On July 12, after negotiating certain modifications with the U.S., the European Commission approved the new Privacy Shield framework, which will replace the Safe Harbor framework invalidated by the European Court of Justice in 2015. The elimination of Safe Harbor cast into doubt the legality of storing, accessing and using the personal data of E.U. residents (e.g., companies’ customers, users, and employees located in the European Economic Area) in the U.S., where the permissive privacy laws and risk of indiscriminate surveillance by national security agencies are thought to conflict with fundamental rights recognized under the E.U. charter. During the interim period while Privacy Shield was being developed and negotiated, many companies with U.S. vendors and partners relied on the Standard Contractual Clauses (SCC’s) (which must be annexed to third-party contracts without modification) to provide legal grounds for the transfer of European data to the U.S. Now that Privacy Shield has been approved, self-certification of Privacy Shield compliance with the U.S. Department of Commerce (DOC) should establish the legality of data transfers without the need to use the SCC’s. The DOC will start accepting self-certifications on August 1, 2016. However, due to the fact that Privacy Shield will likely be challenged in European courts just as Safe Harbor was, some companies may prefer to continue to rely on the SCC’s or adopt a layered approach by using both the SCC’s and Privacy Shield self-certification.
With the advent of Privacy Shield, U.S. companies will be able to file with the DOC self-certifications of their compliance with the Privacy Shield principles, which include notice of data processing, disclosure and usage practices (including limitation of data processing to certain purposes), personal access to data and choice, security, measures for verifying compliance, limited data retention, limitation and controls on data transfers to third parties, and recourse and liability for unauthorized processing. These principles and an explicit reference to Privacy Shield compliance must be reflected in the U.S. company’s publicly available privacy policies, which must also include links to the DOC Privacy Shield website and the website or online complaint submission form of the independent dispute resolution mechanism the U.S. company selects to resolve complaints from the E.U. that are not successfully resolved internally. Each Privacy Shield-certifying organization must designate (i) an internal contact for the handling of questions and complaints regarding Privacy Shield, who must respond to an individual within 45 days of receiving an inquiry, and (ii) an independent dispute resolution mechanism (which may be a private organization such as TRUSTe, the Direct Marketing Association, the American Arbitration Association, JAMS, or the Council of Better Business Bureaus) to resolve remaining complaints at no cost to the individual. (As an alternative to (ii), the U.S. company may state its intent to comply with inquiries and directives from European data protection authorities with respect to all types of data, but this approach could involve a heavy regulatory burden.)
Additionally, if the U.S. company transfers the personal data of E.U. individuals onward to vendors and other third parties, it must conclude a contract with each third party containing certain minimum terms, such as terms limiting the processing of the data to what the individuals have consented to, holding the third party to the same privacy standards promised by the Privacy Shield-certifying company, and requiring the third party to notify the certifying company if it can no longer meet its obligations. Thus, Privacy Shield self-certification may require updating not only a company’s privacy policies but also its third-party contracts. NOTE: organizations that self-certify within the first two (2) months will have nine (9) months to bring existing third-party contracts into compliance. If a company self-certifies outside of this two-month window, then it must have updated its existing contracts by the date of certification.
U.S. companies with operations, employees, customers or users in the E.U. (for example, a SaaS vendor servicing either a European company or a U.S. company with European offices) should seriously consider self-certifying to Privacy Shield. However, as discussed above, some preparation and self-assessment will be necessary prior to certification, such as assessing the company’s current practices and verifying its ability to comply with Privacy Shield, updating its privacy policies and vendor contracts, and selecting and registering with an independent dispute resolution provider. Companies with international connections or relationships should consult with privacy counsel regarding the requirements, benefits and costs of Privacy Shield compliance. For more information, please contact Andrew Baer at firstname.lastname@example.org.