For companies seeking to transfer personal data from the EU to the U.S., the formal adoption of the Privacy Shield on July 12, 2016 by the European Commission and yesterday’s launch of the Privacy Shield website (privacyshield.gov) provides a data transfer mechanism to replace the Safe Harbor. Companies can begin to self-certify to the Privacy Shield on August 1, 2016, and companies that do so by September 30, 2016 get a nine-month grace period for compliance. Many companies have been struggling to find a workable data transfer mechanism after the European Court of Justice ruled that the Safe Harbor provided an inadequate level of protection for the transfer of the personal data of EU citizens in October 2015.
The Article 29 Working Party also gave conditional backing to the Privacy Shield on July 26, 2016 stating that it “welcomes the improvements brought by the Privacy Shield mechanism compared to the Safe Harbor decision.” They also stated that they will not challenge the framework for at least a year, despite previously attacking the first draft of the deal in April 2016.
Privacy Shield self-certification also requires companies to have procedures in place for verifying compliance, either through self-assessment or a third-party assessment program. A contact must also be designated for addressing questions, complaints, access requests and any other issues relating to the Privacy Shield. The Privacy Shield requires organizations to respond to a complaint from an individual within 45 days. Additionally, self-certifications must be submitted through privacyshield.gov, and companies will need to reaffirm their certification annually.
Given the history of the demise of the Safe Harbor, the many rounds of negotiations and continued skepticism by European Regulators of the Privacy Shield, it appears that the Privacy Shield and its requirements will continue to evolve. However, Privacy Shield is now a legal mechanism for transferring EU data to the U.S., in addition to model clauses and binding corporate rules.