After two years of negotiations, the European Commission and the United States of America (the “U.S.”) have unveiled the replacement for the U.S.-EU Safe Harbor Framework (the “Safe Harbor”), known as the EU-U.S. Privacy Shield (the “Privacy Shield”).
When U.S. companies engage in trade and commerce with the European Union (the “EU”), the personal information of EU citizens is often transferred to the U.S. Prior to October 2015, U.S. companies protected the data of EU citizens by complying with the requirements of the Safe Harbor. However, on October 6, 2015, the Court of Justice of the European Union declared that the Safe Harbor was invalid. After this decision, the U.S. and the EU began negotiations to develop a new framework for transatlantic data transfers, which the European Commission revealed on February 2, 2016 as the Privacy Shield. The intention of the Privacy Shield is to ensure that when the personal information of EU citizens is transferred to U.S. companies under the Privacy Shield, such personal information will receive data protection standards equivalent to those that exist in the EU. On February 29, 2016, the European Commission released a draft adequacy decision and the legal texts that will form the Privacy Shield, including written assurance by the U.S. government to enforce the agreement and the Privacy Shield Principles, that is, the principles that participating U.S. companies will be required to follow (the “Privacy Shield Principles”).[1]
The decision to enter the Privacy Shield is voluntary. U.S. companies that wish to rely on the Privacy Shield are required to self-certify, publicly declare their adherence to the Privacy Shield Principles and demonstrate full compliance. The U.S. Department of Commerce (the “Department of Commerce”) will keep an updated and publicly available list of the companies that have entered the Privacy Shield (the “List”) and will remove from such List any companies that have voluntarily withdrawn or been removed due to non-compliance. U.S. companies that have entered the Privacy Shield must apply the Privacy Shield Principles to personal information transferred under the Privacy Shield. Additionally, companies that were removed from the List, but still retain personal information that was received while they participated in the Privacy Shield, must continue to apply the Privacy Shield Principles to such personal information.
The Privacy Shield Principles are broken down into seven areas: (1) Notice (i.e. companies must inform individuals about specifically listed information); (2) Choice (i.e. individuals must be given the opportunity to choose whether their information can be disclosed to a third party or used for a purpose other than the original purpose for which the information was collected); (3) Accountability for Onward Transfer (i.e. companies must enter into contracts with third-party controllers that will process the personal information); (4) Security (i.e. companies must protect the personal information from loss, unauthorized access, disclosure, modification and destruction); (5) Data Integrity and Purpose Limitation (i.e. the personal information must be limited to that which is necessary, and it cannot be processed in ways that are incompatible with the purposes for which the information was collected or authorized); (6) Access (i.e. individuals must have access to their personal information and can correct, amend or delete any inaccuracies); (7) Recourse, Enforcement and Liability (i.e. there must be “robust mechanisms” to ensure participating companies comply with the Privacy Shield Principles, consequences for those that do not comply, and recourse for individuals affected by such non-compliance, such as dispute resolution services and arbitration). In addition to these seven principles, there are supplemental principles that provide additional information regarding various topics including, but not limited to, the role of EU Data Protection Authorities (the “DPAs”), the self-certification process, human resources data, mandatory contracts for onward transfers of personal information, requests by an individual to access his/her personal information, pharmaceutical and medical products, and publicly available information.
The Privacy Shield is not yet in force. Before the College of Commissioners can make a final decision, there will be consultations with representatives of the EU member states and the Article 29 Working Party. In the meantime, the U.S. will begin preparing for this new framework.
Canadian companies should take note that U.S. companies will have new and distinct compliance requirements under the Privacy Shield, including amended privacy policies, in the near future.