United States: EU And U.S. Release Terms Of Privacy Shield

The European Commission ("EC") and U.S. Department of Commerce ("DOC") recently released the full text of the EU–U.S. Privacy Shield framework. This release follows the February 2, 2016, announcement that EU and U.S. officials had reached an agreement to replace the recently invalidated Safe Harbor program (the "Safe Harbor") with a more robust and comprehensive transatlantic data transfer scheme.1

The details of the Privacy Shield were released as part of a 128-page package that includes an enumeration of the Privacy Shield Principles (the "Privacy Principles"), the terms of the new "Arbitral Model" that will be used to address certain unresolved data protection claims, and letters from various U.S. regulators.2 The EC also released a draft "adequacy decision" concluding that the Privacy Shield ensures an adequate level of protection for personal data transferred under its ambit and meets the standards of Directive 95/46/EC (the "EU Directive").3 Although the draft adequacy decision did not conclude as such, it can be legally assumed that the Privacy Shield meets the standards of the General Data Protection Regulation ("GDPR"), which will replace the EU Directive in two years after it is adopted. In particular, the EC emphasized the strengthened Privacy Principles, the increased transparency obligations imposed on participating companies, the new oversight and recourse mechanisms, and commitments from the U.S. government that surveillance will be limited to what is strictly necessary.

The Privacy Shield is the result of lengthy negotiations between EU and U.S. policymakers aimed at developing an alternative to the Safe Harbor, in which more than 4,000 U.S. companies participated in order to receive personal data from the EU. In October 2015, the European Court of Justice ("ECJ") issued a decision invalidating the EU Commission decision underlying the 15-year-old Safe Harbor. The ECJ concluded that the Safe Harbor failed to provide an adequate level of protection to personal data transferred from the EU to the U.S., largely due to concerns regarding the U.S. government's ability to access transferred personal data as well as the lack of judicial redress afforded to EU citizens.4

The new Privacy Shield maintains the annual "self-certification" system of the Safe Harbor. However, companies signing onto this voluntary framework must now certify their adherence to stricter, more extensive Privacy Principles, while also submitting to more robust transparency obligations and oversight mechanisms. A detailed overview of the new framework and its Privacy Principles is discussed below; however, the following highlights some of the key aspects of the Privacy Shield to which companies will be expected to adhere:

  • Publicly declare compliance with the Privacy Shield's Privacy Principles (discussed below) and publish their privacy policies that reflect the Privacy Principles;
  • Provide a suitable mechanism for data subjects to opt out if an organization plans to (i) disclose their personal data to third parties (other than processors/agents acting on the organization's behalf), (ii) use their personal data for a materially different purpose than for which it was originally collected, or (iii) use their personal data for direct marketing purposes;
  • Obtain data subjects' express consent before sharing their sensitive data with third-party recipients or using their sensitive data for a materially different purpose than for which it was originally collected;
  • Execute contracts with third-party processors obligating them to process data only for limited and specified purposes;
  • Develop policies to ensure that third-party processors handle personal data in accordance with the Principles and to correct any unapproved processing;
  • Have in place reasonable and appropriate data security measures that take into account the relevant risks and nature of the data;
  • Provide a suitable mechanism for data subjects to access their personal data and the ability to correct, amend, or delete such data; and
  • Establish a mechanism for organizations to respond within 45 days to complaints lodged by data subjects regarding their personal data.

Privacy Principles

Under the Privacy Shield's self-certification system, organizations must commit to a largely familiar set of Privacy Principles adopted from its Safe Harbor predecessor. The Privacy Shield, however, elaborates upon and strengthens the obligations contained in several Privacy Principles. In particular, organizations must commit to the following:

Notice. The Privacy Shield greatly expands the certifying organizations' obligation to notify individuals about their data collection practices. For example, organizations transitioning to the Privacy Shield must revise their privacy policies to notify individuals of new details, including, inter alia,

  • Whether the company is subject to the investigatory and enforcement powers of the FTC or other U.S. agencies;
  • That it will adhere to an independent dispute resolution body to address individual complaints;
  • The right of individuals to invoke binding arbitration against the company under certain circumstances;
  • Its obligation to disclose personal data to public authorities in compliance with lawful requests; and
  • Its responsibility and potential liability in cases of onward transfers to third parties.

Organizations must also make public their newly revised privacy policies, which must address and reflect the framework's Privacy Principles, while also providing individuals with links to the DOC's Privacy Shield website, the list of participating organizations the DOC publishes, and the website of the independent dispute resolution provider the organization utilizes. Because most consumer-facing U.S. organizations will comply with the Notice Privacy Principles through their online privacy policies, those companies seeking to participate in the Privacy Shield will need to revise their policies to reflect these new changes. Even if participating organizations do not collect consumer personal data, companies seeking to transfer their HR data or other non-customer data via the Privacy Shield must still comply with the publication requirement.

Choice. In addition to the enhanced notification requirements, participating organizations also must implement mechanisms that provide data subjects with varying levels of choice regarding the use and disclosure of their data. Organizations must offer data subjects the opportunity to opt out if the company plans to: (i) disclose their personal data to third parties (other than processors/agents acting on the organization's behalf); or (ii) use their personal data for a materially different purpose than that for which it was originally collected.

In the employment context, EU employers are ultimately responsible, under relevant national law, for providing their employees with choice when collecting their personal data. Once a U.S. organization has received employee data from the EU under the Privacy Shield, that participating organization may disclose it to a third party or use it for a different purpose only in accordance with the Choice and Notice Privacy Principles.

Organizations also must obtain individuals' "explicit" (i.e., opt-in) consent before disclosing their sensitive data to any third parties (including processors) or using their sensitive data for a materially different purpose. While there was some ambiguity with respect to the definition of "sensitive data" under the Safe Harbor, the Privacy Shield adopts the EU Directive's broad definition of "sensitive data."5 Thus, a data subject's affirmative, explicit consent is required, absent certain limited conditions, including, inter alia, when the processing of sensitive data is in the vital interests of the data subject or another person, necessary to establish legal claims or defenses, or required to provide medical care or carry out an organization's employment law obligations. Lastly, special rules apply to direct marketing, which generally allow data subjects to opt out at any time from the use of their personal data.

Accountability for Onward Transfers. The Privacy Shield tightens the permissible conditions for onward transfers to any third parties and holds self-certified organizations responsible for the conduct of their third-party processors/agents. Unlike the Safe Harbor, participating companies must now enter into contracts with third-party data recipients—whether that party is a separate data controller or a data processor (vendor)—obligating them to process data only for limited and specified purposes and to provide the same level of protections guaranteed by the Privacy Principles. The Onward Transfer Principle also effectively requires mechanisms for oversight of third-party processors by requiring participating organizations to: (i) take steps to ensure the processor handles the data in accordance with the Privacy Principles; and (ii) remediate any unauthorized processing by the processor.

Participating organizations now face potential liability for the processing actions of their processors (and sub-processors) unless organizations can prove they were not responsible for any damaged caused. Organizations should also be prepared to make available summaries or copies of the relevant privacy provisions in their contracts to the data subjects or the DOC upon request.

The Privacy Shield provides a carve-out for the "occasional employment-related operational needs" of a participating U.S. organization, "such as the booking of a flight, hotel room, or insurance coverage." In these situations, Privacy Shield companies need not enter into a contract with the third-party controller for transfers of data of a small number of employees (as is otherwise required by the Onward Transfer Principle), provided that the company complies with the Notice and Choice Privacy Principles.

Security. As they did in compliance with the Safe Harbor predecessor, organizations will need to demonstrate that they have in place "reasonable and appropriate" data security measures.

Data Integrity and Purpose Limitation. As noted above, organizations must ensure that data is (i) relevant and reliable for its intended purpose, and (ii) accurate, complete, and current. Absent consent, an organization may not process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorized by an individual.

Access. Organizations must implement mechanisms that provide data subjects with (i) access to the personal data processed about them, and (ii) the ability to correct, amend, or delete their personal data where it is inaccurate or has been processed in violation of the Privacy Principles. In the employment context, EU employers will typically provide such access as is required by law in their home countries, regardless of the location of the data. However, the Privacy Shield nonetheless requires participating U.S. organizations processing such data to cooperate with the EU employer in providing employees with access to their data.

Recourse, Enforcement, and Liability. This new Privacy Principle requires robust mechanisms to ensure compliance with the Privacy Principles and afford recourse to EU citizens whose personal data was processed in violation of the Privacy Principles. In particular, as more fully described below, organizations will be required to appoint an independent dispute resolution body that can resolve individual complaints, provide appropriate recourse, and even sanction noncompliant organizations.

As a practical matter, participating organizations must not only self-certify their compliance with these Privacy Principles but must also meet annual verification requirements either through self-assessment or outside compliance reviews. Under the self-assessment approach, organizations must attest in writing that their published privacy policies on EU personal data are accurate and have been fully implemented and that the company meets other obligations, including employee training on the privacy policies. Alternatively, organizations may elect to engage a third party to verify their compliance with and implementation of their published privacy practices, through auditing, periodic checks, or use of technology tools where appropriate. In either case, organizations must be prepared to supply their written verification statements to the DOC or EU data subjects upon request.

Individual Redress and Oversight Mechanisms

The new Privacy Shield requires participating organizations to put in place an effective redress mechanism for EU data subjects to lodge complaints directly with the organizations. The Privacy Shield specifically requires companies to establish a contact—either within or outside the organization—that will respond to any received complaint within 45 days and provide an assessment of the merits of the complaint and the actions taken to resolve it.

Most notably, organizations must designate an independent dispute resolution body that will not only be able to investigate and resolve individual complaints and provide appropriate recourse, but also sanction noncompliant organizations in a way that either provides for a reversal or correction of the noncompliant behavior or requires the termination of further processing and/or deletion of the personal data. If the organization fails to comply with the ruling of a dispute resolution body, the body must report this noncompliance to a U.S. authority with jurisdiction (e.g., the DOC and FTC) or a competent court.

Beyond the independent dispute resolution procedure discussed above, organizations are further required to respond to inquiries and other requests for information from the DOC, and possibly EU national data protection authorities ("DPAs"), relating to their adherence to the Privacy Principles. In this regard, participating entities must retain all records related to their implementation of the Privacy Principles and their privacy policies and make them available upon request of a government agency or independent recourse body in the context of an investigation or complaint about noncompliance.

Moreover, the DOC will conduct compliance reviews of self-certified organizations—including by sending detailed questionnaires—to verify that companies' privacy policies and practices conform to the Privacy Principles. In addition to general compliance assessments, these reviews will also be undertaken in response to specific complaints or when there is evidence that a participating organization is not complying with the Privacy Principles. Also, the Privacy Shield will allow EU data subjects to raise complaints of noncompliance by participating U.S. organizations directly with their national DPA, which can then channel those complaints to the DOC. Through this special procedure, the DOC will follow up with companies to facilitate resolution and liaise directly with the referring DPA on ongoing compliance issues.

Perhaps most remarkably, the Privacy Shield requires participating U.S. organizations to submit directly to the jurisdiction of foreign DPAs under certain circumstances. Specifically, when an EU citizen refers a complaint to his or her national DPA regarding noncompliance with the Privacy Principles, U.S. participating organizations are obligated to comply with the DPA's investigation and resolution of the complaint if: (i) it concerns processing of human resources-related data collected in the context of the employment relationship; or (ii) the company has otherwise voluntarily submitted to oversight by DPAs under the Privacy Shield.

In particular, these companies will be required to respond to any DPA inquiries, comply with advice given by the DPA (including remedial and compensatory measures), and provide the DPA with written confirmation of compliance with DPA orders. The inquiries and advice will be handed down by an informal panel of multiple DPAs in order to promote a more unified approach to compliance. The panel is expected to deliver advice within 60 days of receiving a complaint; if a company fails to comply with this advice within 25 days and has offered no satisfactory explanation for the delay, the panel will either (i) submit the matter to the FTC (or other competent authority) for a possible enforcement action, or (ii) inform the DOC that there has been a persistent failure to comply with the Principles, in which case the organization will be removed from the Privacy Shield.

Importantly, as highlighted by the ECJ when it invalidated the Safe Harbor, the Privacy Shield text also makes it clear that a DPA is entitled to suspend certain data transfers if it believes that an EU citizen's personal data transferred to an organization in the U.S. is not being afforded adequate protections. Moreover, even if a DPA to which a complaint has been addressed does not take any action where a complaint has been lodged, the individual data subject may challenge the DPA's decision (or lack thereof) in the national courts of his or her EU Member State.

Participating organizations also can expect increased FTC enforcement actions under the Privacy Shield. Past Safe Harbor-related enforcement actions were mainly limited to companies that continued to reference their participation in the Safe Harbor despite a certification that had lapsed. Under the Privacy Shield, the FTC will create a standardized referral process that gives priority consideration to referrals of noncompliance by independent dispute resolution bodies (or self-regulatory bodies), the DOC, and a relevant DPA (whether acting on its own initiative or upon individual complaints). The FTC will also accept complaints directly from individuals. Following an enforcement action, any settlement between the FTC and a Privacy Shield organization must include mandatory self-reporting provisions, and organizations will be required to make public any Privacy Shield-related compliance reports or assessments submitted to the FTC.

Finally, as a mechanism of "last resort," when an individual believes that none of the other available methods of redress have satisfactorily resolved his or her complaint, an EU data subject may compel a Privacy Shield-participating organization to submit to binding arbitration in the U.S. in front of a Privacy Shield Panel. The parties will be allowed to select a panel of one or three arbitrators from an available pool of arbitrators designated by the DOC and the EC. This Privacy Shield Panel will have the power to impose equitable (non-monetary) relief to remedy noncompliance with the Principles, and all decisions by the Panel will be enforceable by U.S. courts in the event a company fails to comply with its ruling. It should be noted, however, that arbitration may not be invoked against companies that have submitted to the jurisdiction of the relevant DPA—namely, those organizations that have either voluntarily committed to cooperating and complying with the advice of a DPA or are obligated to do so with respect to the processing of HR data collected in the employment context.

Increased Transparency

The DOC aims to be more rigorous in identifying companies that are noncompliant with the new framework's provisions and the self-certification requirements. As with the Safe Harbor, the DOC will make available a list of self-certified organizations. However, unlike the Safe Harbor, the DOC will: (i) publish a record of entities that have been removed from the list, along with the reason for such removal, and (ii) provide a link to a list of Privacy Shield-related FTC enforcement actions and cases, which will be maintained on the FTC website.

Further, when an organization is no longer a member of the Privacy Shield (e.g., voluntary withdrawal or failure to recertify), the DOC will be responsible for monitoring the organization to:

  • Ensure it has deleted any public statements to the Privacy Shield that imply its continued participation;
  • Refer the matter to the competent authority (e.g., the FTC) for possible enforcement actions if such organization continues to make false claims; and
  • Verify, through use of questionnaires, whether the data received under the Privacy Shield will be returned, deleted, or retained.

If the data will be retained, the organization must continue to apply the Privacy Principles to the data that was collected under the Privacy Shield even though it is no longer a participant. Moreover, the organization is required to appoint an individual to serve as an ongoing contact point for Privacy Shield-related questions. Note that in cases where the DOC has removed an organization from the Privacy Shield due to a "persistent failure" to comply with the Privacy Principles, that organization will be obliged to return or delete the personal data received under the Privacy Shield. In other cases of removal, the organization may retain such data if it annually affirms to the DOC its commitment to continue to apply the Privacy Principles to the previously collected data or otherwise provide adequate protection for the personal data by other authorized means such as EU standard contractual clauses.

Access by Public Authorities and Privacy Shield Ombudsman

In response to the perceived overreach of U.S. government surveillance, the Privacy Shield contains written assurances that government access to EU personal data for national security purposes is subject to clear conditions, limitations, and active oversight. In particular, the Privacy Shield incorporates Presidential Policy Directive 28 ("PPD-28"), which has a binding effect on U.S. intelligence agencies. PPD-28 requires collection and access to EU personal data by U.S. intelligence agencies to be "as tailored as feasible" rather than carried out on a "generalized basis." The U.S. has further agreed to limit bulk collection of personal data to what is strictly necessary and proportionate in order to achieve specific national security objectives.

EU citizens concerned about potential breaches of these binding commitments by the U.S. government can now refer their concerns to a newly appointed Privacy Shield Ombudsman, who will ensure that complaints have been properly investigated and will provide individuals with independent confirmation on whether U.S. laws have been complied with, or whether noncompliance has been remedied. EU citizens may even contact the Ombudsman about data transfers mechanisms other than the Privacy Shield, such as the standard contractual clauses or Binding Corporate Rules.

Access to the Ombudsman is just one of multiple redress possibilities now afforded to EU data subjects seeking to ensure their data privacy rights are protected in the event of U.S. government access. For example, the Judicial Redress Act6—signed into law just five days prior to the release of the terms of the Privacy Shield—allows EU citizens access to U.S. courts to bring certain civil actions against U.S. government agencies under the U.S. Privacy Act7 for violations of their data protection rights. Moreover, EU data subjects can assert (limited) claims regarding electronic surveillance under the Foreign Intelligence Surveillance Act,8 the Computer Fraud and Abuse Act,9 and the Electronic Communications Privacy Act.10 In addition, they can seek access to existing federal government records under the Freedom of Information Act,11 subject to certain exceptions. All of these redress possibilities are intended to assure the EU Commission that U.S. law affords EU data subjects appropriate protection.

Annual Reviews

Once the Privacy Shield is finalized, the European Commission and the U.S. will conduct joint annual reviews to monitor all aspects of the Privacy Shield and to ensure that access to data for law enforcement and national security purposes remains necessary and proportionate. Following each annual review, the Commission will submit a public report to the European Parliament and Council. Should the Commission determine that there are clear indications of U.S. noncompliance with the Privacy Principles or otherwise conclude that the national security exception does not ensure adequate protection, the Commission will notify the DOC and request that appropriate measures be taken within a reasonable timeframe to remedy noncompliance. If the U.S. cannot satisfy the Commission's requests within the time allotted, the Commission will initiate steps to partially or completely suspend the adequacy decision underlying the Privacy Shield. Alternatively, the Commission may amend the adequacy decision to impose additional requirements on organizations before they can transfer European data under the Privacy Shield.

The entry into force of the GDPR should not affect the validity of the Privacy Shield nor require an extensive review of the Principles, which to a large extent reflect (or sometimes even go beyond) the rules in the GDPR. For example, the annual review foreseen in the Privacy Shield goes beyond what is the new GDPR, which requires such reviews only at least every four years.

Next Steps for Implementation

The Privacy Shield does not yet have the force or effect of law in either the U.S. or the EU. In the EU, the full terms of the Privacy Shield will soon be subject to scrutiny by the Article 29 Working Party, which consists of representatives from all EU DPAs. The Working Party issued a statement on March 1, 2016, that it would publish its nonbinding opinion on the adequacy decision during its plenary meeting scheduled April 12–13, 2016. The adequacy decision would then be considered by the Article 31 Committee, a regulatory committee of EU Member State Representatives, which must approve the decision by a qualified majority before the Commission can finalize and adopt it.

Within 30 days of the Commission's final approval of the adequacy decision, the 128-page package containing the terms of the Privacy Shield will be published in the U.S. Federal Register, and soon after will become fully effective.

Practical Implications for Companies

The implementation of the Privacy Shield is still months away. Until its enactment, companies considering transitioning to the Privacy Shield still need to identify alternative methods to legally transfer personal data across the Atlantic, including the EU's standard contractual clauses or Binding Corporate Rules. Companies face considerable risk by taking a wait-and-see approach with the Privacy Shield without replacing the now-defunct Safe Harbor as their preferred data transfer mechanism. DPAs in Europe have threatened to take action against companies continuing to use the Safe Harbor for data transfers to the U.S.12

Organizations previously certified under the Safe Harbor will need to carefully assess the new terms of the Privacy Shield as well as their own privacy policies in order to determine how—and whether—to make their own privacy practices compliant with the new regime requirement. Organizations previously relying on the Safe Harbor also need to consider whether it makes good business sense to invest in the Safe Harbor recertification process pending implementation of the Privacy Shield. Although the transition from the Safe Harbor to Privacy Shield remains unclear, companies maintaining their Safe Harbor certifications may find an easier transition to the Privacy Shield once the new framework becomes effective. Given the overlap in Privacy Principles and the resemblance between the two frameworks, companies recertifying that they meet the obligations of the less-onerous Safe Harbor may be able to more quickly pivot to the Privacy Shield as a basis to transfer EU data outside of Europe, provided they can meet the Privacy Shield's more stringent requirements. Companies recertifying compliance with the Safe Harbor, however, will remain subject to FTC enforcement notwithstanding that they cannot rely on the old framework to legally transfer EU personal data across borders.

Once the Privacy Shield takes effect, the Privacy Principles apply immediately upon self-certification, and self-certifying companies can reasonably expect heightened regulatory oversight. Organizations that certify to the Privacy Shield within the first two months following the framework's effective date will be given a grace period of up to nine months to "bring existing commercial relationships with third parties into conformity with the accountability for onward transfer principle." However, during this grace period, organizations that transfer data to third parties must still apply the Notice and Choice Privacy Principles and must further ensure that third-party recipients can provide the same level of protection guaranteed by the Privacy Principles.


See Jones Day Commentary, " 'EU-U.S. Privacy Shield' to Replace 'Safe Harbor'" (Feb. 2016).

See U.S. Department of Commence EU-U.S. Privacy Shield.

3 See EU Commission Press Release (Feb. 29, 2016).

See Jones Day Commentary, " EU–U.S. Data Protection Safe Harbor: Not Safe Anymore" (Oct. 2015).

5  Article 8 of the Data Protection Directive 95/46/EC defines "sensitive data" as personal data revealing racial origin, political opinions, or religious or philosophical beliefs; trade-union membership; and data concerning health or sex life. At some point, this is likely to be extended to genetic data, biometric data, and data about sexual orientation, as those are also qualified as sensitive data in Article 9 of the GDPR.

6  Pub. L. No. 114-126 (2016).

7  5 U.S.C. § 552a.

8  50 U.S.C. § 1801 et seq.

9  18 U.S.C. § 1030.

10  18 U.S.C. § 2510 et seq.

11 5 U.S.C. § 552.

12  See Statement of the Article 29 Working Party on the Consequences of the Schrems Judgment (Feb. 3, 2016).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Mauricio F. Paez
Laurent De Muyter
Undine von Diemar
Similar Articles
Relevancy Powered by MondaqAI
Reed Smith
Lewis Brisbois Bisgaard & Smith LLP
Frankfurt Kurnit Klein & Selz
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Reed Smith
Lewis Brisbois Bisgaard & Smith LLP
Frankfurt Kurnit Klein & Selz
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions