On July 12, the European Commission adopted the EU-U.S. Privacy Shield, replacing the U.S.-EU Safe Harbor framework. The Privacy Shield provides a mechanism to certify that a company’s transfer to the U.S. of personal data collected about European Union (EU) residents is in compliance with the EU Data Protection Directive.* The directive requires those who collect and store personal data of EU residents to provide an “adequate level of protection” for the data’s safekeeping and use.
The Privacy Shield framework allows U.S. companies to register and self-certify compliance with the higher standards of protection required under EU laws, permitting the free flow of EU resident data to compliant U.S. organizations.
Companies that submit their self-certification by Sept. 30, 2016, automatically receive an additional nine months to ensure their existing relationships with third-party data controllers conform with the Privacy Shield principle on Accountability for Onward Transfer. Certification covers not just the operations of the certifying company, but also the commercial arrangements the company has with third-party “data controllers” (such as cloud storage providers). Companies may submit self-certifications after Sept. 30, but such submissions will have to certify compliance by their third-party data controllers at the same time.
The U.S. Department of Commerce began accepting self-certification submissions on Aug. 1. To take advantage of Privacy Shield, U.S. companies must submit a statement to the Department of Commerce self-certifying that the company’s data protection policy for EU personal data complies with 23 principles. The Commerce Department will examine the self-certification and confirm that the materials submitted comply with the principles. Upon confirmation, the company is added to the list of Privacy Shield-compliant companies.
In October 2015, the Court of Justice of the European Union found the “Safe Harbor” framework invalid in Maximillian Schrems v Data Protection Commissioner for failing to provide adequate protection for EU personal data against government surveillance, among other reasons. The U.S. Department of Commerce and the EU Commission subsequently negotiated a substitute framework, dubbed Privacy Shield, that seeks to meet the “adequate level of protection” standard for transfers of EU personal data and also permits compliance with U.S. national security laws and regulations. For more information about the history of the invalidation of the Safe Harbor and the development of Privacy Shield, please see our prior alerts here and here.
Privacy Shield is an important certification for companies that collect or use personal data of European residents and wish to transfer it to the U.S. Alternative transfer mechanisms, namely Binding Corporate Rules and Model Contract Clauses, may also be available to certain organizations.
*European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, or Directive 95/46/EC.