The European Commission has now issued its implementing decision, confirming the much anticipated determination that the Privacy Shield program “ensures an adequate level of protection” for personal information transferred from the EU to the U.S. The Department of Commerce has committed to having the Shield’s online certification process live on August 1. Companies can thus sign up starting on that date and are beginning to consider several questions. Should companies who participate in Safe Harbor rush to sign up? What about companies who did not participate in Safe Harbor, but relied on other mechanisms to transfer data, like model clauses? The answer: it depends.
There are several differences between Privacy Shield and Safe Harbor, including greater oversight mechanisms. Companies considering signing up should carefully assess several provisions, including those that:
- require companies to have measures in place to ensure that privacy statements are true (Supplemental Principle 7), either through internal verification or using an outside company to perform compliance reviews;
- require companies to arbitrate claims with complaining EU individuals who have exhausted prior avenues. Companies that participate in the Shield will pay an annual fee to fund arbitration costs (the amount has yet to be set);
- address how data will be handled in the event of a merger;
- require a company to have contractual provisions in place with third parties with whom it shares personal information; and
- apply to choices individuals must be given over direct marketing and sharing with third parties who will be using the information for their own purposes (controllers) rather than acting as agents (processors or vendors) to the company.
Also worth noting is the Department of Commerce’s stated commitment to monitor compliance, including around companies who cease to participate. The Department of Commerce will maintain a list of participating companies, as well as those who are no longer participating. Companies who cease to participate will need to ensure that all representations (express or implied) regarding participation in the Shield are removed from their communications, in particular their privacy policies (something the Department has indicated it will be monitoring).
There are some incentives to signing up soon. Companies who join prior to October 1 will have nine months from the date that they self-certify to address the contractual provisions of the Privacy Shield Principles for existing relationships. In particular, companies who provide information to third parties who will be “controllers” must have a contract in place that provides that information shared must be used consistent with the Principles, inter alia, and similar contracts must be in place with third party vendors.
Causing concern, however, is the fact that the Commission’s adequacy decision provides for the Commission to re-evaluate whether the Privacy Shield continues to be adequate on an annual basis.
TIP: U.S. companies who receive consumer information from EU partners may want to consider joining the Privacy Shield prior to October 1 to take advantage of the Shield’s protections and benefit for the “grace period” regarding existing contracts. However, companies should think carefully about taking this step, as there are several provisions of the Shield that are worth evaluating to ensure that the program is a fit for your company. Any companies that do participate would be well served to have an internal playbook in place to keep track of their obligations under the program and to ensure that appropriate employees are trained on the programs’ requirements.