March 21, 2016 -

Always Be Prepared: Privacy Shield Is Near

By Mary Kate Bonner and Andrew Baer

The United States government and the European Union are moving forward with the framework to enable transfers of personal data from the EU to the U.S. On February 29, the U.S. Department of Commerce released a draft of the EU-U.S. Privacy Shield Framework, which includes the Privacy Shield Principles that U.S. organizations must comply with if they want to receive personal data from the EU. On the same day, the European Commission released a draft of its adequacy decision, which is needed to establish that the Privacy Shield ensures an adequate level of protection for personal data transferred to participating organizations. While the adequacy finding is still under review and is yet to be approved, U.S. companies should prepare now to implement necessary measures to comply. The Commerce Department plans to accept submissions from organizations to self-certify their compliance as soon as the framework is approved across the Atlantic. This is expected some time mid-2016.

While those familiar with the now-invalidated Safe Harbor Framework will recognize many of the principles and requirements, there are several new provisions as well. The State Department, Commerce Department, and Federal Trade Commission each have implementing work ahead of them. U.S. organizations can prepare now to participate in the new Framework.

Transfers of personal data from the EU to the U.S. are currently permitted if the parties have agreed to Standard Contractual Clauses (SCCs) or, in the case of transfers between affiliates within multinational organizations, Binding Corporate Rules. SaaS providers hosting data, for example, would need to execute the SCCs with every client that has data transferred from the EU. The Privacy Shield Framework, like Safe Harbor before it, simplifies the legal process for data sharing. U.S. organizations that comply with the requirements of the Framework, including the Privacy Principles, listed below, can self-certify their compliance with the Commerce Department, and the parties will not need to execute the SCCs to permit the transfer. Before self-certifying, U.S. organizations should review their technical and organizational measures for data security to ensure that they can comply with the Privacy Principles, and implement any necessary changes, including updating privacy policies.

Self-certification requires annual re-certification. If a participating organization subsequently is removed from the list (whether voluntarily or as a result of U.S. administrative enforcement), it must delete all EU personal data received under Privacy Shield or annually affirm its continued commitment to the Privacy Principles.

Privacy Principles

1.  Notice – Organizations must provide individuals with information about the processing of personal data. This is typically found in privacy policies, often online or in employee handbooks or other human resources documents. The policy should specify what data is collected, how and why it is used, who else can access it, and what options individuals have. Privacy policies must also include links to the Commerce Department, the Privacy Shield list of participating organizations, and an appropriate dispute resolution provider to settle complaints concerning personal data (detailed below in the 7th Principle).

2.  Choice – Individuals can choose not to allow their personal data to be disclosed to third parties, to be used for a purpose other than the purpose it was collected for, and/or to be used for direct marketing. Organizations need to have a mechanism in place to allow individuals to opt out, and can notify individuals of this, along with contact information, in privacy policies. 

3.  Security – An organization’s data security practices must be “reasonable and appropriate” in light of both the data itself (including the sensitivity of the type of data) and processing activities (e.g., storage, onward transfer, modification, or merging with other data). 

4.  Data Integrity and Purpose Limitation – Following up from the first principle, requiring that individuals be notified about the purposes for processing their personal data, organizations may only process personal data for those stated purposes. Organizations must also continuously ensure the accuracy and completeness of the data. 

5.  Access – Organizations must provide individuals with access to their personal data and correct, amend, or delete it as appropriate. 

6.  Accountability for Onward Transfer – Organizations that use subcontractors to process data must contractually require that the subcontractors ensure that personal data is provided a level of protection at least as robust as the protection in the Privacy Principles. If a subcontractor is non-compliant, the organization will be liable for the non-compliance unless it can overcome such presumption and prove that it was not responsible. This is a shift in the presumption from the Safe Harbor Framework. Organizations should continuously monitor their subcontractors and maintain up-to-date records of any audits and other monitoring and enforcement measures. 

7.  Recourse, Enforcement and Liability – Organizations are responsible for ensuring their own compliance with the Privacy Principles. This includes ongoing training of employees about the organization’s privacy policies and engaging in periodic reviews, either through self-assessment or outside compliance reviews. In the event that an individual objects to the organization’s processing of such individual’s personal data, the organization must have in place effective mechanisms to address such complaints. All complaint resolution mechanisms provided by an organization must be specified in the organization’s privacy policy.

  • The first point of contact for handing complaints is an individual, typically within the organization, designated as handling complaints. When a complaint is submitted to the designated contact, such contact must provide a substantive response within 45 days. Under Safe Harbor, there was no deadline to respond.
  • If the complaint continues unresolved, the individual may turn to the independent dispute resolution body or self-regulatory privacy organization that the organization has designated for handling such unresolved complaints. This must be provided at no cost to the individual.
  • Individuals also have the option of turning to the Data Protection Authority (DPA) in the applicable country. The DPA will work with the Commerce Department or FTC, each with responsibilities to regulate organizations and enforce Privacy Shield, to resolve the complaint.
  • Organizations can choose to cooperate with DPAs in the EU, though if the data at issue is human resources data in the context of an individual’s employment, this is not optional; the organization, as the employer, must cooperate with the DPAs for resolution. Organizations that cooperate with the DPAs for resolution (regardless of the category of data) must follow their guidance and recommendations. DPAs have authority to suspend transfer of the data, if necessary, and the organization will be subject to EU jurisdiction for legal challenges to the processing of such data in the U.S.
  • If no other route resolves a complaint, individuals may opt for binding arbitration in front of a Privacy Shield Panel. The Commerce Department and European Commission will have a pool of designated arbitrators, and the unresolved complaint will be heard by a panel of three arbitrators. The Commerce Department will establish a fund for arbitral cost, which will be paid into annually by organizations participating in Privacy Shield. The amounts to be paid by each organization will vary based on, in part, the size of the organization, and may be modified as a result of annual review. This fund will not cover attorneys’ fees, and the arbitration will only provide non-monetary equitable relief, such as requiring the correction of data.

While many of the changes from the Safe Harbor Framework found in the Privacy Shield Framework are in oversight and enforcement, organizations can prepare themselves now to comply with these requirements to receive personal data from the EU. Organizations compliant with Safe Harbor may not have too much work ahead, but this time before Privacy Shield goes into effect is an opportunity to review policies and practices, update them as needed, and ensure the organization’s compliance.

For any questions on how this may impact your business, or for assistance with Privacy Shield, such as updates to privacy policies or self-certification, you can contact Mary Kate Bonner ( or Andrew Baer ( Baer Crossey McDemus will present a free webinar on April 19, 2016, so stay tuned for more information.