EU-U.S. Privacy Shield Now in Effect, Ending Months of Uncertainty
On July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield, a new transatlantic data transfer pact that will allow U.S. companies to transfer personal data about EU consumers and employees consistent with EU privacy laws. The Privacy Shield offers much-needed predictability and reliability for multinationals, and companies now must work to figure out how to apply the new framework to their particular business. U.S. companies will be able to self-certify their compliance as of August 1.
The Privacy Shield is the successor agreement to the Safe Harbor, which was struck down last year by the European Court of Justice over concerns about intrusive U.S. surveillance. The new agreement seeks to address the Court’s concerns by imposing greater obligations on U.S. companies to safeguard personal data, implementing stricter oversight and enforcement, and providing EU citizens several redress possibilities. Another change—perhaps symbolic—under the Privacy Shield is the creation of a U.S. “ombudsperson” to whom European citizens can bring privacy complaints, including complaints about mass surveillance. The Privacy Shield also provides for a new level of cooperation between U.S. authorities and EU data protection authorities to investigate and resolve complaints. Following criticism from various EU bodies, including the Article 29 Working Party, the European Parliament, and the European Data Protection Supervisor, the final text of the agreement was strengthened to provide additional clarifications on mass surveillance powers, the role of the ombudsperson, and on the onward transfer of EU citizens’ data.
A Good Opinion for Companies
The Privacy Shield likely will be the most cost-effective way for eligible U.S. companies to support transatlantic data transfers. Former Safe Harbor companies that took steps to implement an alternative data transfer mechanism—such as model contracts or binding corporate rules—may consider transitioning to the new agreement. Companies still without a legal basis for their transfers also should give the Privacy Shield serious consideration, given the substantial legal risk of transferring data without any mechanism in place. While the new agreement imposes stronger obligations on U.S. companies, the requirements generally follow the Safe Harbor requirements. Companies that self-certified under the Safe Harbor, therefore, should find it relatively easy to meet the requirements under the Privacy Shield.
Ultimately, the decision to certify under the Privacy Shield will differ for each company, based on a variety of factors. The Privacy Shield holds many benefits, but it too likely will face a legal challenge in European courts. Whether or not the new agreement will be upheld where the Safe Harbor was struck down remains to be seen—some regulators in the EU have been highly critical of the new agreement in the lead up to adoption. In fact, the EU’s Article 29 Working Party already announced that it is analyzing the final text of the Privacy Shield at a meeting on July 25. The Working Party was critical of an earlier draft of the agreement, stressing its complexity and lack of clarity. Companies that transitioned to alternative data transfer mechanisms may be able to take a “wait and see” approach, others may have no choice but to embrace the new agreement.
Wiley Rein Webinar
After months of uncertainty, the Privacy Shield’s adoption is a landmark moment for privacy both in the EU and in the U.S. The European Commission’s adequacy decision is unilateral and takes immediate effect. Companies will be given until August 1 to review the Privacy Shield to enable a smooth transition to the new framework. To assist companies reviewing the new framework and planning their data transfers, Wiley Rein LLP will host a webinar on the Privacy Shield on July 20 from 12:00 p.m. to 1:00 p.m. The webinar will review in detail the changes from the previous Safe Harbor and cover how companies can prepare for the additional requirements and scrutiny under the new Privacy Shield framework. To register for the webinar, click here or contact Leslyn Parks at 202.719.4472 or firstname.lastname@example.org.