On February 29, 2016, the European Commission published a draft adequacy decision and related documents intended to implement the EU-U.S. Privacy Shield. Upon adoption (anticipated for June 2016), the Privacy Shield will serve as a new legal mechanism for transatlantic data flows replacing the U.S.-EU Safe Harbor Framework. We have provided a brief review below, and a more detailed analysis is available here.
Self-Certification Process
Like Safe Harbor, the Privacy Shield will function through a self-certification process by which U.S. companies agree to adhere to a set of privacy principles. The Department of Commerce will maintain and make publicly available an up-to-date list of Privacy Shield participants. Overall, enforcement of the Privacy Shield is projected to be more stringent than under the Safe Harbor Framework.
Commercial Obligations
U.S. companies that self-certify under the Privacy Shield will be required to comply with the following core Privacy Shield principles (as well as additional supplemental requirements):
- Notice Principle. Organizations must notify data subjects about thirteen specific data points including information about the type of data collected, the purposes of processing, redress options and onward transfers.
- Choice Principle. Organizations must offer individuals the opportunity to opt out of the disclosure of their personal data to third parties or the use of such data for a materially different purpose than that for which it was collected.
- Onward Transfer Principle. Onward transfers to third party controllers must only take place for limited and specified purposes and on the basis of a contract pursuant to which the transferee commits to provide the same level of protection as afforded by the Privacy Shield principles.
- Security Principle. Organizations must implement reasonable and appropriate security measures.
- Data Integrity and Purpose Limitation Principle. Organizations must adhere to the concept of data minimization and further ensure that personal data is accurate, complete and up-to-date.
- Access Principle. Organizations must give individuals access to personal data and enable them to have data corrected, amended or deleted.
- Recourse, Enforcement and Liability Principle. Organizations must implement readily available independent recourse mechanisms to resolve complaints. They must also verify periodically that their published privacy policies conform to the Privacy Shield Principles and are in fact complied with.
U.S. Government Access
The protections provided by the Privacy Shield on the issue of U.S. government access to European personal data include:
- written assurances by the Office of the Director of National Intelligence and the Department of Justice regarding access and use of data for national security and law enforcement purposes; and
- the establishment of a Privacy Shield Ombudsperson.
These protections will be complemented by the Judicial Redress Act recently signed into law.
Redress Mechanisms
EU residents will be able to resort to various redress mechanisms under the Privacy Shield, including lodging a complaint with the U.S. company, making a complaint to their local data protection authority, submitting the issue to an alternative dispute resolution body or, as a last resort, invoking binding arbitration.
Transition Period
The Privacy Shield is generally silent regarding a transition period or mechanism for Safe Harbor certified companies to transfer to the Privacy Shield. There is, however, a limited (nine months) transition period regarding third party contractual relationships for organizations certifying to the Privacy Shield within two months of its effective date.
What next?
Companies need to think about their short-term as well as medium to long-term EU/U.S. data transfer strategy. In the short term, companies will need to rely on alternative transfer mechanisms, while considering what might be the best medium to long-term option and whether the Privacy Shield (as perhaps a less formal or easier-to-implement transfer mechanism compared to alternative mechanisms) might be a feasible option. Given the uncertainty in this space, organizations may find it beneficial to establish more than one mechanism to address cross-border transfer restrictions.
Contributors: Brian Hengesbaugh, Michael Schmidl, Amy de La Lama & Anna von Dietze
