

The ECJ decision last fall placed a number of companies in the US that either collect or process personal data from Europe in limbo, because the alternative measures for transferring such data – binding corporate rules (“BCRs”) or model clauses – were seen as difficult to implement, particularly for mid-sized and small businesses. Now that Privacy Shield has been officially adopted by the EC, those companies should immediately begin to assess whether to (i) self-certify under Privacy Shield or (ii) make use of one of the two other avenues, as stakeholders (e.g., European data protection authorities, European citizens, the Federal Trade Commission, etc.) are likely to be closely monitoring data transfers to the U.S. for the foreseeable future. If a company determines that Privacy Shield is the best option, it should consider expediting the process in order to avail itself of the grace period.