Alerts and Updates

Is Your Company Registered for the New EU-U.S. Privacy Shield?

August 12, 2016


Following the July 12, 2016, adoption by the European Commission of the EU-U.S. Privacy Shield (the “Privacy Shield”), companies engaging in trans-Atlantic data sharing can now register for the Privacy Shield. It replaces the prior Safe Harbor Program, which was invalidated by the European Court of Justice on October 6, 2015, when it ruled that the data of European citizens was not safe when stored on U.S. computer servers given the U.S. government’s ability to access information through its intelligence services.[1]

The new Privacy Shield provides transparency in how companies use personal data, robust U.S. government oversight and increased cooperation with EU data protection authorities (the “DPA”). It includes more rigorous monitoring and enforcement by the U.S. Department of Commerce (the “Department”) and the Federal Trade Commission (“FTC”). Because the Privacy Shield is enforceable as U.S. law against a registered company, it is essential to ensure its compliance before registering.

Key provisions of the Privacy Shield include:

  • Informing Individuals About Data Processing: The Privacy Shield imposes stricter notice standards than the Safe Harbor did, including additional requirements for the content of participants’ privacy policies.
  • Providing Free and Accessible Dispute Resolution: The Privacy Shield outlines several dispute resolution mechanisms and specific timelines for handling disputes.
  • Cooperating with the Department of Commerce: Participants should promptly respond to Department inquiries and requests for information relating to the Privacy Shield.
  • Ensuring Accountability for Data Transferred to Third Parties: Participants must enter into written agreements with third parties to ensure that data is processed for limited and specified purposes consistent with the consent provided by the individual, that the third party will provide the same level of protection and that the third party will provide notification if it can no longer meet its obligation.
  • Transparency Related to Enforcement Actions: The Privacy Shield seeks to create greater transparency for enforcement actions by making public any Privacy Shield-related sections of any compliance or assessment reports submitted to the FTC as a result of an FTC or court order based on non-compliance.
  • Potential Additions in the Future: The Privacy Shield is designed to be updated with time to address evolving issues and accommodate the General Data Protection Regulation (effective in 2018).

To join the Privacy Shield, a U.S.-based company must first develop a Privacy Shield-compliant privacy policy. Thereafter, a company can self-certify and publicly commit to comply with the Privacy Shield’s requirements.[2] Once publicly committed, the provisions of the Privacy Shield are enforceable as U.S. law against the company. If a participant chooses to leave the Privacy Shield, it will be required to annually certify its commitment to apply the principles of the Privacy Shield to, or provide “adequate” protection for, any information it retains that was received while operating under the Privacy Shield.

The requirements of the Privacy Shield differ from those of its predecessor, the Safe Harbor. It may be prudent for companies engaging in the cross-border transfer of data to consult legal counsel experienced with the Privacy Shield to ensure compliance.

For Further Information

If you have any questions about the information addressed in this Alert, please contact Sandra A. Jeskie, any member of Duane Morris’ Information Technologies and Telecom team or the attorney in the firm with whom you are regularly in contact.

Notes

[1] EU-U.S. Privacy Shield, U.S. Dep’t of Commerce, available at: https://www.commerce.gov/page/eu-us-privacy-shield; 2000/520/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, available at: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32000D0520:EN:HTML.

[2] EU-U.S. Privacy Shield: Frequently Asked Questions (Feb. 29, 2016), available at: http://europa.eu/rapid/press-release_MEMO-16-434_en.htm.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.