The Likely Demise of the EU-U.S. Privacy Shield & Its Impact on U.S. Companies
The future of the EU-U.S. Privacy Shield data-sharing arrangement is shaky at best. On June 12, 2018, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) passed a resolution calling for the suspension of the Privacy Shield unless the U.S. demonstrates full compliance with the requirements of the program by September 1, 2018. Today, following the LIBE recommendation, Parliament itself voted 303 to 223 (with 29 abstentions) in favor of suspension “unless the U.S. is fully compliant” by September 1st.
The European Parliament took this action in response to a number of recent data breaches affecting Privacy Shield-certified U.S. companies, which raised concern over the effectiveness of the regulatory oversight of the framework and over the sufficiency of the Shield’s certification requirements, which are designed to protect the personal data of EU residents. If the Shield is suspended, certified U.S. companies will no longer be able to rely on the benefits it affords them and will have to find another lawful mechanism for transferring personal data out of the EU in order to satisfy the GDPR.
Specifically, the resolution identifies three major deficiencies in the current Privacy Shield certification framework: (1) a lack of institutional support for the bodies overseeing certified U.S. companies, including the Privacy and Civil Liberties Oversight Board (PCLOB), the Federal Trade Commission (FTC) and the Privacy Shield Ombudsperson; (2) a failure to investigate and remove false claims of Privacy Shield certification by U.S. organizations; and (3) a general concern about U.S. surveillance practices and the redress available to EU residents in those circumstances.
The Privacy Shield and GDPR: How they work together
The GDPR (General Data Protection Regulation) was adopted in May 2016 and came into effect on May 25, 2018, replacing the EU Data Protection Directive of 1995 (Directive 95/46/EC). The GDPR governs a wide range of issues affecting the protection of the personal data of EU residents, including how such data may lawfully be transferred outside the EU. Specifically, Chapter V (Articles 44-50) of the GDPR provides three main avenues for valid transfers: (a) incorporation of standard contractual clauses approved by the European Commission into the contracts governing international data transfers; (b) binding corporate rules, intended for multinational organizations, which provide safeguards for the protection of data moving within such organizations; and (c) an “adequacy decision” of the European Commission, whereby the Commission finds that the protection afforded to EU personal data when transferred to a particular territory outside the EU is sufficient, so that no further authorization is required.
The EU-U.S. Privacy Shield framework is a product of the third avenue and applies specifically to transfers of EU personal data to the U.S. To be Privacy Shield certified, a U.S. organization must commit to the seven principles of the Privacy Shield framework and self-certify to the U.S. Department of Commerce. These principles include giving notice of data collection practices, offering individuals a choice about how their data is used and disclosed (opt-out in general, opt-in for sensitive data), and implementing reasonable safeguards to protect the data.
Privacy Shield certification is therefore only a means of legitimizing the transfer of EU personal data to the U.S. It does NOT replace the need for U.S. companies to comply with the GDPR, nor the need to document that compliance.
What happens if the Privacy Shield is suspended?
The second annual review of the EU-U.S. Privacy Shield by the European Commission, the executive arm of the European Union, is set to take place this fall, when the adequacy of the mechanism will be reassessed to determine whether the identified deficiencies have been corrected. If the Privacy Shield is suspended in its entirety, U.S. companies will no longer be able to rely on a Privacy Shield certification for data transfers and will have to reevaluate their EU-specific data transfer practices. Although we are monitoring how this decision unfolds, we recommend that companies that are already Privacy Shield certified (or have been considering certification) begin exploring alternative mechanisms, such as standard contractual clauses or binding corporate rules, for legitimizing their transfers of EU personal data to the U.S., in addition to ensuring general compliance with the GDPR.
If you have any questions about the EU-U.S. Privacy Shield framework, as it currently stands, the GDPR, or privacy compliance in general, we would be happy to assist you. Our team includes U.S. and EU-trained attorneys experienced with data privacy requirements in the EU and well-versed in the EU-U.S. Privacy Shield self-certification process and the GDPR, as well as other data privacy laws and regulations in individual EU Member States not covered by the GDPR.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape.
Mark Johnson has over 20 years of experience advising clients on data privacy regulations and public policy, and is a former member of the Data Privacy practice group at the international law firm, Squire Patton Boggs in Washington D.C.
Lakshmi Sarma Ramani served as the lead global attorney for privacy matters at The Nature Conservancy, where she also managed a wide range of legal and regulatory compliance matters, including cybersecurity, tax, finance, technology, marketing, membership and fundraising.
Feel free to reach out directly to Stephan, Mark or Lakshmi, or request more information by visiting our Contact Us page.
*For the European Parliament press release about this resolution, see: http://www.europarl.europa.eu/news/en/press-room/20180611IPR05527/eu-us-privacy-shield-data-exchange-deal-us-must-comply-by-1-september-say-meps