On July 27, 2016, the Department of Commerce (DOC) finally released its Privacy Shield Website for U.S. organizations looking to enjoy the same protections that they previously enjoyed under the Safe Harbor program for EU-U.S. data transfers. The new Privacy Shield Website may be accessed here: https://www.privacyshield.gov/welcome.

For those that previously used the Safe Harbor program, many of the requirements and principles will look familiar. Organizations may begin self-certifying as of August 1, 2016. As discussed further below, there is a nine-month "step-up" incentive (a grace period for conforming third-party contracts) for those that self-certify by September 30, 2016.

Before applying, all organizations should carefully and thoroughly review the new requirements. 1 Applicants should also keep in mind that compliance will only become more rigorous with the EU's recent adoption of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which applies from May 25, 2018. 2

On a practical level, organizations should look at the following requirements immediately, particularly as implementation will likely be time-sensitive:

  1. Designating a corporate representative for "all things Privacy Shield" 3 – This requirement will surprise many organizations and can create a real time crunch, as it may take substantial time to find data privacy expertise in the current market.
  2. Detailed disclosures, including on third-party and automated processing – The notice and disclosure requirements are very specific, unlike what many U.S.-based organizations are used to. For example, the required disclosures include "the type or identity of third parties to which it discloses personal information, and the purposes for which it does so." 4 This can be particularly problematic when third parties later want to use the data for another purpose, which is not atypical in the U.S. 5
  3. Broader definitions of "sensitive personal information (PI)," and a more frequent need for "affirmative express consent" 6 – If the applicant is already entrenched in the generally more forgiving data practices of the U.S., changing its disclosure and consent processes can be very time-consuming and expensive.
  4. Specific requirements for "onward transfers" and third-party processors – There are increased accountability and documentation requirements for controllers, 7 including when data is transferred to recipients who claim to be "mere processors." 8 An organization that self-certifies by September 30 will have nine months to bring its third-party contracts into conformity, but its own obligations are immediate. 9
  5. Subject access and rectification – Organizations must give data subjects access to their personal data and, where appropriate, provide free-of-charge means for them to correct, amend or delete it. 10 Note that this is not the same as Europe's "right to be forgotten," which is a broader erasure right under EU law.
  6. Audits for compliance – Organizations may choose in-house or outside audits to verify "that the attestations and assertions they make about their Privacy Shield privacy practices are true and those practices have been implemented as represented." 11 However, the in-house approach requires a statement signed by a corporate officer or other authorized representative, and it appears that this may expose the signer to personal liability. 12
  7. Applicants agree to provide independent, free-of-charge recourse mechanisms for data subjects with complaints 13 – Organizations should carefully consider how the dispute process will work for them in practice before selecting and designating a mechanism.
  8. Involvement of EU DPAs – Applicants must commit to "cooperat(ing) with European Union data protection authorities (DPAs)." 14 The full meaning of "cooperation" remains to be seen, although for human resources data collected in the employment context, it appears that applicants will be subjecting themselves directly to the authority of the DPAs. 15
  9. Privacy Shield applies immediately – Even with the nine-month grace period for third-party contracts (as opposed to first-party obligations), the program requires the applicant to implement the Notice and Choice principles immediately. The applicant must also make sure that its agents are "obligated to provide at least the same level of protection as is required by the Principles." 16
  10. There are additional requirements for certain types of information and industries. 17

As implementing the Privacy Shield can be very expensive – particularly for applicants that do not already have procedures in place from a previous Safe Harbor certification – applicants must take a hard look at the requirements. Given how hard both sides of the Atlantic fought for the new program, one should expect the DOC and the Federal Trade Commission to police Privacy Shield participants rigorously, particularly during what the Article 29 Working Party has dubbed the "trial period" over the next few months. The DOC will be eager to prove to the EU that it can do its part in enforcing "equivalent safeguards." Trans-Atlantic organizations must act and adjust accordingly.

Footnotes

1 https://www.privacyshield.gov/article?id=Requirements-of-Participation.

2 See Article 29 Working Party, Press Release dated July 26, 2016, available at: http://ec.europa.eu/justice/data-protection/article-29/press-material/press-release/art29_press_material/2016/20160726_wp29_wp_statement_eu_us_privacy_shield_en.pdf.

3 U.S. Businesses, How to Join Privacy Shield, Self-Certification Information: https://www.privacyshield.gov/article?id=Self-Certification-Information.

4 U.S. Businesses, Requirements of Participation, Privacy Shield Principles, (1) Notice: https://www.privacyshield.gov/article?id=1-NOTICE.

5 U.S. Businesses, Requirements of Participation, Privacy Shield Principles, (2) Choice, Subsections (a)-(b): https://www.privacyshield.gov/article?id=2-CHOICE.

6 U.S. Businesses, Requirements of Participation, Privacy Shield Principles, (2) Choice: https://www.privacyshield.gov/article?id=2-CHOICE.

7 U.S. Businesses, Requirements of Participation, Privacy Shield Principles, (3) Accountability For Onward Transfers: https://www.privacyshield.gov/article?id=3-ACCOUNTABILITY-FOR-ONWARD-TRANSFER.

8 U.S. Businesses, Requirements of Participation, Privacy Shield Supplemental Principles, (10) Obligatory Contracts for Onward Transfers, Subsection (a): https://www.privacyshield.gov/article?id=10-Obligatory-Contracts-for-Onward-Transfers.

9 U.S. Businesses, Requirements of Participation, Privacy Shield Supplemental Principles, (6) Self-Certification, Subsection (e): https://www.privacyshield.gov/article?id=6-Self-Certification.

10 U.S. Businesses, Requirements of Participation, Privacy Shield Principles, (8) Access: https://www.privacyshield.gov/article?id=6-ACCESS.

11 U.S. Businesses, Requirements of Participation, Privacy Shield Supplemental Principles, (7) Verification, Subsections (a)-(b): https://www.privacyshield.gov/article?id=7-Verification.

12 See U.S. Businesses, Requirements of Participation, Privacy Shield Supplemental Principles, (7) Verification, Subsection (c): https://www.privacyshield.gov/article?id=7-Verification.

13 U.S. Businesses, Requirements of Participation, Privacy Shield Principles, (7) Recourse, Enforcement, and Liability: https://www.privacyshield.gov/article?id=7-RECOURSE-ENFORCEMENT-AND-LIABILITY.

14 U.S. Businesses, Requirements of Participation, Privacy Shield Supplemental Principles, The Role of Data Protection Authorities: https://www.privacyshield.gov/article?id=5-The-Role-of-the-Data-Protection-Authorities-a-b.

15 U.S. Businesses, Requirements of Participation, Privacy Shield Supplemental Principles, (9) Human Resources Data, Subsection (e): https://www.privacyshield.gov/article?id=9-Human-Resources-Data.

16 U.S. Businesses, Requirements of Participation, Privacy Shield Supplemental Principles, (6) Self-Certification, Subsection (e): https://www.privacyshield.gov/article?id=6-Self-Certification.

17 See U.S. Businesses, Requirements of Participation, Privacy Shield Supplemental Principles.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.