
What is the E.U.-U.S. Privacy Shield Framework & How Does Certification Work?

The E.U.-U.S. Privacy Shield Framework was formally approved July 12, 2016 when the E.U. Commission deemed the Privacy Shield Framework “adequate” to enable data transfers under E.U. law. U.S. businesses that meet the Privacy Shield requirements can self-certify online beginning August 1. U.S. businesses processing E.U. customer or employee data, or with plans to do so in the near future, should consider Privacy Shield certification.

What is the E.U.-U.S. Privacy Shield?

The E.U.-U.S. Privacy Shield Framework provides U.S. businesses with a mechanism to comply with E.U. data protection requirements when transferring personal data of E.U. customers or business partners from the E.U. to the U.S. The program is operated by the U.S. Department of Commerce and includes data privacy Principles that self-certifying organizations agree to follow when processing the personal data of E.U. citizens. Certifying to Privacy Shield means your E.U. customers and business partners will know that your organization provides adequate data privacy protections.

Privacy Shield replaces the prior Safe Harbor Framework that was deemed “invalid” in October 2015. Organizations that were certified under Safe Harbor must still self-certify under Privacy Shield. In comparison to Safe Harbor, Privacy Shield is more restrictive. For example, under Privacy Shield, participants must include more detail in their privacy policies on data processing, must provide free and accessible dispute resolution for privacy complaints, must cooperate with the Department of Commerce by responding to inquiries and requests for information when asked, must limit data collection to the information relevant to the purposes stated in the privacy policy, and are accountable for data transferred to a third party.

How Does Certification Work?

To join the Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law.

In order to be certified under Privacy Shield, U.S. businesses should follow these steps, with the assistance of privacy counsel if necessary:

1. Review the Privacy Shield Principles and Supplemental Principles;
2. Assess internal privacy practices and procedures and public-facing privacy policy for compliance with Privacy Shield Principles;
3. Update and revise privacy policy and internal practices and procedures, as necessary;
4. Create a separate privacy policy for transferring employee data to the U.S., if necessary;
5. Choose and apply for participation with a dispute resolution mechanism;
6. Complete the online certification application with the U.S. Department of Commerce;
7. Review and revise third party vendor contracts to meet Privacy Shield requirements.

Companies that certify to Privacy Shield in the first two months will have a nine month “grace period” to update third party contracts to comply with Privacy Shield. Companies certifying after the first two months will be expected to use compliant third party contracts immediately upon certification.

Are There Alternatives to Privacy Shield?

As an alternative to Privacy Shield, U.S. businesses processing E.U. data may still use the E.U. Model Clauses (for certain B2B transactions), Binding Corporate Rules (for internal transfers), or obtain individual user consent (for B2C), but at least one of the available mechanisms should be in place to legally transfer E.U. citizen data to the U.S. Since Privacy Shield requires downstream vendors to follow the Principles, companies choosing to forgo Privacy Shield may still have to agree to the Principles in contracts with Shield-certified businesses.

Regardless of the mechanism selected, the new E.U. General Data Protection Regulation (GDPR) as of May 2018 will cover all businesses processing E.U. data or doing business with E.U. consumers, even if the business is based outside the E.U. So, adhering to E.U. data protection requirements will soon become a regular cost of doing business for U.S. businesses with E.U. customers and business partners.

If you are considering self-certifying to Privacy Shield, or need additional information on data privacy requirements, please contact our privacy counsel, Christine Zebrowski. Christine regularly advises clients on U.S. and E.U. data privacy requirements, privacy policies, and Privacy Shield. You can reach Christine by email at [email protected] or by phone at 202-425-6711.

This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor as an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.
