By Everett L. Monroe
On Aug. 1, the Department of Commerce started accepting applications for United States businesses to subscribe to the EU-U.S. Privacy Shield. The new framework places new and more stringent requirements on U.S. companies seeking to receive personal information from European organizations. U.S. companies applying to the program should anticipate increased oversight as the program's administrators demonstrate its effectiveness to consumers and regulators.
European Union law regulates when EU organizations may transfer personal information about European citizens to non-EU companies in other countries. If the EU determines that a non-EU country's privacy regulations provide an essentially equivalent level of protection to EU law, EU businesses are permitted to transfer information to a business in that country. The EU did not find the protections for data privacy in U.S. law sufficient and, therefore, allowed only transfers to U.S. companies that made additional commitments to protect the privacy of EU data subjects.
That additional commitment requirement led to the establishment of the Safe Harbor program in 2000, which functioned as a self-certification framework. Over time, EU authorities found that U.S. regulators did not provide sufficient oversight and enforcement, such that the program in their view failed to protect the privacy of EU data subjects. In 2013, EU regulators initiated discussions with U.S. regulators as to how to strengthen the Safe Harbor framework. Those negotiations accelerated when the European Court of Justice invalidated the Safe Harbor program in Schrems v. Irish Data Protection Commissioner. When the Privacy Shield was announced in early 2016, it was met immediately with the same skepticism regarding the quality of U.S. privacy enforcement from both EU regulators and U.S. non-profit and civil liberties groups.
The Privacy Shield, like its predecessor, requires that a company certify that it adheres to a series of principles and procedures to protect the privacy of data subjects in order to legally transfer personal information from EU businesses and other organizations. If the company fails to meet those commitments, the Federal Trade Commission can take action through its authority to regulate misleading or deceptive practices.
Businesses that seek to participate in the Privacy Shield need to take procedural and substantive steps to meet their commitments under the program. Many businesses will need to make further disclosures in their privacy policies that explain how they collect and use personal information, and provide additional information on their privacy obligations when transferring data to third parties. Businesses will also need to ensure that data is collected, used and retained only for the purposes that are clearly explained in their privacy notices.
New to the Privacy Shield is an added requirement that companies adopt additional recourse mechanisms to resolve complaints. In addition to informal and internal means of addressing issues, the Privacy Shield now requires businesses to contract with a dispute resolution service before being allowed to participate, and also to pay a fee to fund a last-resort arbitration system in case other means of dispute resolution fail. If the business is transferring human resources data for its employees from Europe, it must also agree to be subject to limited EU data protection jurisdiction related to that data.
For companies not used to European data protection requirements, the most challenging requirement of the Privacy Shield may be to protect data transferred to their business partners. Privacy Shield companies must have contracts in place in which their vendors and business partners promise to adhere to the Privacy Shield commitments, including maintaining the original limitations on use, purpose and retention. Further, the businesses must remain accountable to the data subjects to ensure their business partners meet those contractual obligations. Recognizing that this could mean renegotiating some agreements, companies that commit to the Privacy Shield in the first two months of implementation will be given a nine-month grace period to bring existing data-sharing arrangements with their vendors and partners into compliance.
The Privacy Shield in practice must withstand legal challenges to the framework and earn the confidence of EU regulators skeptical as to whether the framework is being rigorously enforced. The Privacy Shield increases EU regulatory oversight, including implementing an annual joint review of the program and a formal exit procedure in the event EU regulators find the program deficient. The results of the first review will be critical to the viability of the Privacy Shield and the confidence of businesses to avail themselves of it, as EU authorities have declared their intent to carefully scrutinize the application and enforcement of the Privacy Shield in its first year. Failing to satisfy their concerns could result in future challenges of the framework.
Everett L. Monroe is an attorney at Hanson Bridgett LLP where his practice focuses on data privacy and intellectual property disputes and counseling. He is a Certified Information Privacy Professional-Europe with the International Association of Privacy Professionals.