EU-US Privacy Shield Adoption Announced: Steps to Take Now | Practical Law

US and EU officials have announced the adoption of the EU-US Privacy Shield Framework. The Privacy Shield replaces the invalidated US-EU Safe Harbor Framework and supports cross-border personal information data transfers by businesses from EU member states to the US. Companies may soon begin submitting their self-certifications to the US Department of Commerce.

EU-US Privacy Shield Adoption Announced: Steps to Take Now

Practical Law Legal Update w-002-7730 (Approx. 5 pages)

by Practical Law Intellectual Property & Technology
Published on 12 Jul 2016 | USA (National/Federal)

On July 12, 2016, US and EU officials announced the adoption of the EU-US Privacy Shield Framework. The Privacy Shield replaces the US-EU Safe Harbor Framework that was invalidated by the European Court of Justice (ECJ) last October. The Privacy Shield supports cross-border personal information data transfers by businesses from EU member states to the US. Companies may begin submitting their self-certifications to the US Department of Commerce on August 1, 2016.

How We Got Here

The EU Data Protection Directive defines personal information as any information relating to an identified or identifiable natural person. European privacy rules restrict the transfer of personal information from organizations operating within the European Economic Area (EEA) and Switzerland to organizations in countries outside the EEA that do not provide sufficient privacy protection. Countries currently considered inadequate by the EU include the US, based primarily on its lack of a comprehensive federal data protection law.
To transfer personal information, such as information relating to customers, vendors, and employees, from the EEA and Switzerland to affiliates or service providers in inadequate countries, organizations must either:
  • Put an EU-approved transfer mechanism in place.
  • Qualify for a statutory exception.
In July 2000, the EU Commission approved the US-EU Safe Harbor Framework as a method of providing adequate protection for data transfers to the US under Commission Decision 2000/520/EC. Thousands of US companies used the Safe Harbor to support cross-border data transfers from the EU. However, on October 6, 2015, the ECJ issued an opinion in Maximillian Schrems v. Data Protection Commissioner, in which it declared Decision 2000/520/EC invalid and therefore invalidated the Safe Harbor Framework (Case C-362/14). For more information on the Schrems decision, see Legal Update, So Long, Safe Harbor (For Now, Anyway).
Prior to the Safe Harbor's invalidation, US and EU officials had begun a review and negotiations to update the regime. Following the Schrems decision, those negotiations continued, and in February, US officials and the EU Commission agreed on a new approach: the EU-US Privacy Shield. As the agreement worked its way through EU review processes, some officials and others expressed concerns related to:
  • Bulk data collection for government mass surveillance purposes.
  • Redress mechanisms for EU citizens, especially regarding data disclosures made to government agencies for national security purposes.
  • Data retention.
US officials provided additional materials and assurances, and on July 12, 2016, the European Commission announced that it had reached an adequacy decision, clearing the way for the Privacy Shield's adoption.

Privacy Shield Key Elements

The EU-US Privacy Shield Framework consists of four main elements:
  • Privacy Shield Principles. Detailed in the full text provided by the Department of Commerce, the Principles create a code of conduct and require companies that choose to participate in the voluntary program to take actions in seven consumer-focused areas, including:
    • notice;
    • choice;
    • accountability for onward transfer;
    • security;
    • data integrity and purpose limitation;
    • access; and
    • recourse, enforcement, and liability.
    Companies must also adhere to 16 supplemental principles, where applicable, that define additional requirements and processes.
  • Oversight and enforcement. The Privacy Shield will be administered by the Department of Commerce, which has committed to stepping up compliance and oversight activities compared to those under the previous Safe Harbor regime, and conducting regular reviews of participating companies. The Federal Trade Commission (FTC) and Department of Transportation are responsible for enforcement, according to their jurisdictions. Most participating companies fall within the FTC's scope, based on its authority to take action against unfair or deceptive trade practices under Section 5 of the FTC Act. The Privacy Shield also leaves open the potential for additional regulators to enforce compliance, based on their statutory authority.
  • Ombudsperson. A new ombudsperson, within the US State Department and independent from the intelligence services, will help EU citizens address complaints and issues related to government access to personal information transferred under the Privacy Shield for national security purposes.
  • Safeguards and limitations. Various US agencies have made specific written assurances regarding the safeguards and limitations that will be imposed on government access to personal information transferred under the Privacy Shield for national security and law enforcement purposes.

Steps to Take Now

The Department of Commerce will begin accepting self-certification applications from companies on August 1. In its initial guide to self-certification, the Department of Commerce urged interested companies to begin taking specific steps now, including:
  • Confirming their eligibility to participate in the Privacy Shield program.
  • Developing a Privacy Shield-compliant privacy notice, which for most companies means reviewing and updating their current privacy policy to:
    • conform with the Privacy Shield Principles;
    • state that the organization complies with the Privacy Shield Principles;
    • identify an independent recourse mechanism; and
    • ensure the privacy notice is publicly available.
  • Selecting, and if necessary registering with, an independent dispute resolution provider, such as the Council of Better Business Bureaus, TRUSTe, the American Arbitration Association, or others. Companies may instead choose to resolve disputes by committing to cooperate and comply with EU data protection authority (DPA) panels.
  • Committing, for any human resources (employee-related) personal data transfers under the Privacy Shield, to comply and cooperate with DPA dispute resolution, guidance, and panel decisions.
  • Ensuring the organization establishes effective procedures to verify and maintain compliance.
  • Designating a contact within the organization for Privacy Shield matters.
For additional materials, details, and guidance, see US Department of Commerce: EU-US Privacy Shield. For more information on initial Privacy Shield requirements, other mechanisms to support EU-US cross-border data transfers, and other recent developments in EU data protection law, see Expert Q&A: EU-US Personal Information Data Transfers.