The Early Days of the EU-U.S. Privacy Shield: Should Your Organization Self-Certify?

On August 1, 2016, the U.S. Department of Commerce began accepting self-certification applications for the new EU-U.S. Privacy Shield Framework. In the month that has followed, over 100 companies (including Microsoft, Oracle and Salesforce, among others) have self-certified that they are in compliance with the EU-U.S. Privacy Shield.

Now that the Privacy Shield is in effect and gaining acceptance, it is a good time for companies to examine whether the Privacy Shield makes sense for them. To answer that question, it is important to understand some basic facts about the Privacy Shield and the benefits (and detriments) of seeking its protection.

What is the Privacy Shield?

The Privacy Shield is a framework agreed to by the U.S. Department of Commerce and the EU Commission for movement of personal data from the European Union to the United States in a legally compliant manner.

Under the laws of the EU and its member states, data can only be transferred outside of the European Union to jurisdictions that are deemed to have an “adequate” level of data protection.  The U.S. is not deemed to have an “adequate” level of data protection by the EU.  However, the EU Commission has determined that compliance with the Privacy Shield meets the EU’s adequacy requirements for data transfers.  Consequently, personal data can be transferred from the EU to the U.S. to an entity that is complying with the principles of the Privacy Shield, and publicly certifies its compliance by making a filing with the U.S. Department of Commerce.

The Privacy Shield replaced the U.S.-EU Safe Harbor, which was an earlier accord between the Commerce Department and the EU Commission for data movement.  On October 6, 2015, the European Court of Justice struck down the Safe Harbor for various failings.  The Privacy Shield is designed to address some of the shortcomings that were present in the earlier Safe Harbor.

Who is Eligible to Participate in the Privacy Shield?

Not all U.S. entities are eligible to participate in the Privacy Shield.  Only companies subject to regulation by the Federal Trade Commission or the Department of Transportation are eligible to participate.   For instance, banks and telecommunication providers would not be eligible to participate in the Privacy Shield as they are not subject to FTC or DOT regulation.

What are the Requirements of the Privacy Shield?

In order to participate in the Privacy Shield, an organization must (among other things):

  • Maintain a publicly available privacy policy that complies with the Privacy Shield.  Note, if only your organization’s human resources data will be subject to the Privacy Shield, only employees will need to have access to your privacy policy.
  • Self-Certify to Privacy Shield compliance annually (via a Commerce Department website).
  • Comply with seven core privacy principles and sixteen supplemental privacy principles.  The seven core principles address:
  1. Notice — e.g., the data subject is informed about the organization’s participation in the Privacy Shield and how their data is accessed and used;
  2. Choice — subject to exceptions, the data subject has an ability to determine whether third parties may access their data or whether their data may be used for purposes other than those for which it was originally collected;
  3. The organization’s accountability for onward transfers of data;
  4. Security — an organization must take reasonable and appropriate measures to protect data;
  5. Data Integrity and Purpose Limitation — personal information must be limited to information that is relevant for the purposes of processing, personally identifiable information may be retained only for as long as it serves a purpose for processing (subject to certain exceptions), and an organization must take reasonable measures to ensure that personal data is reliable, accurate, complete, and current;
  6. Access — an organization must allow individuals (subject to exceptions) to access their data for purposes of ensuring accuracy and compliance with the principles; and
  7. Recourse, Enforcement and Liability – an organization must be subject to free and accessible dispute resolution mechanisms regarding complaints from data subjects.

What are the Benefits of the Privacy Shield?

By complying with the Privacy Shield, a company is deemed to have adequate measures in place to protect personal data in accordance with requirements of the law of the EU and its member states. An organization that is compliant with the Privacy Shield can avoid other potentially more costly and time-consuming mechanisms that are used for legally transferring data from the EU to the U.S., such as Binding Corporate Rules and Standard Contractual Clauses. The use of the Privacy Shield also avoids the need to obtain data transfer approval from Data Protection Authorities of EU member states.

Are there any Drawbacks to the Use of the Privacy Shield?

An organization participating in the Privacy Shield will have to pay an annual fee to the Commerce Department.  The fees range from $250.00 to $3,250.00 depending on the size of the organization.

Failure to comply with the Privacy Shield may be deemed an unfair and deceptive trade practice under Section 5 of the Federal Trade Commission Act, and a non-complying organization may be subject to an FTC enforcement action.

While the Privacy Shield has addressed many of the deficiencies that the European Court of Justice identified with the Safe Harbor, the Privacy Shield may still be subject to legal challenge in the EU.  Additionally, Data Protection Authorities in some EU member states have already expressed concerns about the Privacy Shield.

Should Your Organization Self-Certify Under the Privacy Shield?

The Privacy Shield may be appropriate for your organization if it works extensively with personal data originating from the European Union, and if it wants to avoid the time and expense of seeking approval for Binding Corporate Rules or negotiating with multiple parties with respect to contracts containing Standard Contractual Clauses.  If your organization already maintains Binding Corporate Rules or Standard Contractual Clauses, the Privacy Shield certification may not be worth pursuing.

If your organization is interested in pursuing self-certification under the Privacy Shield, be aware that any organization that self-certifies by September 30th has a nine-month grace period following their certification date to ensure that third parties with whom the organization shares EU personal data are subject to contracts meeting Privacy Shield requirements.

