Under the EU Data Protection Directive, all transfers of personal data from the European Economic Area (EEA) to the United States are considered prima facie unlawful unless there is an appropriate level of protection for the rights and freedoms of data subjects.
From 2000 through 2015, an agreement between the U.S. Department of Commerce and the European Commission, known as the “Safe Harbour Principles,” provided this “appropriate level of protection.” In other words, U.S. organizations that participated in the Safe Harbour Framework could import personal data from the EEA without violating EU Data Protection Law.
On October 6, 2015, however, the European Court of Justice (CJEU), responding to privacy concerns, effectively invalidated the Safe Harbour Framework. On February 2nd, 2016, the European Commission announced that it had reached a new agreement to replace Safe Harbour. This agreement, called the “EU-US Privacy Shield,” took effect on July 12, 2016.
Reasons to Join the Privacy Shield
U.S. organizations that regularly import personal data from EEA entities should strongly consider joining the Privacy Shield Framework. A U.S. subsidiary of a German parent, for instance, may wish to regularly receive data from the German parent that constitutes “personal data.” By joining the Privacy Shield, the U.S. subsidiary will be able to receive personal data from the EEA without fear of violating EU Data Protection Law and without the need to execute a new contract for each individual transaction.
The benefits of joining the Privacy Shield vastly outweigh the costs. In exchange for undergoing a relatively simple “Self-Certification” process and paying relatively low initial and annual fees, a U.S. organization will obtain “peace of mind” (i.e., the knowledge that it can freely receive personal data from the EEA without fear of legal repercussions) and greater efficiency (i.e., there will no longer be a need to execute a contract for each individual transaction). In this sense, the time and costs associated with joining the Privacy Shield should be thought of as a minor investment with a great return.
The “Self-Certification” Process
U.S. organizations are not required to join the Privacy Shield. If they choose to join, however, they will be obligated to abide by its strict terms regarding data protection and privacy.
To gain the protections of the Privacy Shield, U.S. companies must “Self-Certify” annually to the U.S. Department of Commerce that they will adhere to the “Privacy Shield Principles,” a detailed set of requirements based on the principles of: Notice; Choice, Access; and Accountability for Onward Transfer.
Specifically, organizations should take the following steps:
- Confirm the organization’s eligibility to participate in the program;
- Develop a Privacy-Shield compliant “Privacy Statement;”
- Identify an “Independent Recourse Mechanism;”
- Ensure that this mechanism is in place;
- Designate a contact within the organization for Privacy Shield-related matters; and
- Submit the organization’s “Self-Certification” through the ITA website.
As an incentive for U.S. organizations to quickly join the new framework, the ITA determined that organizations that self-certified on or before September 30th, 2016 would be given an additional nine-month grace period to bring pre-existing contracts with third parties into compliance with “Onward Transfer” requirements.
As of the publication of this InfoDOC, the September 30th deadline has passed. Even though the September 30th deadline has passed, U.S. organizations may still self-certify to the Privacy Shield and gain full advantage of its protections.
The only practical difference is that, before organizations can upload their self-certification, they must ensure that existing contracts with third parties are in compliance with the “Onward Transfer” Principle.
At legitimis, we have the knowledge and experience to guide U.S. organizations though the Self-Certification process. If you are ready to take the next step in meeting your data privacy needs, we are ready to help.