European Commission Approves Privacy Shield, Ushering in ‘Safe Harbor 2.0’

By JJ Bollozos, Joseph D. McClendon, and Daniel L. Farris

For thousands of U.S. companies left in limbo after the invalidation of Safe Harbor last year, relief has finally arrived.  The European Commission (“EC”) formally approved and adopted the new trans-Atlantic Privacy Shield data transfer pact on Tuesday, opening the door for new certification and EU-US data transfers. 

The EC’s decision comes a week after EU member states approved the deal, and established that the Privacy Shield ensures an adequate level of protection for personal data transferred from the EU to the US.  The EC’s decision takes immediate effect.  In the United States, however, the framework will be published in the Federal Register, and companies will be able to begin self-certifying Privacy Shield compliance to the Department of Commerce on August 1st. 

The revised Privacy Shield deal was reached after the initial draft, released in February, was met with sharp criticism in Europe.  Since then, EU-US negotiators have strengthened the independence and authority of the US ombudsman, clarified how and when “bulk” data collection may be permitted (and how it differs from mass surveillance), and added detail to the requirements placed on corporations, such as the obligation to delete personal data that is no longer necessary for processing purposes.  These changes cleared the way for EU member state and EC approval.

Leaders in the US and Europe both lauded the new agreement.  "The EU-U.S. Privacy Shield has enormous potential," European Commissioner Vera Jourova said on Tuesday. "By protecting fundamental rights of individuals when their personal data is transferred from Europe to the U.S., and by giving renewed legal certainty to companies that rely on such transfers for their work, the Privacy Shield will strengthen the transatlantic economy and reaffirm our shared values."  Department of Commerce Secretary Penny Pritzker praised the deal as “a milestone achievement” that protects privacy for consumers and creates regulatory compliance certainty for companies in the US and Europe.

Despite the fanfare, the deal is not without its critics.  Max Schrems, the Austrian law student whose lawsuit ultimately led to the invalidation of Safe Harbor, has already threatened a new legal challenge.  For companies left in limbo while the US and EU negotiated the Privacy Shield deal, utilizing the new framework is an obvious short-term solution.  Should a challenge to the Privacy Shield end up before the European Court of Justice, there is no guarantee that Privacy Shield will survive.  The ECJ could very well find the same adequacy failings with Privacy Shield as it did with Safe Harbor – a decision that was based less on company compliance and more on US surveillance programs. 

For companies that have not taken steps to implement model contract clauses or binding corporate rules, Privacy Shield is the only option for compliance.  And while model contract clauses and binding corporate rules tend to be more costly and do not provide absolute protection against claims or enforcement actions, regulators in both the EU and US have made clear that taking no action in response to Safe Harbor's invalidation will not be viewed favorably.  The same may be true with Privacy Shield, so companies should consider whether a layered approach to compliance is appropriate.

For a primer on just what the Privacy Shield is, and how it may affect your company, please read more below.  For assistance in understanding how the new EU-U.S. Privacy Shield may affect your company and its privacy and data security compliance programs, please contact the author or a Polsinelli Privacy and Data Security team member.

What is the EU-U.S. Privacy Shield?

The Privacy Shield is the new agreement that gives companies a legal basis to transfer personal data between the U.S. and the European Union (EU) for commercial purposes. The need for this agreement stems from the EU’s stringent data protection requirements, which prohibit the transfer of personal data to countries outside the EU unless the destination country has “adequate” data protection laws. The European Commission is the authoritative body that determines whether a country’s laws are adequate. The adoption of the Privacy Shield is the determination that transfers of data to U.S. companies in compliance with the Privacy Shield provisions are adequate and, therefore, permitted under EU law.

What are the implications of the Privacy Shield on U.S. Companies?

The Privacy Shield has implications for both U.S. companies and the U.S. government. While the full text has not yet been published, the Department of Commerce and the European Commission have provided some guidance as to what will be required of U.S. companies wishing to participate in the Privacy Shield:

  • Each company must register with the Department of Commerce to join the Privacy Shield Framework starting August 1, 2016:
    • They must publicly self-certify that they meet and will continue to meet the data protection standards outlined in Privacy Shield;
    • They must renew their self-certification annually.
  • Each company must abide by the data protection standards in the agreement, such as:
    • Enhanced rights for individuals whose data they collect;
    • Limitations on what data can be transferred; and
    • Compliance with new data retention rules.
  • Each company must maintain an adequate privacy policy, which should include:
    • Language outlining its commitment to the Privacy Shield, along with other required language; and
    • Notice informing individuals of their right to access their personal data and of how their data may be disclosed to third parties (including relevant authorities).
  • Each company will be subject to monitoring and enforcement by the Department of Commerce and the Federal Trade Commission.
  • Each company must establish procedures to receive and redress complaints from individuals, including:
    • Providing free avenues of recourse to individuals (including participating in binding arbitration).
  • Each company must institute additional safeguards and notice requirements with regard to transferring data to third parties.