A Brief Recap
EU law generally prohibits the transfer of personal data from the European Economic Area to the U.S., unless the transfer is made in accordance with an authorized data transfer mechanism or otherwise falls within an exception. The Safe Harbor framework was one of these authorized data transfer mechanisms, but it was declared invalid by the Court of Justice of the European Union last October. Following months of negotiation between the U.S. and the EU, as of August 1, 2016, the EU-U.S. Privacy Shield was launched, and companies can now self-certify with the Department of Commerce and join the program.
We therefore take a look at the current “state of play” with regard to the Privacy Shield and some of the decisions facing those considering whether to self-certify.
Why Rush to Certify?
Given that companies were managing to transfer personal data from the EU to the U.S. prior to August 1, 2016, why, then, should companies rush into Privacy Shield certification?
Nine-Month Grace Period: To incentivize use of the new Privacy Shield, if a company filed its self-certification by September 30, 2016, it was granted a nine-month grace period (from the date of certification) to conform its contracts with third parties to the new onward transfer requirements under the Privacy Shield. This onward transfer requirement essentially means that certifying companies have to ensure that any subprocessors of the personal data (entities to which the personal data is transferred) have Privacy Shield-type safeguards in place. This grace period was seen as a big incentive to certify early.
Risk of Invalidation of Model Clauses: On May 25, 2016, the Irish DPA referred a matter to the Court of Justice of the European Union, effectively challenging the legal validity of the Model Clauses (the other key authorized data transfer mechanism) on similar grounds as those on which the Safe Harbor was challenged. This left the market wondering whether they could continue to rely on Model Clauses, potentially making the Privacy Shield a more attractive alternative.
Some Added Certainty from the Regulators: Following the uncertainty created by the Irish DPA referral (above), on July 26, 2016, Isabelle Falque-Pierrotin, the Chairwoman of the Article 29 Working Party of data protection regulators, announced that EU data protection regulators would not challenge the adequacy of the Privacy Shield until late 2017, providing some level of certainty to the Privacy Shield route – at least in the short term.
A Step Closer to GDPR Compliance: A thorough Privacy Shield gap analysis and compliance program has the benefit of moving a company a step toward the compliance requirements of the General Data Protection Regulation (GDPR), which will become effective in mid-2018. The GDPR extends the territorial reach of EU privacy law to U.S. companies providing services to the European market or profiling EU citizens, so Privacy Shield compliance may be seen by some as Phase 1 of a multi-phased approach to GDPR compliance.
Reasons for Possible Reluctance
The Privacy Shield has certainly received mixed reviews from the market and regulators alike, so not everybody has been so keen to certify. Here’s why:
Early Adopters = Increased Scrutiny: The benefits of the nine-month grace period have to be weighed against the risks of the increased scrutiny that early adopters will face. There will be pressure on regulators and governments to ensure that the Privacy Shield is seen as a robust mechanism, protecting the fundamental freedoms of EU citizens. This will bring with it heightened sensitivities around compliance and transparency, meaning that those certifying early will likely be closely scrutinized. Now that the ability to take advantage of the grace period is over, it will be interesting to see how demand for certification is impacted.
“Better the Devil You Know:” Since the Safe Harbor invalidation, many companies have been scrambling to implement a Model Clause program, which would have required a level of analysis, assessment and implementation. Implementing a Privacy Shield compliance program will now require further changes. Given that many companies have become comfortable with the risk profile and obligations of Model Clauses, they may opt to retain the Model Clause approach and adopt a wait-and-see position on whether the regulators, the courts or their customers force their hand to certify under the Privacy Shield. A sensible approach would seem to be to keep one eye on each regime.
Cost of Compliance Program: A criticism of the Safe Harbor was that self-certification was often not taken seriously enough by those certifying and those supervising. Under the new framework, the consequences of noncompliance are real, and warrant appropriate attention and resources. Some will simply wish to postpone this until the next quarter, calendar year or revenue cycle, or maybe even until early examples of strong enforcement justify the legal spend.
So Who Has Certified?
At the time of writing, over 200 U.S. companies have already self-certified to the Privacy Shield, with another 300 companies being reviewed. Sophisticated companies, such as Oracle, Microsoft, Google and Salesforce, are now among those that have been certified, along with smaller enterprises. In contrast, more than 4,000 companies had been certified under the Safe Harbor regime. The International Association of Privacy Practitioners noted in their 2016 Annual Privacy Governance Report that “many companies remain wary of Privacy Shield and are still weighing other transfer compliance options. This is especially true of small companies for whom GDPR compliance presents a formidable challenge.”
It therefore appears that a state of flux will continue, at least in the short term.