The Privacy Shield is a new framework for the transfer of personal data from the EU to the US in compliance with EU privacy requirements.
European law restricts transfers of personal data to recipients in countries that have been found to have “adequate” privacy protections. The US is not one of those countries. Thus, US companies that transfer personal data from the EU to the US without using a lawful mechanism violate EU law. In 2000, the European Commission and the US government established the “Safe Harbor” framework for these data transfers. Companies that self-certified adherence to the Safe Harbor framework could freely transfer personal data from the EU to companies in the US. Thousands of companies took advantage of the Safe Harbor.
After the Snowden revelations, the European Commission and US authorities discussed a new framework that would address the Commission’s demands that these transfers be adequately protected from access and use by the US Intelligence community. After the negotiations were well under way, a separate legal challenge to the Safe Harbor was mounted. On October 6, 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbor on the grounds that the original Commission’s adequacy decision (1) impeded member state Data Protection Authorities from investigating complaints involving data transferred under the Safe Harbor and (2) didn’t protect EU individuals’ personal data from surveillance by US intelligence agencies. The decision immediately created significant legal uncertainty and forced thousands of companies that relied on Safe Harbor to identify and implement an alternative legal data transfer mechanism.
As a result, the European Commission and the US negotiators broadened their discussions to address the CJEU ruling. On July 12, 2016, the European Commission adopted its adequacy decision, finding that EU-US data transfers could proceed under the Privacy Shield, which ensures an adequate level of protection for these transfers.
The Privacy Shield only applies to EU-US data transfers. It does not apply to data processing in the EU.
Q: Is Privacy Shield open to any company?
The Privacy Shield is available only to companies subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT).
Q: What are the Privacy Shield’s key requirements?
Companies must self-certify to the US Department of Commerce their commitment to comply with the principles governing personal data handling. These principles include:
- abiding by enhanced restrictions on onward transfers of data to third parties;
- complying with specific data retention requirements and new accountability requirements for data security obligations;
- providing individuals with certain options regarding how their data will be handled and ensuring they can access their data; and
- offering new recourse mechanisms for complaints.
There are additional requirements for certain types of data, including human resources data and data collected by pharmaceutical and medical device companies.
Q: What are the key differences between the Privacy Shield and Safe Harbor?
It is important to understand that the Privacy Shield is not a repackaged version of the Safe Harbor. Key changes include greater transparency, accountability for sharing data with third parties, new dispute resolution mechanisms, and penalties for noncompliance. The Privacy Shield also has stronger monitoring and enforcement by US authorities, including increased cooperation with European Data Protection Authorities, and a joint annual review by the European Commission and the US Department of Commerce.
Q: Do companies have to use the Privacy Shield?
No. The decision to use the Privacy Shield is voluntary. Companies may use other data transfer mechanisms, such as model contractual clauses, that are approved by the European Commission. However, the validity of model contract clauses is currently being considered by the Irish High Court, with a likely referral to the CJEU.
Q: What do companies need to do to join the Privacy Shield?
The Privacy Shield is a self-certification system. To join, companies must provide a submission to the US Department of Commerce. Once it is reviewed and approved, the Department of Commerce will add the company to the list of participants posted on the Privacy Shield website (www.privacyshield.gov).
Before self-certifying, companies should assess their ability to comply with the Privacy Shield’s requirements and carefully review their current data handling practices and programs.
Q: Why should companies care?
US businesses that seek to transfer personal data from the EU to the US must have a legal mechanism in place to do so. The Privacy Shield is a streamlined mechanism for these data transfers with greater flexibility compared to other options.
Nonetheless, the Privacy Shield imposes substantial requirements on participants and may not be a data transfer solution for all companies. Businesses should discuss the pros and cons of Privacy Shield with their privacy counsel.
Q: Could the Privacy Shield be challenged?
Yes. Irish and French privacy advocacy groups recently filed challenges with the General Court of the CJEU. The General Court may reject the complaints on the grounds that the advocacy groups have not been directly and individually harmed. It is likely that further challenges to the Privacy Shield will be brought before Data Protection Authorities and member-state courts, though only a decision of the CJEU could invalidate it. However, the EU and US negotiators, acutely aware of this possibility, made a concerted effort to integrate enhanced safeguards to minimize the potential that the Privacy Shield will suffer the same fate as the Safe Harbor.
About Goodwin’s Privacy & Cybersecurity Practice
Goodwin’s Privacy & Cybersecurity Practice, established formally in 2004, leverages the firm’s core strengths, collaborating across the firm’s highly regarded technology, financial industry, licensing, litigation, investigations, regulatory, and appellate practices. This unique approach, focusing on client needs and value, enables us to engage specialists whose experience and leadership are framed by a holistic understanding of the nature and importance of information to modern enterprises. For more information about this update, or for other assistance regarding privacy and data security matters, please contact Brenda Sharton (Co-Chair, Privacy & Cybersecurity), Lynne Barr (Co-Chair, Privacy & Cybersecurity), Karen Neuman (Privacy lead in the D.C. office), or any member of the Goodwin Privacy & Cybersecurity practice.