After much negotiation between the U.S. and European authorities, the Department of Commerce (DOC) began accepting applications to the EU-U.S. Privacy Shield Framework on August 1, 2016.  Although there was considerable speculation about whether U.S. companies would participate in the program due to the possibility of legal challenges in Europe and the more stringent requirements of Privacy Shield over Safe Harbor, more than 75 companies have already completed the self-certification process, and many more have submitted their applications and are awaiting approval from the Department of Commerce.  

This list will almost certainly continue to grow, particularly over the next month, because companies that apply to Privacy Shield before September 30, 2016, will be able to avail themselves of a limited”grace period”. Specifically, this grace period will provide companies a ninth month transitional period to bring their commercial relationships with third parties into line with the Privacy Shield requirements. Otherwise, companies must achieve compliance with the Accountability for Onward Transfer Principle by revising relevant third party contracts before completing the certification process – a step that may significantly delay a company’s certification. Nevertheless, companies will still need to meet all other Privacy Shield requirements before self-certifying (e.g., requirements to develop a Privacy Shield policy statement, identify the independent recourse mechanism, identify a Privacy Shield contact).

As companies begin to transition to Privacy Shield, a logical next question is what does the DOC intend to do with the legacy EU-U.S. Safe Harbor program? To this end, the DOC stopped accepting new Safe Harbor applications as of August 1, 2016, and as of October 31, will stop accepting Safe Harbor annual re-certifications. An organization that joins Privacy Shield will be automatically withdrawn from Safe Harbor, and the Privacy Shield team will also adjust the organization’s Safe Harbor record so that the “certified through” date displayed in the record reflects the date of certification to the Privacy Shield. In anticipation of automatic withdrawal  from Safe Harbor and/or the eventual shuttering of the program as a whole, organizations will need to continue to take steps to update references to Safe Harbor on websites, privacy statements or contracts to reference Privacy Shield (or other appropriate cross-border transfer vehicle).

As the Privacy Shield program continues to hit its stride, U.S. companies that are currently considering the self-certification process should continue to evaluate whether and when Privacy Shield makes sense for them. Although there is no one size fits all answer to that question, it is clear that Privacy Shield is already a preferred solution for a number of companies across a range of industry sectors.

 

Author