Many technology and digital media companies operate without borders in today's global economy. They have employees and customers on both sides of the Atlantic. Recent developments in the laws governing the transfer of personal information (also known as “personal data” or “personally identifiable information”) from the European Union to the United States have made such borderless operations more challenging.
For those who have not been following these developments: The uncertainty surrounding EU-U.S. data privacy relations culminated on October 5, 2015 when the European Court of Justice (ECJ) invalidated the Safe Harbor framework. Because the EU has decided that U.S. laws do not provide an "adequate level of protection" for EU personal data, self-certifying under the Safe Harbor framework was one of the few legal methods available for companies to bring EU personal data to the U.S. “Personal data” has a broad definition under EU law and includes any information relating to an identified or identifiable natural person. In the aftermath of the ECJ’s invalidation of the Safe Harbor framework, officials in the U.S. (including the U.S. Department of State and the Federal Trade Commission) accelerated the pace of their negotiations with European Commission officials to reach a new Safe Harbor arrangement, a process that had begun a year before the invalidation decision.
The New Privacy Shield
These negotiations resulted in the new “Privacy Shield” framework. As of August 1, 2016, U.S. companies can self-certify their compliance with EU data privacy laws by filing with the U.S. Department of Commerce under the new Privacy Shield framework at www.privacyshield.gov. Companies that previously transferred data under the Safe Harbor framework or those that are subject to the jurisdiction of the Federal Trade Commission or Department of Transportation should take this moment to consider two fundamental questions:
- Do our business operations (including human resources management) involve the transfer of personal data from the EU to the U.S.? If your company is transferring data relating to individuals, from servers in the EU to servers in the U.S., you are likely implicating EU data privacy laws and, as such, are under an obligation to offer “adequate protection” for the data. Other types of transfer may also trigger the application of EU data privacy laws.
- Is the Privacy Shield the optimal means for complying with EU privacy law for our company? The Privacy Shield is not the only means of protecting personal data during transatlantic transfers. Other options include obtaining individual consent or implementing model contract clauses or binding corporate rules regarding data transfer. Each method has its benefits and its drawbacks. The appropriate type of protection will depend, in large part, on the size and complexity of a company, along with the nature and frequency of its transatlantic data transfers. More on each of these non-Privacy Shield options for transatlantic transfers of personal data can be found here.
Companies that answer “yes” to both of these questions should prepare for Privacy Shield certification sooner rather than later, as companies must take a number of actions before self-certifying, including:
- Adopting Privacy Policies that Reflect the Privacy Shield Principles.1 Such policies, among other things, must mandate certain safety measures for the handling of personal data, give individuals notice that their data will be transferred, and offer individuals a chance to opt out of transfers of sensitive materials. These privacy policies must be published in a publicly available location, including a website.
- Creating an Independent Recourse Mechanism. Any company seeking to self-certify must provide free arbitration of any unresolved privacy complaints by an independent organization (e.g., TRUSTe, the American Arbitration Association, Judicial Arbitration and Mediation Service, or the Direct Marketing Association).
- Designating a Contact Person within the Organization. One person within the company must be designated to respond to privacy questions, complaints, access requests and other issues arising under the Privacy Shield.
- Establishing a Verification Mechanism. The company must provide plans for an internal or external “verification mechanism” — essentially, an audit — that monitors policies and their implementation for compliance with the Privacy Shield Principles.
For many companies, the preparation, filing and ongoing compliance required to participate in the Privacy Shield will constitute a significant investment. However, that investment may be worthwhile because it presents the most efficient means of maintaining compliance with EU data privacy law.
1 The Privacy Shield Principles are (1) Notice; (2) Choice; (3) Accountability for Onward Transfer; (4) Security; (5) Data Integrity and Purpose Limitation; (6) Access; and (7) Recourse. You can find more information on these principles and the sixteen supplemental Privacy Shield Principles at https://www.privacyshield.gov/EU-US-Framework