Self-Certification Under EU-U.S. Privacy Shield to Commence from August 2016
Following the formal approval of the EU-U.S. Privacy Shield by the European Commission on 8 July 2016, the arrangement will come into force in the U.S. commencing 1 August 2016 and will provide a convenient framework allowing U.S.-based companies to store, process and access personal data originating from the EU in the U.S., using servers and staff located in the U.S.
Any company can independently join the program by self-certifying to the Department of Commerce that it agrees to comply with the Privacy Shield Principles. The commitment is then enforceable by the Federal Trade Commission or (where relevant) by the U.S. Department of Transportation. Participants are required to publish their Privacy Shield Policy on their websites.
The Privacy Shield Principles are similar to those under the Safe Harbor regime and include familiar requirements such as notice, choice, access, security, accountability for onward transfer and purpose limitation. There are specific detailed provisions on the use of data in connection with medical research and clinical trials for pharmaceuticals and medical devices, a journalism exemption and provisions in relation to audit and due diligence activities in connection with investment activities.
There are some important specific provisions in relation to transfers of personal data to third parties. These require the participating company to impose the Privacy Shield principles, through contractual arrangements, on any third party that receives personal data from it, and to ensure that agents and service providers that process personal data on its behalf do so in compliance with those principles.
A key new element introduced through the program is a set of provisions for additional recourse options to be available to individuals. Participating companies will be required to investigate complaints and respond to individuals within 45 days. Complaints can also be made by EU individuals to their national data protection regulators, which can take up the issue with the U.S. Department of Commerce. Participating companies have to choose the recourse mechanisms to which they will be subject (such as private dispute resolution mechanisms or direct accountability to European data protection regulators). The scheme offers flexibility, but one or another effective recourse mechanism, which must be free of charge to individuals making complaints, must be adopted by the participating entity. There is also a last-resort arbitration option.
The main change that the new program promises is that compliance will be more closely monitored by the Department of Commerce and enforced through the recourse mechanisms; consequently, the regulatory burden on participating companies is likely to be more intense.
Still, the adoption of the Privacy Shield is great news for U.S. companies and for the restoration of legal certainty in this area of great practical significance. Companies that put in place data transfer agreements or ‘binding corporate rules’ (either in response to the invalidation of the Safe Harbor or as a long-standing policy) can continue to rely on these measures to make lawful transfers of personal data from the EU to the U.S., but the Privacy Shield is designed to allow more flexibility for any business that processes EU personal data on a significant or regular basis.