Self-Certification Process to Begin August 1, 2016
On July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield, replacing the former Safe Harbor Framework, which the Court of Justice of the European Union (CJEU) struck down late last year. After months of negotiations and several rounds of review by U.S. and EU leadership, the Privacy Shield was formally approved by the EU as an adequate mechanism for data transfers to the U.S. The agreement was signed by Commissioner Vera Jourova and U.S. Secretary of Commerce Penny Pritzker. Secretary Pritzker stated that the Privacy Shield is a "milestone for privacy" and emphasized U.S. and EU leadership’s commitment to ensuring a smooth transition to the new framework.
Key Elements of the Privacy Shield
Elements of the Privacy Shield were modified after the U.S. and EU introduced the new data transfer arrangement in February to include a number of provisions identified by the European Data Protection Authorities (DPAs) as areas of continued concern, namely: issues around bulk data collection; the independence of the newly-created U.S. Ombudsperson; and the addition of an explicit data retention principle.
The Privacy Shield is based upon seven foundational Principles: (1) Notice; (2) Choice; (3) Accountability for Onward Transfer; (4) Security; (5) Data Integrity and Purpose Limitation; (6) Access; and (7) Recourse, Enforcement, and Liability. In particular, the newly-adopted framework includes requirements pertaining to:
- Notifying individuals about data processing and access rights
- Providing a free and accessible dispute resolution mechanism
- Cooperating with the U.S. Department of Commerce inquiries and document requests
- Maintaining data integrity and purpose limitation
- Ensuring accountability for data transferred to third parties, including third-party contractual data processing obligations
- Transparency in enforcement actions (including a requirement to make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the Federal Trade Commission (FTC) if the organization becomes subject to an FTC or court order based on non-compliance)
- Ensuring compliance with the Privacy Shield Principles for as long as the data received under the framework is held, even if the company no longer participates in the Privacy Shield
Participating in the Privacy Shield
In order to participate in the Privacy Shield, U.S.-based companies must self-certify to the U.S. Department of Commerce and publicly commit to complying with the requirements set forth under the new framework. The Commerce Department announced that it will begin accepting certifications on August 1, 2016. The Commerce Department has also released guidance to assist organizations that are interested in joining the Privacy Shield.
It is important to note that, although the Privacy Shield is a voluntary program, it is legally enforceable against participants. Thus, before joining the Privacy Shield, companies should review the Privacy Shield to ensure that they are able to adhere to its requirements and establish a compliance management plan for doing so.
Further, the Privacy Shield is not the only existing permissible data transfer mechanism—other avenues are still available, including Model Contract Clauses and Binding Corporate Rules. Companies should assess their business operations and data transfer needs and consult with legal counsel to determine which mechanism is most appropriate for their organization.