On 12 July 2016, the European Commission (“EC”) formally adopted the EU-U.S. Privacy Shield (“Privacy Shield”), which presents a new framework allowing the transfer of personal data outside the European Union to US-based companies.
The Privacy Shield - Background
Under the EU legal regime, the transfer of personal data from the EU to another country is restricted and subject to various conditions. The EC is authorized to grant recognition to certain countries which offer an "adequate level of privacy protection", in order to allow the transfer of personal data from the EU to these countries without the need to comply with the other restrictions and conditions.
The United States has never been granted this level of recognition by the EC. However, the EC recognized a similar level of adequacy in the case of transferring personal data to US-based companies which participated in the self-certification scheme known as "the Safe Harbor". In October 2015, the European Court of Justice found that the EC's previous decision to grant recognition to the Safe Harbor framework was invalid.
In February 2016, the EU and the US finalized an agreement which incorporated the new Privacy Shield program. This program aims to enhance and strengthen the obligations on US-based companies in order to protect the personal data of EU citizens, as well as the monitoring and enforcement powers in this regard, following the requirements set out in the European Court's ruling.
Following the formal adoption of the Privacy Shield and the issuance of the adequacy decision concerning the Privacy Shield, US-based companies which register under the new Privacy Shield framework will enjoy free transfer of personal data from the EU, without the need to adopt alternative legal measures, such as implementing special data processing contractual clauses, obtaining explicit consent for the transfer to the US or adopting special binding corporate rules.
The Privacy Shield in Practice
US-based companies which seek to take part in the Privacy Shield program will be required to take the following measures:
- Register annually on the Privacy Shield List and declare that they meet its requirements;
- Comply with the detailed privacy principles and practices which are stipulated under the Privacy Shield ("Privacy Principles"). These Privacy Principles include, inter alia, the following main requirements with regard to personal data:
  - Offering choice to data subjects with regard to data processing;
  - Providing appropriate security measures to safeguard personal data;
  - Complying with data integrity requirements and purpose limitation;
  - Honoring data subjects' access requests;
  - Accountability for onward transfers of personal data; and
  - Complying with enforcement and liability requirements.
You can read more about the Privacy Principles and compliance issues which apply to companies wishing to join the Privacy Shield program in our previous Client Update on this subject.
Companies will be able to apply for the new Privacy Shield certification from 1 August 2016.
The requirement for full compliance with the Privacy Principles will apply immediately upon certification. One exception relates to the principle of "accountability for onward transfer". Where a company self-certifying to the Privacy Shield already has commercial relationships with third parties in place, the company will be obliged to comply with this principle as soon as possible and no later than nine months from self-certification.
We encourage all of our US-based clients who transfer personal data of European citizens to the US and wish to be certified pursuant to the new Privacy Shield framework to take the appropriate steps to comply with the Privacy Shield's Privacy Principles and practices.