On July 12th, the European Commission gave final approval to the EU-US Privacy Shield program for the transfer of personal data from the European Union to the United States by companies that voluntarily choose to participate in the new program. The U.S. Department of Commerce, which negotiated the agreement with EU officials, is expected to begin accepting companies into the program beginning August 1st. The Department of Commerce has not yet announced the fees for participating in the new program.
The Privacy Shield program replaces the EU US Safe Harbor program, which effectively ceased to be a recognized basis for transferring personal data from the EU to the US following an adverse decision by the European Court of Justice in October 2015. Privacy Shield can be used by eligible participating U.S. organizations to facilitate the transfer of personal data from the 28 European Union Member States as well as Norway, Iceland and Liechtenstein to the United States.
Requirements for participation in the Privacy Shield program have been modified since the Privacy Shield was first announced in February 2016. The Privacy Shield program continues to be voluntary and continues to build on the old Safe Harbor program. The Privacy Shield program is organized around seven primary principles (Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; and Recourse, Enforcement and Liability) as well as a series of supplemental principles. Additional information can be found in our prior client alert following the announcement of the Privacy Shield program in February.
European data protection authorities and others, however, expressed concern that the original terms of the Privacy Shield program were not sufficiently rigorous. As a result, EU officials and the Department of Commerce made changes to the original Privacy Shield proposal. Among the changes are:
- additional requirements for the onward transfer of personal data from a Privacy Shield participating organization to third parties;
- a new data retention limitation which provides, with certain exceptions, that personal data may only be retained for as long as it serves a purpose of processing compatible with the purposes for which it was originally collected or for which processing was subsequently authorized by the individual; and
- changes to the Privacy Shield program’s governmental assurances regarding the bulk collection of data by the U.S. government and the independence of the ombudsperson created to handle complaints about government surveillance activities.
Companies that choose to self-certify for participation in the Privacy Shield program are expected, with one limited-time exception, to be in full compliance at the time they self-certify. Companies that self-certify for Privacy Shield during the first two months will have additional time (not to exceed nine months from the organization’s self-certification date) to bring their contracts involving the onward transfer of personal information to third parties into compliance with the new Privacy Shield requirements. During this transition period, however, certain interim steps must be taken, such as ensuring that contractors provide at least the same level of protection as required by the Privacy Shield Principles.
Companies considering participation in the Privacy Shield program will need to consider when to join the new program. For some organizations, the additional time to bring partner contracts into compliance with the new onward transfer requirements may be a significant incentive to sign up early for the new program. Other organizations may prefer to wait to see if the new program survives the expected legal challenges in the EU, although it may take several years for such challenges to work their way to the European Court of Justice, which was the court that effectively struck down Safe Harbor.
Whether it makes sense for an eligible organization to participate in the Privacy Shield program depends on a number of factors. AGG can assist clients in evaluating whether to participate in the Privacy Shield program. For organizations that do want to participate, AGG can help them develop a Privacy-Shield-compliant privacy statement, institute a program for handling any onward transfer needs and contracts, select an enforcement mechanism, develop employee training, and institute other elements of a Privacy Shield compliance program.