For companies seeking to transfer personal data from the EU to the U.S., the formal adoption of the Privacy Shield on July 12, 2016 by the European Commission and yesterday’s launch of the Privacy Shield website (privacyshield.gov) provide a data transfer mechanism to replace the Safe Harbor. Companies can begin to self-certify to the Privacy Shield on August 1, 2016, and companies that do so by September 30, 2016 get a nine-month grace period for compliance. Many companies have been struggling to find a workable data transfer mechanism since the European Court of Justice ruled in October 2015 that the Safe Harbor provided an inadequate level of protection for the transfer of the personal data of EU citizens.

The Article 29 Working Party also gave conditional backing to the Privacy Shield on July 26, 2016, stating that it “welcomes the improvements brought by the Privacy Shield mechanism compared to the Safe Harbor decision.” It also stated that it will not challenge the framework for at least a year, despite having attacked the first draft of the deal in April 2016.

Organizations interested in certifying to the Privacy Shield must be subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation. Organizations not subject to these enforcement authorities are ineligible to join the Privacy Shield. Companies must also submit a privacy policy that complies with the Privacy Shield’s principles, states that the company adheres to those principles, and includes a link to privacyshield.gov.

Interested companies will also need to establish an independent recourse mechanism to investigate complaints at no cost to the individual, and include information on this recourse mechanism in their privacy policy. Organizations such as the Council of Better Business Bureaus, TRUSTe, the American Arbitration Association and the Direct Marketing Association have developed programs to assist with recourse. Alternatively, companies can choose to cooperate with EU data protection authorities.

Privacy Shield self-certification also requires companies to have procedures in place for verifying compliance, either through self-assessment or a third-party assessment program. A contact must also be designated for addressing questions, complaints, access requests and any other issues relating to the Privacy Shield. The Privacy Shield requires organizations to respond to a complaint from an individual within 45 days. Additionally, self-certifications must be submitted through privacyshield.gov, and companies will need to reaffirm their certification annually.

Given the history of the demise of the Safe Harbor, the many rounds of negotiations and continued skepticism by European regulators of the Privacy Shield, it appears that the Privacy Shield and its requirements will continue to evolve. However, the Privacy Shield is now a legal mechanism for transferring EU data to the U.S., in addition to model clauses and binding corporate rules.