Privacy Shield Approved, Self-Certifications to Begin
This week, the European Commission formally approved the EU-U.S. Privacy Shield data transfer agreement. Privacy Shield will replace the Safe Harbor agreement, which provided a self-certification framework for EU-U.S. data transfers for more than a decade before it was invalidated by Europe’s highest court in October 2015 in the landmark Schrems decision. While alternative legal mechanisms for data transfers remain available, such as Model Contract Clauses or Binding Corporate Rules, the approval of Privacy Shield gives companies and organizations a new and robust legal basis for transfers of personal data from the EU to the U.S.
Also this week, the U.S. Department of Commerce announced that it will begin accepting Privacy Shield self-certification applications on August 1. Companies and organizations seeking self-certification may take immediate steps to prepare for this process, as discussed in further detail below.
Key Aspects of the New Privacy Shield
The self-certification process will require companies and organizations to commit to adhere to the Privacy Shield principles. This commitment requires them to implement robust protections for personal data transferred from the EU, including, among other things:
Notice and Access. Provide notice to individuals regarding the types of data collected, the purposes for which data is collected, and their right to access their own data and limit its disclosure or use;
Opt-out Mechanism. Provide a mechanism for individuals to opt out if an organization plans to disclose personal data to a third party or use personal data for a purpose other than that for which it was collected;
Accountability for Transfers. For onward data transfers to third parties, develop policies to ensure that transferred personal data may only be processed in a manner consistent with the data subject’s consent and the Privacy Shield principles;
Data Security. Implement data security measures to protect against the loss or misuse of personal data.
The new Privacy Shield Framework also provides expanded redress mechanisms for individuals with complaints under the framework, including:
Company-Provided Dispute Resolution. Companies will be required to respond to individual complaints within 45 days and to make an independent dispute resolution process available to the individual at no cost;
DPA Investigations. Individuals may also submit complaints to EU data protection authorities (DPAs), and under certain circumstances companies may be required to submit to the jurisdiction of the relevant DPA; and
FTC Enforcement. Individual complaints may also be submitted or referred to the FTC for investigation and resolution, and enhanced FTC enforcement activity is expected under Privacy Shield.
What Your Company Can Do Now
With the final approval of Privacy Shield, companies can evaluate the requirements of the new framework to determine how, and whether, to self-certify. Companies that elect to seek self-certification should take a number of steps, as outlined in a guide published this week by the U.S. Department of Commerce:
Confirm Eligibility. In general, only organizations that are subject to the jurisdiction of the FTC or the Department of Transportation are eligible to self-certify.
Verification and Designated Contact. Self-certifying organizations must have procedures in place for verifying their compliance with the Privacy Shield principles, and must designate an organizational contact responsible for handling complaints and other issues that arise under Privacy Shield.
Ice Miller’s Data Security and Privacy practice can assist your company or organization with each step in this process.
Stay up to date on the latest developments in transatlantic data transfers with us. Ice Miller's Data Security and Privacy practice advises clients on international data transfers and international data protection compliance. Nick Merker, a former systems, network, and security engineer, is a co-chair of Ice Miller’s Data Security and Privacy Practice and speaks frequently on international data transfers in the United States and abroad. Merker can be reached at firstname.lastname@example.org or (312) 726-2504. Eric McKeown, a former software developer, is a member of Ice Miller's Data Security and Privacy Practice. McKeown can be reached at email@example.com or (317) 236-2124.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.