Starting on August 1, 2016, U.S. companies can participate in the E.U.-U.S. Privacy Shield program, a new mechanism that enables the lawful transfers of personal data between the European Union and the United States. The Privacy Shield replaces the now-invalidated “Safe Harbor” program that many companies previously relied upon to transfer personal data of E.U. citizens into the U.S.
The Privacy Shield is a potentially valuable tool for any company transferring personal data out of the E.U., but it is especially important to those that have not updated their cross-border compliance plans since the invalidation of the Safe Harbor in October of 2015.
Like the predecessor Safe Harbor initiative, the Privacy Shield is a self-certification program. In order to participate, a company must self-certify to the Department of Commerce that it meets the requirements set forth in the seven basic privacy principles embodied in the Privacy Shield: (1) notice; (2) choice; (3) accountability for onward transfer; (4) security; (5) data integrity and purpose limitation; (6) access; and (7) recourse, enforcement and liability. These principles are implemented in various ways, including internal policies and practices, customer-facing policies, and third-party contracts. In order to encourage early participation, companies that certify before October 1, 2016 will receive a special 9-month grace period to evaluate and amend existing third party contracts in order to ensure compliance with the Privacy Shield principles.
Although the Privacy Shield has many similarities to the invalidated Safe Harbor, there are several key differences that companies should understand. Most notably, the Privacy Shield provides for significantly more oversight and enforcement, including increased investigative, monitoring, and compliance reviews by U.S. authorities, as well as E.U. citizens’ enhanced redress options with E.U. authorities. In light of the Privacy Shield’s enhanced focus on compliance and enforcement – a notoriously weak aspect of the Safe Harbor – companies considering participating should be sure to carefully review the requirements to ensure compliance.