March 1, 2016

European Commission Releases Details of EU-U.S. Privacy Shield

The European Commission released its long-awaited draft adequacy decision for the EU-U.S. Privacy Shield, a major step towards the formal approval of the program that is to replace the invalidated Safe Harbors program. The release follows commitments by U.S. authorities to monitor and enforce the principles of the Privacy Shield. Adoption of a final decision could happen as early as Summer 2016. Once formally adopted, the program is likely to serve as an important data transfer mechanism option for the more than 4,000 U.S. companies that had been Safe Harbors participants, as well as for other American companies looking for a mechanism that will allow them to receive transfers of data from Europe.

On February 29, 2016, the European Commission and the U.S. Department of Commerce each released materials detailing the EU-U.S. Privacy Shield (the “Privacy Shield”), the program that will replace the Safe Harbor framework that was invalidated by the October 6 Schrems decision of the European Court of Justice.

Among the key differences between the Privacy Shield and Safe Harbors, the Privacy Shield will impose stronger obligations on companies in the U.S. to protect the personal data of residents of the countries that comprise the European Economic Area (“EEA”). It requires stronger monitoring and enforcement by U.S. authorities, including through increased cooperation with the data protection authorities (“DPAs”). This arrangement also includes commitments and assurance by the U.S. authorities that its access to personal data transferred under the new arrangement will be subject to clear conditions, limitations and oversight.

The Privacy Shield is based upon the following principles which are remarkably similar to the seven principles that formed the foundation of Safe Harbors:  notice; choice; accountability for onward transfers; security; data integrity and purpose limitation; access; and recourse, enforcement and liability. The Privacy Shield also introduces an additional 16 supplemental principles, which include principles regarding sensitive data, journalistic exceptions, human resources data and performing due diligence and conducting audits.

The European Commission released a draft adequacy decision, a communication presenting recent developments since it issued its 13 recommendations regarding the EU Safe Harbor in 2013, a fact sheet and a FAQ. The draft adequacy decision is the proposed determination by the European Commission that U.S. participants in the Privacy Shield provide an adequate level of protection of personal data. With the exception of Safe Harbors and now the Privacy Shield, all other adequacy determinations have been made with respect to particular countries. It is important to note that the United States itself still has not been determined to be a country that provides adequate protection to personal data. The Commission’s draft adequacy decision would only apply to American companies that are registered Privacy Shield participants.

The draft adequacy decision must be approved by the comitology procedure, which involves a non-binding opinion from the Article 29 Working Party (expected in the coming weeks), a binding opinion from the EU Member State representatives, and a formal adoption of the adequacy decision by the EU College of Commissioners, the last expected perhaps as early as June. The European Parliament and the European Council may request that the Commission amend or withdraw the adequacy decision at any time prior to its adoption. In the meantime, on this side of the Atlantic, U.S. officials will make the necessary preparations to put in place the new framework and requisite monitoring and ombudsperson mechanisms.

While the Commission’s release was met with criticism from some privacy advocates who have questioned whether the Privacy Shield adequately addresses the deficiencies in Safe Harbors that led to its invalidation, there is now strong momentum for a binding data transfer safe harbor for U.S. companies. Compliance with the new arrangement, however, will require greater privacy transparency for certified entities, enhanced dispute resolution mechanisms, and conformity of subcontracting agreements with the principles. Companies that expect to pursue certification should consult their privacy counsel to discuss the details of the Privacy Shield and analyze how it compares with the other options for legitimizing cross-border data transfers from the EEA to the United States. In addition, it seems that it will be at least several more months before companies will be able to register for the Privacy Shield. During that time, it will be essential to continue to ensure that data transfers are legitimized through other mechanisms, such as agreements based upon the model clauses.

Goodwin Procter’s data, privacy and cybersecurity team will continue to monitor developments as they occur and will provide updated information on the new Privacy Shield program as it becomes available. In the meantime, if you have any questions about the program, please feel free to reach out to any member of our privacy and cybersecurity team. You can also read our previous client alerts on the Privacy Shield framework and the invalidation of the Safe Harbor program.