On July 12, 2016, the European Commission announced its final approval of the EU-US Privacy Shield (the “Shield”). Once signed by both the EU Minister of Justice and the US Secretary of Commerce, the Shield will replace the US Department of Commerce Safe Harbor Program, one of several mechanisms that allowed companies in the EU to transfer personal data from the EU to the US. Previously, the Safe Harbor registration created a comparatively streamlined way for US companies to import and use HR and customer data from Europe. By registering, a US company was able to self-certify its promise to manage and treat the data consistent with listed basic principles of EU data protection law.
Last fall, however, the Court of Justice for the European Union (the “CJEU”) invalidated the existing Safe Harbor Program in light of revelations by Edward Snowden about surveillance practices of the US Government. That Court concluded that the laws constraining US surveillance were not sufficient to justify the adequacy of the Safe Harbor to protect personal data of EU citizens transferred to the US. Negotiations between representatives of the EU and the US Government resulted in a number of stronger obligations on companies and assurances from US authorities. A process of debate over the proposed changes within the EU has now culminated in the formal approval of the proposed Shield by the Commission.
The Shield adds substantive data protection obligations for the companies that register for it, creating an aggressive set of requirements to assure greater transparency, to meet more detailed standards, to respond to individual complaints and to resolve disputes. The agreement provides for stronger sanctions against companies that do not meet their obligations. In addition, the US government has made a number of promises to address the CJEU’s concerns about surveillance, including limits on mass and indiscriminate surveillance, the creation of an independent privacy ombudsperson and participation in a number of reports and a joint EU-US review mechanism. You can find a clear summary of the new requirements here: http://europa.eu/rapid/press-release_IP-16-2461_en.htm. We are reviewing the Commission’s implementing decision for further detail.
Will The New Shield Matter to You?
The newly approved Shield may matter to you if:
- Your company routinely imports (or accesses) more than a relatively small amount of personal data about EU citizens, most commonly if you manage a global workforce, client database, or marketing programs from the US or if you provide services to US companies that do.
- Your vendors, including companies that process and manage personal data on your behalf, claim the Safe Harbor program as a means to cover transferred data.
The Shield will take on added importance if the Standard (or Model) Contractual Clauses are invalidated. Notably, the Standard Contractual Clauses, a popular and much-used transfer mechanism, have already been forwarded to the CJEU, the same court that invalidated the Safe Harbor Program, to be judged under the same standards that resulted in the end of the Safe Harbor.
It is important to understand that the EU need not come to the US to enforce its transfer rules. Enforcement actions lie against the company in the EU that allows the transfer. A Data Protection Authority may fine a local company, the “controller” of the personal data, or order the transfer blocked. EU regulators do not regard Safe Harbor as valid. German Data Protection Authorities have already begun levying fines on international companies that rely on it.
The structures that the EU has created to regulate transfers of personal data beyond its borders often seem complex and confusing at the very least, even more so with the recent transatlantic commercial and political wrestling over the Safe Harbor program and with the Brexit vote.
Questions about the ultimate legal effect of the Shield as well as the Standard (or Model) Clauses will remain open in the near term. We cannot predict what the outcome of these highly contentious challenges will be. Two questions, however, can guide your next steps:
- First, ask yourself whether your company transfers personal data from the EU (or accesses data in the EU) to operate your business or whether you process data on behalf of other companies that do. What mechanisms do you have in place to cover that data transfer? Will the Shield be the best course of action for you?
- Second, ask whether vendors that process EU personal data for you have an up-to-date mechanism in place.
If we can help you answer these questions or evaluate the Shield’s use for your company, please feel free to contact us.
Compliments of DeVore & DeMarco LLP – A member of the EACCNY