The European Commission (EC) has released details of the EU-U.S. Privacy Shield, a new framework under which personal data may be transferred from the European Union (EU) to the United States. The Privacy Shield replaces the Safe Harbor framework, which was invalidated by the Court of Justice of the European Union in October 2015. To join the Privacy Shield framework, U.S. companies must self-certify that they are compliant with a set of privacy principles. These principles are more granular than the principles set forth in the Safe Harbor and, for many companies, will require significant work to ensure compliance.

Under the Privacy Shield, participating U.S. companies must provide a detailed disclosure of their collection and use of information collected from individuals, including:

  • The purposes for which personal information is disclosed to third parties

  • The right of individuals to access their personal data

  • The independent dispute resolution body designated to address complaints

  • The fact that the company is subject to the investigatory and enforcement powers of the FTC or any other U.S. authorized statutory body

  • The fact that the company is required to disclose personal information in response to lawful requests by public authorities and the company's liability in cases of onward transfers to third parties

  • The possibility for individuals to invoke binding arbitration.

If requested in the course of a regulatory investigation, U.S. companies will be required to make available their records on the implementation and compliance with Privacy Shield requirements. U.S. companies transferring data to a third-party processor must have contracts in place that protect personal data of EU citizens. The Privacy Shield also includes provisions to ensure continuity of privacy protections in the event of a corporate merger or takeover.

In addition to being more granular than the Safe Harbor, the Privacy Shield includes increased mechanisms for ensuring compliance. More specifically:

  • Under the Privacy Shield, companies are obligated to respond to individuals’ complaints within 45 days and to comply with advice from the relevant EU data protection authorities (DPAs)

  • Companies must also provide free-of-charge alternative dispute resolution mechanism for resolving individuals' complaints

  • The Federal Trade Commission (FTC) will make enforcement of the Privacy Shield a high priority and will enforce violations of the Privacy Shield requirements as an "unfair or deceptive act or practice" under Section 5 of the FTC Act

  • The Department of Commerce (DOC) will monitor false claims regarding participation in the Privacy Shield and issue warnings and other corrective actions, including pursuing legal recourse and referring matters to the FTC, Department of Transportation, or other enforcement agencies;

  • DOC will conduct periodic compliance reviews and assessments of the Privacy Shield program

  • DOC will establish a dedicated contact for EU DPA complaints, and must respond to such complaints within 90 days

  • DOC will also establish an arbitration mechanism to be conducted by a Privacy Shield Panel whose decisions will be binding against certified companies

  • DOC, FTC, and other agencies will hold annual meetings with the European Commission and DPAs to discuss the Privacy Shield

  • The Department of State will appoint an independent ombudsman to address complaints and inquiries regarding any access of personal data for national security purposes.

Before it goes into effect, the Privacy Shield will need to be approved by the Article 29 Working party (expected to occur in mid-April) and by the EU College of Commissioners, which will likely not occur until at least summer of 2016. Companies that transfer personal information from the EU to the United States and intend to use the Privacy Shield should consider taking steps now to comply with the framework, as such steps may require significant work. One such step is amending existing privacy policies to comply with the enhanced notice requirement. In addition, companies that do not have written policies and procedures that could be used to attest compliance with the Privacy Shield principles should consider drafting such policies now, or amending existing policies.

Attorneys in Ballard Spahr's Privacy and Data Security Group regularly work with American and multinational companies with businesses in Europe on structuring and properly documenting their cross border data transfers. We also assist in drafting privacy policies, third party vendor agreement and information security policies and procedures as may be necessary to comply with the requirements of the Privacy Shield.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.