On July 12, 2016, the European Commission (“Commission”) formally adopted and released the Privacy Shield Adequacy decision, which will allow certified U.S. companies to transfer EU personal data to the United States. The EU-U.S. Privacy Shield (“Privacy Shield”) replaces the U.S.-EU Safe Harbor framework (“Safe Harbor”), which was invalidated in October 2015 by the European Court of Justice (“ECJ”) in Maximillian Schrems v Data Protection Commissioner. The decision will immediately go into effect upon notification to the EU Member States.

The more than 4,400 U.S. companies that previously relied on the Safe Harbor and have been waiting for an alternative mechanism for data transfers can choose to self-certify to the Department of Commerce (“Commerce”) under the new Privacy Shield framework. Commerce will begin accepting Privacy Shield applications on August 1, 2016. This client advisory provides an overview of Privacy Shield, highlights key differences between Privacy Shield and Safe Harbor, and offers some key considerations given the forthcoming Global Data Protection Regulation and other data privacy developments.

Privacy Shield

The Commission’s adequacy decision found that U.S. mechanisms and regulations under Privacy Shield provide an adequate level of protection for international data transfers. Since October 2015, the Commission and U.S. authorities have negotiated Privacy Shield, which has undergone substantive changes since the Commission issued a draft adequacy decision on February 29, 2016. The key elements of Privacy Shield include:

  • Robust enforcement and strong obligations on companies handling Europeans’ personal data. Commerce will play a more significant role in monitoring certification and ensuring that false claims of Privacy Shield participation are appropriately sanctioned. Companies that withdraw from Privacy Shield must annually affirm to Commerce certification to the Privacy Shield principles until the personal data are returned or deleted. Notably, accountability for onward transfers has changed. Now companies must comply with notice and choice principles for onward transfers in addition to entering into contractual agreements to guarantee the same level of protection.
  • Clear safeguards and transparency obligations on U.S. government access. Under Privacy Shield, the U.S. has committed to a new oversight mechanism for national security interference in the form of an Ombudsperson that will be independent from the U.S. intelligence authorities. Relying on Presidential Policy Directive 28, the USA Freedom Act, and written assurances by the U.S. government, the Commission concluded that Privacy Shield effectively protects EU citizens against generalized access to personal data.
  • Effective protection of EU citizens’ rights with several redress possibilities: EU data subjects may file complaints directly with a U.S. self-certified company, with a free-of-charge independent dispute resolution body, as designated by the company, with national data protection authorities (“DPAs”), or with the Federal Trade Commission (“FTC”). Additional referral options are built into Privacy Shield so as to ensure compliance with the privacy principles. Complaints must be resolved by companies within 45 days. If a case is not resolved, an arbitration mechanism, the “Privacy Shield Panel,” may be convened to guarantee an enforceable remedy.
  • Annual joint review mechanism. To ensure U.S. accountability to commitments with respect to public authority access to personal data, the Commission and Commerce will carry out an annual review that will involve, when appropriate, DPAs, U.S. national security authorities, and the independent Ombudsperson. The results of this review will be incorporated into a public report issued to the European Parliament and the Council.

Like Safe Harbor, under Privacy Shield, companies must self-certify adherence to a set of privacy principles to Commerce. These include: (1) the Notice Principle; (2) the Security Principle; (3) the Accountability for Onward Transfer Principle; (4) the Security Principle; (5) the Data Integrity and Purpose Limitation Principle; (6) the Access Principle; and (7) the Recourse, Enforcement, and Liability Principle. Privacy Shield also includes a detailed set of supplemental principles.1

The chart below highlights some key differences between Privacy Shield and Safe Harbor:

Privacy Shield

Safe Harbor

1. Self-Certification
Annual re-certification of compliance to Commerce is required.
1. Self- Certification:
Annual self-certification letters reaffirming commitment to the Framework is required.
2. Removal from Privacy Shield List
Upon removal from the Privacy Shield list, organizations must (1) return or delete EU personal data collected under the Privacy Shield or (2) have ongoing obligations to apply Privacy Principles to personal information and affirm this commitment to Commerce. 
2. Removal from Safe Harbor List:
Upon removal from the Safe Harbor list, organizations must promptly delete any data collected under the Safe Harbor.
3. Privacy Principles: Notice
In addition to disclosure obligations of the Safe Harbor, organizations must also inform data subjects of (1) the purpose for third parties’ disclosures of information, (2) their right to access their personal data, (3) the company’s liability for onward transfers to third parties, and several other significant rights of data subjects.
3. Privacy Principles: Notice
Organization must inform data subjects about the purpose for data collection and use, how to contact the company regarding inquiries or complaints, the types of third parties the company discloses information to, and the choices and means offered to individuals to limit use and disclosure.
4. Privacy Principles: Choice
The organization must offer data subjects the opportunity to opt out of whether their personal information is used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized.
4. Privacy Principles: Choice
The organization must offer data subjects the opportunity to opt out of whether their personal information is used for a purpose that is incompatible with the purpose for which it was originally collected or subsequently authorized.
5. Privacy Principles: Onward Transfer
Organization must enter into a contract with third-party controller, adhere to specific onward transfer requirements, and has a rebuttable presumption of liability for violations of sub-processing obligations by the third-party controller.
5. Privacy Principles: Onward Transfer
Organization must have contract with third-party onward transfer recipient orascertain that the third party subscribes to the Principles or is subject to Directive or another adequacy finding. If the company complies with these requirements it will not be held responsible for violations by a third-party onward transfer recipient.
6. Redress Possibilities:
Data subjects have multiple options to lodge complaints. They can bring a complaint directly with the organization, with a free-of-charge independent dispute resolution body, as designated by the company, with national DPAs or with the FTC.
6. Redress Possibilities:
Data subjects are encouraged to raise complaints with the relevant organization before proceeding to an independent recourse mechanism, which must be readily available and affordable.

Timeline for Full Implementation

The Privacy Shield decision enters into force immediately upon notification to EU Member States. To that end, Commerce has issued a guide to self-certification and will begin accepting self-certifications to the Privacy Shield on August 1. The guide highlights five steps for companies wishing to come into compliance and certify under the Privacy Shield:

  1. Confirm Your Eligibility: Companies subject to Federal Trade Commission or Department of Transportation jurisdiction are eligible to participate in Privacy Shield.
  2. Develop a Compliant Privacy Policy Statement: Develop a privacy policy that (1) conforms to Privacy Shield principles, (2) references your Privacy Shield compliance, (3) identifies your independent recourse mechanism, and (4) is publicly available. Companies should also provide accurate information about the location of the privacy policy when self-certifying.
  3. Identify Your Independent Recourse Mechanism: Identify an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual.
  4. Establish and Put in Place a Verification Mechanism: Use a self-assessment or an outside/third-party assessment program to verify compliance consistent with Privacy Shield’s verification requirement.
  5. Designate a Privacy Shield Contact: Designate a contact for the handling of questions, complaints, access requests, and any other issues arising under Privacy Shield.

What Now?

While the European Commission and the U.S. government have expressed optimism regarding the legal certainty for businesses under Privacy Shield, Privacy Shield may very well be challenged in EU courts or require renegotiation once the General Data Protection Regulation comes into force in May 2018.2

The EU privacy watchdogs that make up the Article 29 Working Party (the “Working Party”) expressed concerns with an earlier draft of Privacy Shield. Criticizing Privacy Shield’s overall lack of clarity and accessibility, the Working Party noted that U.S. representation did not rule out bulk U.S. government data collection,3 and the lack of detail regarding the newly-established Ombudsperson. Although the Commission and the U.S. agreed on additional clarifications on bulk collection of data, and strengthened the role of the Ombudsperson, it is unclear whether these and other changes are sufficient to protect the rights of EU citizens.

Additionally, privacy advocates have raised concerns that Privacy Shield suffers from the same underlying issues as the now-defunct Safe Harbor. A prompt legal challenge is likely to determine whether Privacy Shield can withstand the scrutiny set forth in the ECJ’s decision in Schrems.

What is certain is that the FTC and Commerce will play an active role in enforcement of data transfers under this framework. FTC Chairwoman Edith Ramirez stated that the FTC would “continue to work closely with our European counterparts to provide robust privacy and data security protections for consumers in the United States and Europe.”

In light of this, the best course of action for companies, particularly those that have yet to enter into model contracts, is to evaluate Privacy Shield and their data transfer practices to see whether self-certification to the Privacy Shield makes sense for the company.