By Sheila Millar and Tracy Marshall

The European Commission (EC) adopted its adequacy decision approving the EU–U.S. Privacy Shield on Tuesday, July 12, 2016, after EU member states, acting through the Article 31 committee, approved the pact the previous week (more on the draft adequacy decision back in March here and the earlier agreement laying out the Privacy Shield here). The decision allows U.S. companies that have self-certified to the framework to receive and process the personal data of EU residents, while giving EU individuals stronger privacy protections and new avenues of redress, including the ability to sue in U.S. courts over alleged privacy violations. The adequacy decision took effect immediately upon notification to Member States on July 12, and the Privacy Shield Framework will be published in the Federal Register within 30 days of the Article 31 committee approval. Companies that want to self-certify compliance with the Privacy Shield can do so starting August 1, 2016, and must pay a cost-recovery fee set by a schedule keyed to annual revenue (the fee ranges from $250 to $3,250, for companies with annual revenues from $0 to over $5 billion).

The EC’s approval is the culmination of months of negotiations between EU and U.S. authorities on data transfer mechanisms in the wake of the European Court of Justice’s (ECJ) October 2015 decision in Schrems v. Data Protection Commissioner (Case C-362/14), which invalidated the Commission’s adequacy decision underpinning the EU–U.S. Safe Harbor Framework. The Schrems court held that the Safe Harbor Framework did not ensure an adequate level of protection and, further, that a Commission adequacy decision does not prevent national Data Protection Authorities (DPAs) from independently examining complaints about whether a transfer protects EU citizens’ right to privacy.

The Privacy Shield, which replaces Safe Harbor as the basis for continuing transfers of personal data from the EU to the U.S., imposes more robust obligations on participating U.S. companies to protect Europeans’ personal data than its predecessor did. New requirements include the following:

  • Companies handling human resources (employee) data must commit in their privacy policies to cooperate with the EU DPAs and to comply with their advice;
  • Companies processing individuals’ data must commit in their privacy policies to follow the Privacy Shield Principles, making the commitment enforceable under U.S. law (through the FTC’s authority over deceptive practices);
  • Companies must include in their privacy policies a link to the U.S. Department of Commerce’s (DOC) Privacy Shield website;
  • Companies must inform individuals of:
    • their right to access their own personal data,
    • the requirement to disclose personal data in response to lawful requests from public authorities, including for national security or law enforcement purposes, and
    • the company’s liability in cases of onward transfer of data to third parties; and
  • Companies must respond promptly to requests and inquiries from the DOC, and must make public the Privacy Shield–related sections of any compliance or assessment report submitted to the Federal Trade Commission (FTC) when the company becomes subject to an FTC or court order based on non-compliance with the Privacy Shield.

EU individuals will also have redress for alleged misuse of their data through new obligations on companies to respond to complaints (within 45 days) and through free-of-charge independent dispute resolution, among other routes. They will also be able to enforce certain privacy rights against U.S. government agencies in U.S. courts under the Judicial Redress Act, passed earlier this year and signed by President Obama on February 24, 2016. Adoption of a law recognizing this right was a key element in the negotiation process.

The deal also requires the DOC and FTC to engage in more robust monitoring and enforcement. Access to EU individuals’ personal data by U.S. law enforcement and national security authorities is to be subject to clear limitations, safeguards and oversight, and “must be used only to the extent necessary and proportionate.” An annual joint review of the Privacy Shield will also be conducted.

The FTC remains committed to enforcing representations about compliance with public privacy promises and with privacy self-regulatory or certification programs. The FTC announced late last week (on July 14, 2016), for example, that it had sent warning letters to 28 companies that claimed to participate in the certification program under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system without being certified. Companies can be certified as compliant with the CBPR program if they comply with nine data privacy protection principles: preventing harm, notice, collection limitation, uses of personal information, choice, integrity of personal information, security safeguards, access and correction, and accountability.

The FTC’s actions to enforce U.S. companies’ promises about adhering to the APEC CBPR align with its enforcement commitments under the Privacy Shield. Regulatory scrutiny of representations about cross-border privacy practices is likely to increase in the coming months and years, as both the FTC and EU regulators have every reason to establish the Privacy Shield as a reliable way to ensure that personal data transferred to the U.S. is handled appropriately.

Proliferating laws and regulations governing privacy and data security make the compliance challenge ever more complex for global businesses. The new regime under the EU General Data Protection Regulation (GDPR), which applies from May 25, 2018, adds an extraterritorial twist: it reaches companies outside the EU that offer goods or services to, or monitor the behavior of, individuals in the EU, so companies doing business internationally should become familiar with the new requirements and begin implementing compliance measures now. (See our GDPR compliance checklist here as a starting point.) Staying on top of privacy is more important than ever in an ever-changing landscape.