On April 5, 2016, Wilson Elser released a client alert outlining the details of the EU-U.S. Privacy Shield program, the proposed replacement for the Safe Harbor arrangement governing transfers of EU citizens’ personal data to the United States. Privacy Shield was conceived to fill the gap left when the European Court of Justice invalidated Safe Harbor in its October 2015 decision in Schrems v. Data Protection Commissioner. Now, following more than four months of uncertainty, on July 8, 2016, the EU Article 31 Committee approved the Privacy Shield program, with the representatives of four Member States abstaining. Soon after, on July 12, EU Justice Commissioner Věra Jourová and U.S. Commerce Secretary Penny Pritzker jointly announced the program’s formal adoption.
Separately, the United Kingdom’s recent referendum to leave the European Union, aka “Brexit,” complicates the picture. Although Brexit leaves the UK’s long-term data protection plans uncertain, the two-year negotiation period leading up to withdrawal (which may be extended) will not commence until the UK invokes Article 50 of the Lisbon Treaty. Now that Theresa May has been confirmed as the new Prime Minister, things may move faster than initially expected. Nevertheless, for the time being the UK will continue to participate in both Privacy Shield and the incoming General Data Protection Regulation (GDPR), which governs data protection in all EU Member States and is set to take effect in May 2018. This pre-exit compliance suggests that an independent UK should not face major hurdles in establishing an adequate level of protection by EU standards post-Brexit.
The Commerce Department has indicated that it will begin accepting self-certifications on August 1, 2016, so companies that intend to rely on Privacy Shield should take steps now to ensure that they are compliant. In addition to the seven principles and 16 supplemental principles that companies must implement, companies are advised to review the letters from the International Trade Administration, the Federal Trade Commission (FTC) and the Department of Transportation (DOT) that accompany the Privacy Shield framework, as relevant to their industries.
To provide further guidance and clarification, the Department of Commerce has released a guide with five steps to assist in the self-certification process.
Five Steps to Self-Certification
- Confirm eligibility: To participate in Privacy Shield, a U.S. company must be subject to the jurisdiction of either the FTC or the DOT. Nonprofit organizations and depository institutions, among other entities, are typically not under the jurisdiction of either agency and therefore cannot self-certify.
- Develop a Privacy Shield-compliant privacy policy: Before self-certifying, a company must adopt and make available a privacy policy that conforms to the Privacy Shield Principles and states the company’s commitment to them.
- Choose an independent recourse mechanism: Companies must provide individuals with a means of investigating unresolved privacy-related complaints at no cost to the individual. In certain circumstances, most notably where a company transfers human resources data from the EU, companies may choose or be required to cooperate and comply with the EU data protection authorities in lieu of a third-party independent recourse mechanism.
- Implement a verification mechanism: Companies must verify their ongoing compliance with Privacy Shield either through an internal self-assessment procedure or by retaining a third party to conduct an outside compliance review.
- Designate a Privacy Shield contact: Companies must assign a primary contact person to handle questions, complaints, access requests and other issues related to Privacy Shield. This person might be a chief privacy officer or other official able to adequately address such inquiries.
Privacy Shield provides a workable framework for the transfer of personal data between the United States and the European Union.