On July 12, 2016, the European Commission adopted the EU-US Privacy Shield, and as of August 1, companies can self-certify their compliance under the Privacy Shield. The Privacy Shield is the successor to the EU-US Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union late last year. This article provides a high-level summary of the EU-US Privacy Shield, the advantages and disadvantages of voluntary certification, and the certification process.
What is the EU-US Privacy Shield?
All companies located in the United States that receive personal data from the European Union must have a legal basis to do so. The self-certification mechanism under the Privacy Shield provides a basis. The Privacy Shield was designed by the European Commission and the US Department of Commerce to provide companies with a mechanism to comply with European data protection requirements.
It is important to understand that certification under the Privacy Shield is voluntary and is only one legal means of receiving personal data from the European Union. Other legal bases include Model Clauses and Binding Corporate Rules. The Privacy Shield only applies to US companies and to data transferred from the EU to the US. Each method has its own advantages and disadvantages to consider; however, certification under the Privacy Shield is generally the most efficient and cost-conscious option, particularly for SMBs.
Advantages of self-certification under the Privacy Shield
- The Privacy Shield is more flexible and convenient, and less costly, than the other data transfer mechanisms available.
- Compliance requirements are laid out clearly and are cost effective.
- All EU Member States are bound by the ‘adequacy’ finding of the European Commission. Companies that participate in the Privacy Shield are deemed to provide ‘adequate’ privacy protection, a requirement for the transfer of personal data out of the EU.
- There is no need to implement Binding Corporate Rules or enter into Model Clauses. For more information and resources on Binding Corporate Rules and Model Clauses, see Globig’s previous blog article titled “European Commission Issues Clarification and Guidance On Alternative Mechanisms For Transatlantic Data”.
- EU Member State requirements for prior approval of personal data transfers are either waived or automatically approved.
Disadvantages to self-certification under the Privacy Shield
- Participation may require changes to how personal data is gathered, manipulated, stored, and transferred within a company, as well as changes to its privacy policy and practices.
- Participation requires ongoing obligations to ensure compliance and annual self-certification.
- Once a company has joined, all personal data received under the Privacy Shield must be permanently protected by the Privacy Shield, or equivalent protection, which may be difficult given the prevalence of commingled data.
- The Privacy Shield has very detailed and strict compliance requirements, making implementation and ongoing compliance difficult.
- Self-certification could increase the likelihood of scrutiny or lawsuits.
- The Privacy Shield’s adequacy is likely to be challenged in court, although EU privacy watchdogs have agreed not to lodge any challenges for a year.
While participation in the Privacy Shield must be analyzed based on your company’s specific use of personal data, it is generally a great option for small and medium-sized businesses. Furthermore, the above advantages and disadvantages are only a short list of the things you should consider when deciding how you will handle data transfers from the EU. We recommend you speak with an expert about your specific data protection obligations and compliance plan.
How to self-certify
To participate in the Privacy Shield, you must annually self-certify that you agree to adhere to the Privacy Shield Principles, including the Supplemental Principles. Certification must be done through the US Department of Commerce’s (DOC) newly launched Privacy Shield website. The self-certification steps are below:
- Confirm your company’s eligibility to participate in the Privacy Shield: Any US company subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) may participate in the Privacy Shield. Notable exclusions include banks, federal credit unions, savings and loan institutions, labor associations, and most nonprofit organizations.
- Develop a Privacy Shield-compliant privacy policy statement: Your company must develop a Privacy Shield-compliant privacy policy, which should be published on your website, before submitting your self-certification to the DOC.
- Identify your company’s independent recourse mechanism: Under the Recourse, Enforcement and Liability Principle, you must create an independent mechanism to investigate individuals’ unresolved complaints regarding your compliance with the Privacy Shield, at no cost to the individuals.
- Ensure your company’s verification mechanism is in place: Under Supplemental Principle 7 (Verification), you are required to have procedures in place to verify compliance. The procedure can be a self-assessment or you can work with an outside/third-party assessment program to verify your compliance.
- Designate a contact within your company regarding the Privacy Shield: Your company is required to provide a contact to handle questions, complaints, access requests, and any other issue that may arise.
- Review the information required to self-certify: Before you submit your self-certification, you should review and compile the information required as part of the DOC’s online self-certification process.
- Submit your company’s self-certification to the DOC: Submission of your self-certification requires that you pay a certification fee. The certification fee is determined by your company’s annual revenue.
Compliance with your data and privacy protection obligations is an important part of protecting your business. You should conduct the appropriate due diligence when deciding which data transfer mechanism to implement. You need to thoroughly review the Privacy Shield Principles, including the Supplemental Principles, to determine how you will comply with all of the obligations. Your due diligence will likely include working with an expert.