EU Adopts New Privacy Shield for Data Transfers to U.S.

John M. Conley
Robinson Bradshaw Publication
July 15, 2016

On July 12, 2016, the European Union announced that it had formally adopted the long-awaited EU-U.S. Privacy Shield to permit the transfer of personal data from EU countries to the United States. Until late 2015, U.S. companies could receive transfers of personal data (defined very broadly to include any data relating to an identifiable person) about EU citizens in three ways: by signing up for the U.S. Department of Commerce’s Safe Harbor Program, by obtaining the consent of the data subjects, or by using, without any modification, the protective contractual provisions approved by the EU (the standard contractual clauses). Then, in its October 2015 Schrems decision, the Court of Justice of the European Union (CJEU) struck down the Safe Harbor. The Privacy Shield is intended to replace the Safe Harbor. The other two means of data transfer remain available.

In Schrems, the CJEU was not concerned about the behavior of private businesses. The issue, rather, was U.S. government surveillance of personal data in the wake of the Snowden revelations. Consequently, most of the EU-U.S. negotiations have concerned limiting and monitoring governmental access to data. Private businesses that have used the Safe Harbor will see few significant changes in what they have to do to comply.

The Privacy Shield mechanism will be the same as under Safe Harbor: U.S. businesses must certify annually to the U.S. Department of Commerce that their privacy practices comply with Privacy Shield principles. Companies may begin self-certifying on August 1. In response to EU complaints about lax Safe Harbor oversight, the Department of Commerce is supposed to conduct regular compliance reviews of self-certifying companies, with defaulters facing removal from the list and as-yet unspecified sanctions. As under the Safe Harbor, participating U.S. companies must be under the jurisdiction of the Federal Trade Commission (or one of a few other specified federal agencies), so nonprofits are generally ineligible.

Substantively, the Privacy Shield principles amount largely to a stronger statement of their Safe Harbor counterparts. U.S. companies must display their privacy policies on their website. Among other things, a Privacy Shield-compliant company must offer people the opportunity to opt out of disclosure to third parties or use of their data for purposes other than that for which it was originally collected; must take reasonable and appropriate security measures; must take reasonable steps to ensure that the data is reliable; and must offer data subjects access to their data and the ability to correct or delete inaccurate data.

A few things are new. Most significantly, a U.S. Privacy Shield company that receives EU data can transfer it to a third party (regardless of whether the recipient is Privacy Shield-compliant) only under a contract that ensures Privacy Shield-level protections for the data after transfer. In addition, Privacy Shield companies must offer EU citizens free alternative dispute resolution by an independent provider in the EU or United States.

A couple of post-Privacy Shield uncertainties loom. The EU’s new General Data Protection Regulation (GDPR) is expected to take effect in May 2018. Since the GDPR’s privacy protections are stricter than those of the Privacy Shield, U.S. Privacy Shield companies should expect more onerous privacy obligations when the GDPR comes into force. Another possible variable is what the United Kingdom will do with its privacy laws—currently governed by EU law—once Brexit is final. Presumably, the UK will maintain EU-level protections to facilitate commerce with the continent, but that remains to be seen.

This alert is intended only as a summary of the most significant provisions of the Privacy Shield. Robinson Bradshaw's Intellectual Property and Technology Practice Group members are available to help companies work through the many details.