Beginning August 1, U.S.-based companies that self-certify their compliance with the EU-U.S. Privacy Shield will be able to import data under the new data transfer framework. But how can your company best prepare?
Companies in the United States may be excited that the EU-U.S. Privacy Shield – the new trans-Atlantic data transfer compact approved by the European Commission on July 12 – is now live, opening a new avenue to import personal data from the European Union in accordance with EU data protection laws. Starting August 1, companies can begin self-certifying their compliance with the Privacy Shield’s Privacy Principles (Privacy Shield Principles) to the U.S. Department of Commerce, which administers the Privacy Shield. Companies will be able to import data under the Privacy Shield after Commerce verifies their self-certification and places them on the department’s publicly-available Privacy Shield List, a roster of all self-certifying U.S. companies participating in the new framework.
The Privacy Shield is the successor to the U.S.-EU Safe Harbor Framework, which the Court of Justice of the European Union (CJEU) invalidated last October. Since the Safe Harbor’s invalidation, U.S. companies had been limited to using model contractual clauses or Binding Corporate Rules (BCRs) to import EU residents’ personal data to the United States.
But companies eager to take advantage of the Privacy Shield to meet their data importation needs may be unsure of how to enroll in the Privacy Shield and meet the compliance requirements under the new regime. Davis Wright Tremaine has prepared the following “how-to” guide for companies hoping to participate in the Privacy Shield, outlining the major steps that they must take before they can self-certify with the Commerce Department. Please note that participating companies will face other compliance requirements as participants in the framework.
Enrolling in the Privacy Shield: A “How-To” Guide for U.S. Businesses
- First Things First: Can You Participate in the Shield? While the Commerce Department administers and oversees participants’ compliance with the Privacy Shield, the Federal Trade Commission (FTC) and the U.S. Department of Transportation (DOT) enforce the Privacy Shield’s requirements. Therefore only organizations that are subject to either the FTC’s or DOT’s authority can participate.
- Review, Revise, and Implement. Once your company determines its ability to participate in the Privacy Shield, it will need to take steps to comply with the Privacy Shield Principles. Though many parts of the Privacy Shield are similar to the Safe Harbor Framework, companies that previously participated in Safe Harbor should not treat the new arrangement as essentially Safe Harbor 2.0.
Instead, if your company participated in Safe Harbor, we strongly encourage you to thoroughly review the Privacy Shield Principles and the obligations under the new framework, and revise all internal policies and procedures to ensure that they adhere to the Privacy Shield.
- Select an Independent Dispute Resolution Mechanism. Participating companies must choose an independent dispute resolution program to handle complaints and to investigate and resolve disputes free of charge to the individual, as required under the Privacy Shield’s Recourse, Enforcement, and Liability Principle. Your company must already participate in a dispute resolution program when its self-certification is filed.
Participating companies may either use private-sector vendors that offer Privacy Shield dispute resolution services, or voluntarily commit to cooperate with EU Data Protection Authorities (DPAs) in resolving individuals’ complaints. Companies should note that cooperation with DPAs is mandatory where a company processes human resources data transferred from the EU in the context of the employment relationship.
- Implement “Reasonable and Appropriate” Data Security Measures. Privacy Shield participants must take measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Third-party data security vendors can help assess your company’s data security posture and implement measures to address any security gaps.
- Implement Contracts for Onward Transfers to Third Parties. Privacy Shield participants are accountable for onward transfers of personal data to third parties, and face different requirements if the third party acts as a controller or service provider/agent. All transfers to third parties must contractually restrict data processing to the purposes consistent with the individual’s consent, and require the third party to give the same level of protection under the Privacy Shield’s Principles. Participants that self-certify within two months of the Privacy Shield’s effective date will have nine months after certification to bring contracts with existing third party relationships into compliance.
- Implement Verification Procedures. Privacy Shield participants are required to have follow-up procedures in place to verify that their statements about their privacy practices are true, and that those practices have been implemented as represented and in accordance with the Privacy Shield’s Principles. Your company can verify compliance either through its own self-assessment or through a third-party self-assessment program.
- File Self-Certification Form. If your company already meets all of the above, it likely can submit its self-certification to the Commerce Department on August 1. Note that your company will have to annually re-certify its Privacy Shield compliance with the Commerce Department. The Commerce Department will also assess a certification processing fee every year based on your company’s annual revenue: businesses with annual revenues up to $5 million will be assessed a fee of $250, while companies that earn more per year will be charged higher fees at varying amounts (the maximum possible fee is $3,250 for companies that earn more than $5 billion annually).
- Prepare to Respond. One of the Privacy Shield’s major provisions is that participants must respond to inquiries and complaints raised by individuals, U.S. authorities, and EU DPAs. Participants must respond to non-compliance complaints made by EU residents within 45 days. As part of any response, you will need to address the complaint’s merits and, if applicable, how you will address the underlying issue. Responses to inquiries by U.S. authorities must be made “promptly,” while responses to complaints referred by DPAs must be made “expeditiously.”
Going Forward: Privacy Shield OK for Now, but WP29 Signals a “Wait-and-See” Approach
American companies may be able to self-certify their compliance with the Privacy Shield, but the future of the new data transfer framework may depend on how well it functions over the next year. On July 26, the Article 29 Working Party (WP29) issued its response to the European Commission’s July 12 decision formally approving the Privacy Shield, in which Europe’s DPAs reiterated a number of their misgivings but vowed to wait to raise any objections until a review of the first year’s performance of the Shield, which will take place next year. In the interim, WP29 will provide guidance to data controllers and citizens about their rights and obligations under the Privacy Shield. The WP29’s statement means that U.S. companies will now be able to rely on the Privacy Shield to ease their EU data protection compliance burdens, but European privacy regulators will be watching to see if U.S. companies live up to their Privacy Shield commitments.