
The Early Days of the EU-U.S. Privacy Shield: Should Your Organization Self-Certify?

On August 1, 2016, the U.S. Department of Commerce began accepting self-certification applications for the new EU-U.S. Privacy Shield Framework.  In the month that has followed, over 100 companies (including Microsoft, Oracle and Salesforce, among others) have self-certified that they are in compliance with the EU-U.S. Privacy Shield.

Now that the Privacy Shield is in effect and gaining acceptance, it is a good time for companies to examine whether the Privacy Shield makes sense for them.  To answer that question, it is important to understand some basic facts about the Privacy Shield and the benefits (and detriments) of seeking its protection.

What is the Privacy Shield?

The Privacy Shield is a framework agreed to by the U.S. Department of Commerce and the EU Commission for movement of personal data from the European Union to the United States in a legally compliant manner.

Under the laws of the EU and its member states, personal data may generally be transferred outside of the European Union only to jurisdictions that the EU Commission has deemed to provide an “adequate” level of data protection, unless another approved transfer mechanism (such as those discussed below) is used.  The U.S. as a whole is not deemed to provide an “adequate” level of data protection.  However, the EU Commission has determined that an organization’s compliance with the Privacy Shield meets the EU’s adequacy requirements for data transfers.  Consequently, personal data can be transferred from the EU to a U.S. entity that complies with the principles of the Privacy Shield and publicly certifies its compliance by making a filing with the U.S. Department of Commerce.

The Privacy Shield replaced the U.S.-EU Safe Harbor, which was an earlier accord between the Commerce Department and the EU Commission for data movement.  On October 6, 2015, the European Court of Justice struck down the Safe Harbor for various failings.  The Privacy Shield is designed to address some of the shortcomings that were present in the earlier Safe Harbor.

Who is Eligible to Participate in the Privacy Shield?

Not all U.S. entities are eligible to participate in the Privacy Shield.  Only organizations subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation are eligible to participate.  For instance, banks and telecommunications common carriers would not be eligible to participate in the Privacy Shield, as they are not subject to FTC or DOT jurisdiction.

What are the Requirements of the Privacy Shield?

In order to participate in the Privacy Shield, an organization must (among other things):

  • Maintain a publicly available privacy policy that complies with the Privacy Shield.  Note that if only your organization’s human resources data will be subject to the Privacy Shield, the privacy policy need only be made available to employees.
  • Self-certify to Privacy Shield compliance annually (via a Commerce Department website).
  • Comply with seven core privacy principles and sixteen supplemental privacy principles.  The seven core principles address:
  1. Notice — e.g., the data subject is informed about the organization’s participation in the Privacy Shield and how their data is collected and used;
  2. Choice — subject to exceptions, the data subject has the ability to determine whether their data may be disclosed to third parties or used for purposes other than those for which it was originally collected;
  3. Accountability for Onward Transfer — the organization remains responsible for personal data it transfers to third parties and must ensure, by contract, that those parties provide the same level of protection;
  4. Security — an organization must take reasonable and appropriate measures to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction;
  5. Data Integrity and Purpose Limitation — personal information must be limited to information that is relevant for the purposes of processing, personal information may be retained only for as long as it serves a purpose of processing (subject to certain exceptions), and an organization must take reasonable measures to ensure that personal data is reliable, accurate, complete and current;
  6. Access — an organization must allow individuals (subject to exceptions) to access their data and to correct, amend or delete it where it is inaccurate or has been processed in violation of the principles; and
  7. Recourse, Enforcement and Liability — an organization must be subject to free and readily available independent dispute resolution mechanisms for complaints from data subjects.

What are the Benefits of the Privacy Shield?

By complying with the Privacy Shield a company is deemed to have adequate measures in place to protect personal data in accordance with requirements of the law of the EU and its member states.  An organization that is compliant with the Privacy Shield can avoid other potentially more costly and time consuming mechanisms that are used for legally transferring data from the EU to the U.S., such as Binding Corporate Rules and Standard Contractual Clauses.   The use of the Privacy Shield also avoids the need to obtain data transfer approval from Data Protection Authorities of EU member states.

Are there any Drawbacks to the Use of the Privacy Shield?

An organization participating in the Privacy Shield will have to pay an annual fee to the Commerce Department.  The fees range from $250.00 to $3,250.00 depending on the size of the organization.

Failure to honor the Privacy Shield commitments an organization has publicly made may be deemed an unfair or deceptive act or practice under Section 5 of the Federal Trade Commission Act, and a non-complying organization may be subject to an FTC enforcement action.

While the Privacy Shield has addressed many of the deficiencies that the European Court of Justice identified with the Safe Harbor, the Privacy Shield may still be subject to legal challenge in the EU.  Additionally, Data Protection Authorities in some EU member states have already expressed concerns about the Privacy Shield.

Should Your Organization Self-Certify Under the Privacy Shield?

The Privacy Shield may be appropriate for your organization if it works extensively with personal data originating from the European Union, and if it wants to avoid the time and expense of seeking approval for Binding Corporate Rules or negotiating with multiple parties with respect to contracts containing Standard Contractual Clauses.  If your organization already maintains Binding Corporate Rules or Standard Contractual Clauses, the Privacy Shield certification may not be worth pursuing.

If your organization is interested in pursuing self-certification under the Privacy Shield, be aware that any organization that self-certifies by September 30th has a nine-month grace period following their certification date to ensure that third parties with whom the organization shares EU personal data are subject to contracts meeting Privacy Shield requirements.



Todd Taylor

About Todd Taylor

Todd Taylor serves as a Member and co-leader of Moore & Van Allen's Commercial & Technology Transactions practice group, as well as its Privacy & Data Security group. Todd focuses his practice on outsourcing, licensing, data privacy and security, technology and supply chain matters.

