By Bart W. Huffman, Esq., Alan D. Meneghetti, Esq., Mark E. Schreiber, Esq., and Thomas J. Smedinghoff, Esq. of Locke Lord LLP
Beginning on August 1, 2016, U.S. companies have a new way to legally facilitate the transfer of personal data from the European Union to the U.S. Known as the EU-U.S. Privacy Shield, this new agreement between the EU and the U.S. was approved by the European Commission on July 12, 2016. It will facilitate the storage, sharing, retention and use of EU personal data by participating U.S. companies. Effective August 1, 2016, U.S. companies can join the Privacy Shield by self-certifying their compliance with its requirements.
The Privacy Shield promises to “impose stronger obligations on U.S. companies,” as well as require greater monitoring by and cooperation between the U.S. and European Data Authorities.
1. What is Privacy Shield?
The EU-U.S. Privacy Shield is a set of principles agreed to by the European Union and the United States to enable U.S. companies that certify compliance with those principles to more easily receive personal data from the EU. It is a replacement for the U.S.–EU Safe Harbor program, which was originally established in 2000 and declared invalid by the European Court of Justice in October 2015.
By certifying compliance with the Privacy Shield principles and its other requirements, a U.S. company satisfies the EU legal requirements necessary to receive and process personal data from the EU. A U.S. company also becomes subject to enforcement by the Federal Trade Commission under FTC Act section 5 if it subsequently fails to comply with any of those principles.
2. What Are the Privacy Shield Principles that U.S. Companies must comply with?
To join the Privacy Shield, U.S. companies must commit to comply with seven principles governing the handling of personal data received from the EU. While those principles are similar to the principles adopted under the prior Safe Harbor agreement, the compliance obligations under each principle have been significantly expanded. The European Commission recently put out a Guide to the EU-U.S. Privacy Shield, and the Department of Commerce has a Fact Sheet for Interested Participants on its website. The principles are categorized as follows in the Guide:
- Notice: “Your right to be informed.”
- Choice: “Limitations on the use of your data for different purposes.”
- Data Integrity and Purpose Limitation: “Data minimization and obligation to keep your data only for the time needed.”
- Security: “Obligation to secure your data.”
- Accountability for Onward Transfer: “Obligation to protect your data if transferred to another company.”
- Access: “Your right to access and correct your data.”
- Recourse, Enforcement and Liability: “Your right to lodge a complaint and obtain a remedy.”
U.S. participants must not only agree to adhere to the Privacy Shield principles; they must also reflect certain information in their privacy policies and advise EU citizens of their redress and other rights. When a participating U.S. company commits a potential breach under the Privacy Shield framework, the individual will have a number of options to enforce their rights against the company.
3. How Does Privacy Shield Compare with the old Safe Harbor?
The seven Privacy Shield principles are similar to the original seven Safe Harbor principles in name. However, several of the new Privacy Shield principles impose obligations on U.S. companies that go well beyond the obligations of the old Safe Harbor.
One of the core principles that is significantly expanded is the onward transfer principle, now referred to as the “accountability for onward transfer” principle. For example, U.S. companies that want to transfer personal information received from the EU to third-party controllers must now enter into a contract with the transferee (1) providing that the data may only be processed for limited and specified purposes consistent with the consent provided by the data subject, and (2) obligating the recipient to provide the same level of protection for the data as required under the Privacy Shield principles. Companies that self-certify under Privacy Shield before October 2016 will have a nine-month window to bring their transfer contracts into compliance with these and other requirements. During this nine-month period, individuals will have opt-out rights. After that, all such onward transfer contracts must be compliant at the time of self-certification.
Another core principle undergoing significant changes is the recourse, enforcement, and liability principle. U.S. companies are now required to provide independent recourse mechanisms to resolve complaints and disputes at no charge, commit to binding arbitration at the request of the data subject, and respond promptly to inquiries from the Department of Commerce relating to any disputes.
4. What are the Pros and Cons of Joining Privacy Shield?
- It will facilitate personal data transfers from EU to U.S. entities.
- It will not facilitate personal data transfers from EU to other non-EU countries.
- It will certainly require more work for companies, both in privacy policy changes and back end implementation processes.
- The Privacy Shield undertaking will be rigorous and monitored.
- There is some risk of challenges to the legal validity of Privacy Shield in the future.
The EC has announced that the new arrangement will require the U.S. Department of Commerce “to conduct regular updates and reviews” of all participating companies in the scheme. At the time of writing, we do not know how many companies will participate, although both Microsoft and Google have announced their intention to sign up to the proposal on 1 August 2016. It is highly likely that the U.S. Department of Commerce will require each company to keep updated records of personal data held and produce reports at regular intervals to the Department.