As we have previously written, the EU-US Safe Harbor was struck down by the European Court of Justice (ECJ) in the wake of a legal challenge based on what was learned from the Edward Snowden affair. For the past few months, the European Commission and the U.S. have been working on a replacement framework for transatlantic data flows: the so-called EU-U.S. Privacy Shield.
Under the previous Safe Harbor framework, companies in the EU could legally transfer data to U.S. companies assuming certain conditions were met. The ruling of the ECJ however had the effect, that EU companies could no longer rely on the Safe Harbor framework, but had to refer to other means in order to legally transfer data to U.S. organizations instead (i.e standard contractual clauses, SSCs).
On July 12, 2016 the European Commission formally approved and adopted the EU-U.S. Privacy Shield. This new framework imposes stronger obligations on businesses in the U.S. to protect the personal data of individuals as well as stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission, including an increased cooperation with the European Data Protection Authorities.
The Privacy Shield framework is a voluntary program. It provides U.S. organizations with a mechanism for complying with EU data protection requirements when personal data is transferred from the EU to the U.S. However, once an eligible organization publicly commits to comply with the Privacy Shield Principles, that commitment is enforceable under U.S. law. The EU-U.S. Privacy Shield has the effect, that data transfers from a controller or processor in the EU to organizations in the U.S. that have self-certified their adherence to Principles of the EU-U.S. Privacy Shield and have committed to comply with them are considered to be adequately protected from a EU point of view and therefore allowed to receive data.
Since August 1, 2016 U.S. organizations can apply for a Privacy Shield certification with the Commerce Department under the following link: https://www.privacyshield.gov/welcome.
Before applying, organizations must:
- Confirm the eligibility to participate in the Privacy Shield;
- Develop a Privacy Shield-compliant Privacy Policy Statement;
- Identify an independent recourse mechanism;
- Ensure that the organization has a verification mechanism in place; and
- Designate a contact within the organization regarding Privacy Shield.
All organizations that have self-certified will appear on a public list: https://www.privacyshield.gov/list.
TAKEAWAY: U.S. companies receiving data from EU Member States (incl. the three European Economic Area Members Norway, Liechtenstein and Iceland) are recommended to carefully assess the extent and type of data flows from the EU and whether they are eligible for the EU-U.S. Privacy Shield. If a company is not eligible for the EU-U.S. Privacy Shield, we recommend consider possible alternatives (i.e. standard contractual clauses). For detailed information on how to apply for a Privacy Shield certification, the requirements and answers to FAQ refer to https://www.privacyshield.gov/Program-Overview.
* Alessa Waibel, a Corporate Intern, researched and assisted with the drafting of this post. *
PartnerMarketers, advertisers, agencies and suppliers, among others, regularly seek Andy’s counsel regarding legal aspects of their advertising and promotional marketing businesses. He’s pragmatic and always looks for ...