The EU-U.S. Privacy Shield is official. This post explains what Privacy Shield is, what it requires, what has changed since the first version proposed in February 2016, how to join, and the benefits of joining early.
What’s the Bottom Line?
The EU and several other European jurisdictions restrict transfers of personal data to the United States. Existing methods of overcoming these restrictions can be cumbersome and impede transatlantic business, slowing and sometimes killing cross-border deals and associated revenue, and creating compliance headaches even for intra-company transfers. Today, a new alternative for overcoming these restrictions was announced: the EU-U.S. Privacy Shield. U.S. companies that choose to join this program will enjoy streamlined transactions with their EU counterparts. Companies that join by early September will enjoy a nine-month grace period for complying with some of the program’s requirements. [Update: See the “Why Join Privacy Shield Early?” section below for an update on this deadline.]
What is Privacy Shield?
First, some background. For many years, the Safe Harbor program provided an exception to EU cross-border data restrictions and permitted the export of personal data to participating U.S. companies. However, in October 2015, the European Court of Justice determined that Safe Harbor did not provide a sufficient legal basis for the transfer of personal data to the U.S., invalidating its use as a data transfer mechanism.
This decision forced companies that relied on Safe Harbor to shift their compliance strategies to use other exceptions for their transfers to the U.S., most frequently the Standard Contractual Clauses (also known as the “Model Contracts”). However, for many companies, Model Contracts contain impractical requirements (such as onerous subcontracting and audit provisions in the controller-to-processor Model Contract used for transfers to service providers), and using them can involve bureaucratic red tape in some European countries. Pressure mounted for a Safe Harbor successor.
In February 2016, EU and U.S. negotiators announced the EU-U.S. Privacy Shield, which, like Safe Harbor, is a compliance program that U.S. companies can choose to join. European exporters of personal data would not be liable for violating EU cross-border data transfer restrictions when transferring personal data to participating U.S. companies. Privacy advocates and EU privacy regulators assailed the February 2016 version as lacking adequate privacy protection. The negotiators then made some adjustments to address these concerns, and the new version was approved last week by a committee of EU member states (four countries abstained), paving the way for final approval.
Today, that final approval came in the form of an adequacy decision from the European Commission that recognizes the Privacy Shield as providing privacy protection that is “essentially equivalent” to that provided by existing EU data protection law.
The decision is effective as of today. U.S. companies can join the Privacy Shield by registering with the Department of Commerce on or after August 1, 2016.
What Does Privacy Shield Require?
By registering, the U.S. company agrees to comply with the Privacy Shield Principles and related rules (see primarily the adequacy decision’s Annex II, which starts on page 16 of this document), most notably the following:
- Notice: Provide individuals whose personal data is received under the program with certain information about how their personal data is handled and how to exercise their Privacy Shield rights.
- Choice: Give the individuals certain options regarding uses and disclosures of their personal data. This choice can be offered on an opt-out basis, except where the personal data is considered sensitive (i.e., personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual), in which case only opt-in suffices.
- Accountability for Onward Transfer: Take certain compliance steps when transferring EU data to a third party. The specific steps depend on whether the third party will handle the data as the U.S. company’s “agent” (i.e., handling the data only pursuant to the instructions of and on behalf of the U.S. company). In most cases (for transfers to both agents and non-agents), the U.S. company will be required to impose certain contractual restrictions on the data recipient.
- Security: Implement “reasonable and appropriate measures to protect [personal data] from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.”
- Data Integrity and Purpose Limitation: Only use personal data that is relevant to the purposes for which it was collected, and use it only in ways that are compatible with such purposes (or other purposes authorized by the individual). Data retention limits apply.
- Access: Provide individuals with a limited right to access the personal data about them and to correct, amend, or delete that information where it is inaccurate or has been processed in violation of the Privacy Shield Principles.
- Recourse, Enforcement and Liability: Select an independent recourse mechanism to arbitrate certain Privacy Shield-related disputes, and participate in that and the other dispute resolution and enforcement processes set forth in the Privacy Shield.
What’s New in the Final Version of Privacy Shield?
Here are the key differences between the final version and the one that was proposed in February 2016:
- The contracts that the Accountability for Onward Transfer Principle requires now must obligate the data recipient to notify the U.S. company if the recipient determines that the recipient cannot honor its contractual Privacy Shield obligations. Contracts with non-agents must specify that in this case, the non-agent will cease processing the data or take other appropriate steps to remediate the situation.
- The data retention restrictions in the Data Integrity and Purpose Limitation Principle are new. Personal data may be retained in identifiable form only for a limited time and under certain conditions, though there are exceptions for certain uses, including “statistical analysis.” The new rules establish standards for de-identification.
- The U.S. has given the EU additional assurances about the U.S. government’s collection of EU data. These take the form of, for example, promises in a letter from Secretary of State John Kerry.
- The dispute resolution processes have been clarified somewhat, as has the role of the U.S. government’s Privacy Shield Ombudsperson, who will respond in a very limited fashion to certain complaints about the U.S. government’s collection of EU data.
How Does a Company Join the Privacy Shield Program?
As under Safe Harbor, U.S. companies can submit a registration application via a Department of Commerce website that will open on August 1, 2016. Companies do not need to obtain any third-party certification before or after joining. For example, there is no need to have a privacy vendor issue any sort of determination of compliance, and doing so will not lessen a company’s compliance obligations under the Privacy Shield. (Note also that communications with those sorts of vendors are not protected by attorney-client privilege.)
While the exact certification process will vary on a company-by-company basis, it typically involves the following steps. The process is quicker for companies that participated in Safe Harbor or that have taken steps to comply with EU data protection law.
- Identify the personal data that the company receives (or wants to receive) from the EU and how the company wishes to collect, use, and disclose the data.
- Perform a gap analysis to identify areas where the company’s data handling and privacy practices do not already comply with the Privacy Shield. For example, companies should assess whether their opt-in or opt-out practices comply with the Choice Principle.
- Address the gaps. This will require selecting a dispute resolution mechanism and revising the company’s privacy policy. It also probably will involve steps such as the following:
  - Creating or revising internal policies to implement Privacy Shield requirements.
  - Negotiating revisions to contracts with data recipients (such as service providers).
  - Confirming that the company’s security practices are reasonable and appropriate.
  - Ensuring that relevant personnel are trained in their role in ensuring the company’s compliance with Privacy Shield.
- Submit the certification to the Department of Commerce.
Many companies will use this process to begin to address their upcoming obligations under the EU’s General Data Protection Regulation (“GDPR”), which takes effect in May 2018 and will apply to many U.S. companies. For example, when revising their privacy policy to address Privacy Shield requirements, they also will make the additional adjustments that are necessary to comply with the GDPR.
Why Join Privacy Shield Early?
A company that joins Privacy Shield within two months of its effective date of July 12, 2016 (in other words, by around September 12, 2016, depending on how the regulators calculate the date) will have nine months from the join date to negotiate contract amendments with then-existing data recipients to add the language required by the Accountability for Onward Transfer Principle. [Update: Although the actual text of the Privacy Shield (which is what was approved by the European Commission) specifies that the two-month grace period for registrations begins on the program’s effective date (which was July 12, 2016) and thus would end around September 12, an informal FAQ page on the U.S. Department of Commerce’s Privacy Shield website states (without explanation) that the two months begin on August 1, 2016 and end on September 30, 2016.] All other requirements will apply from the date the company joins the Privacy Shield.

For example, if a company joins Privacy Shield on September 1, 2016, and at that time is sharing personal data with four service providers, the company will have until June 1, 2017 to amend its contracts with those four service providers to include the necessary Privacy Shield language. If the company instead waits until November 1, 2016 to join Privacy Shield, then the company will be violating Privacy Shield if on that date it has not already amended its contracts. Regardless of a company’s certification date, all data-relevant contracts concluded after joining must include appropriate Privacy Shield language.
More Resources
From the European Commission:
From the Department of Commerce:
Updated: 9/14/16