On August 1st, the U.S. Department of Commerce will begin accepting applications for Privacy Shield certifications.

For US organizations collecting employee and customer data from the EU, the past year has been an anxious one, as the European Court of Justice invalidated the EU-US Safe Harbor program in October 2015 and the terms of a far-reaching General Data Protection Regulation (GDPR) have been finalized as a replacement of the European Data Protection Directive. Among other things, one of the major impacts of the GDPR – when it takes effect in May 2018 – is that it will apply to U.S. businesses who have no operations or entities in the EU, if they sell to, make services available to, or somehow target data subjects in the EU. So, with the GDPR looming, the issue of cross border data transfers and the significance of the Privacy Shield program for US businesses are likely to become even more relevant.

On July 12, the European Commission and the US Department of Commerce issued the final text of the replacement for the defunct Safe Harbor program. The new program, dubbed Privacy Shield, is effective immediately but will not become truly operational until the Commerce Department starts accepting certifications on August 1, 2016. The new program is also almost certain to be subject to a challenge before the European Court of Justice, and so the long-term viability of Privacy Shield is somewhat uncertain.

The main questions for US-based organizations are: first, how does this final version of Privacy Shield differ from the initial version; second, what practical steps can companies take to prepare for certification; and third, should companies certify to Privacy Shield or rely on an alternative data transfer mechanism, such as standard contractual clauses.

Key Differences Between Privacy Shield and Safe Harbor

As discussed in our prior blog posts about the new program, there are several ways in which Privacy Shield is more than simply an updated version of Safe Harbor.

First, the public-facing statements that companies must make (e.g., in their website privacy policy) must be significantly more detailed. No longer will a simple statement of participation be acceptable. Instead the statement must include clear explanation of compliance with the Privacy Shield principles. In these privacy statements, a company also must describe an individual’s rights under the program, such as how the enforcement body functions, a new arbitration right, and the company’s liability for non-compliant onward transfers.

Second, with respect to onward transfers, the conditions for such data sharing have been tightened. A company only will be able to transfer personal data to a third party for limited, specified purposes consistent with the purposes for collection that the company provided to the individual. Thus, companies will need to include more specific contractual obligations than required under Safe Harbor in their contracts with service providers and other third parties to whom they disclose or transfer personal data. The Commerce Department also has the right to require a company to provide for the Department’s review a summary of the company’s onward transfer contractual provisions. As an incentive to early adopters, those joining Privacy Shield within the first two months will have nine months from certification to bring their partner contracts into compliance.

Third, the Commerce Department and Federal Trade Commission will have greater vetting obligations for applicants, ongoing audit rights, and an FTC ‘wall of shame’ identifying those subject to Privacy Shield violations. This will also include continuing obligations for former Privacy Shield participants, as Commerce and the FTC will continue to monitor the compliant handling of data collected under the program, even after they withdraw from the program.

And fourth, there are new redress avenues for individuals complaining about either a company’s misuse of data collected under Privacy Shield or the US government’s access to or surveillance of personal data.

Changes in the Final Version of Privacy Shield

The European Commission and the Commerce Department negotiated several substantive changes to the Privacy Shield program in response to comments and feedback on the initial version. From a business perspective, some of the more notable changes are the following:

– The Privacy Shield principles have been expanded in some significant ways. For example, while the Data Integrity/Purpose Limitation principles now include details for data retention and compatible uses, the Accountability principle now makes sure that if a third party is unable to apply the same level of protection that the Privacy Shield certified organization has promised, that organization must provide notice of that fact to affected individuals.
– The Privacy Shield, like Safe Harbor before it, applies only to data transfers from the EU to the US and does not affect processing in the EU. This is important because of the 2018 implementation of the GDPR, as that rule will govern data processing within the EU. More to the point, an organization participating in Privacy Shield will still need to conduct a separate analysis of how its operations conform to the GDPR – especially with respect to the processing and transfer of employee data.
– The redress process has been explained in greater detail such that even though there are different avenues for an individual to initiate a complaint, the text makes clear that there is a certain logical order and individuals cannot simply bypass an initial approach to the company itself to discuss concerns.
– The Commerce Department’s role has been expanded, as discussed above, and key to this will be the ability to conduct ongoing audits of program participants. These reviews will typically be via questionnaires, although Commerce will also be able to audit on the basis of specific complaints or other evidence of non-compliance.

Steps to Take in Preparation for Privacy Shield

For Safe Harbor participants that truly treated the program as intended, there will be less proverbial heavy lifting than for those that had a “file it and forget it” mentality. But all companies considering Privacy Shield will benefit from the following steps:

– Develop, maintain and follow a meaningful and compliant privacy policy. The seven privacy principles are largely the same as under Safe Harbor, while the level of detail and content requirements of Privacy Shield will require operational attention to ensure consistency with the promises.
– Secure personal data and ensure the ability to restrict secondary uses. While Privacy Shield does not provide great detail on administrative, technical, or physical safeguards, there are numerous internationally recognized frameworks for doing this. The secondary use restrictions in Privacy Shield will require additional consideration, as any such information would need to be reasonably de-identified before being subject to data analytics or other secondary uses.
– Confirm that existing data sharing agreements with vendors, ecosystem partners and third parties limit data uses to specified purposes.
– Review internal training content to ensure that it reflects updated policy and procedures under the Privacy Shield program.
– Collect the full set of program documentation in preparation for a Privacy Shield application. Contrary to the Safe Harbor program in which application-stage vetting was quite limited, Commerce has committed that it will be significantly more involved to ensure that applicants not only have documentation fulfilling the requirements, but that the applicant properly applies those policies and procedures.

Potential Challenges and Momentum

As discussed in prior blog posts, the Schrems case not only struck down the validity of the European Commission’s adequacy determination approving Safe Harbor, but also bolstered the standing of EU DPAs to challenge the basis of other such mechanisms to transfer personal data from the EU. . In the preamble to the the Commission’s adequacy determination, the Commission made clear that its decisions are as a matter of law binding upon the EU member states, while acknowledging the role that DPAs can play in identifying imperfect implementation by Privacy Shield certificants.

Litigation challenging Privacy Shield is all but certain. Later this month, the Working Party 29 is expected to release its opinion on the final Privacy Shield Program.

But even if the Article 29 group’s issues a positive review, several DPAs – particularly in Germany – are likely to criticize the arrangement and might even argue in favor of invalidation in an ECJ hearing, as they did against the Safe Harbor. Furthermore, Mr. Schrems himself will likely initiate proceedings again.

Some organizations will find this uncertainty about the fate or validity of Privacy Shield to counsel in favor of a wait and see approach. They may, for example, prefer to adopt or continue to use model clauses (for example) over Privacy Shield. However, model clauses must still continue to be submitted to many EU DPAs for prior approval, slowing down their use, and require applying signatures of all affected parties (which can be operationally difficult in some circumstances). Privacy Shield, like Safe Harbor, will reduce this paperwork burden.

Several high-profile companies have already announced their support of and participation in Privacy Shield once it is operational. In the end, we expect that Privacy Shield will be successful if the Commission and the various DPAs work together with the Commerce Department toward the operational effectiveness of the program.