U.S. businesses that have been anxiously awaiting the draft of the new Privacy Shield, the successor to the EU-US Safe Harbor, now have some reading to do. On February 29, 2016, the Department of Commerce (DOC) and the European Commission released the terms of the Privacy Shield. The 132-page draft of the Privacy Shield is the successor to the Safe Harbor which was invalidated in October, 2015 by the Court of Justice of the European Union in what is referred to as the Schrems decision.
The Privacy Shield is similar to the Safe Harbor in that it sets forth seven privacy principles to which companies must certify. The seven primary principles are: Notice; Choice; Security; Data Integrity and Purpose Limitation; Access; Accountability for Onward Transfer; and Recourse, Enforcement and Liability.
The Privacy Shield differs from the Safe Harbor in that it includes new, detailed supplemental principles that address specific topics and types of data, such as: Sensitive Data; Journalistic Exceptions; Secondary Liability; Performing Due Diligence and Conducting Audits; the Role of the Data Protection Authorities; Self-Certification; Verification; Access; Human Resources Data; Obligatory Contracts for Onward Transfers; Dispute Resolution and Enforcement; Choice-Timing of Opt-Out; Travel Information; Pharmaceutical and Medical Products; Public Record and Publicly Available Information; and Access Requests by Public Authorities. The new Privacy Shield also differs from its defunct predecessor in specifying much more detailed terms for compliance in each of the areas outlined above, especially around verification and enforcement mechanisms.
With oversight from the DOC and a new Privacy Shield Ombudsman, individuals whose privacy rights have been violated under the Privacy Shield will have access to several levels of dispute resolution procedures. An individual may first bring a claim directly to the U.S. entity and give the entity an opportunity to resolve it. If the claim is not resolved within the prescribed period of 45 days, the individual may seek redress through the entity's independent recourse mechanism. If the independent recourse mechanism still does not resolve the matter, the individual may raise it with the DOC through the individual's Data Protection Authority and allow the DOC to resolve the matter within the timelines established in a letter from the International Trade Administration of the DOC. If the matter is still not resolved through the first three levels of dispute resolution, the individual may invoke his or her right to binding arbitration, with arbitration decisions reviewable and enforceable in the Federal District Court with jurisdiction over the U.S. entity. With respect to human resources data, companies will be required to cooperate with the EU Data Protection Authorities.
Companies should approach the Privacy Shield with optimistic skepticism and patience. Companies cannot immediately rely on the Privacy Shield and may begin certifying to it only if and when: (i) the full body of EU privacy regulators (the Article 29 Working Party) reviews the Privacy Shield and recommends it for approval by the European Commission; (ii) the European Commission formally adopts a decision recognizing the Privacy Shield as a means of legitimizing the transfer of EU citizens' data from the EU to the U.S.; and (iii) the College of EU Commissioners formally adopts it. It is difficult to know when a formal decision may be made, but we expect a decision before June, 2016. Simultaneously, the U.S. will need to implement the new Privacy Shield framework and develop a certification process for participating companies. The Privacy Shield will be reviewed annually by the EU Commission and will also need to withstand any potential challenges from EU citizens similar to the court challenge that led to the invalidation of the Safe Harbor. It would not surprise us if the Privacy Shield faces legal challenges immediately upon its implementation.
We will continue to analyze the new Privacy Shield and publish further updates and guidance as things progress.