As of August 1, 2016, U.S. companies can now self-certify compliance to the EU-U.S. Privacy Shield ("Privacy Shield") to the U.S. Department of Commerce (see https://www.privacyshield.gov/welcome). Privacy Shield is a new legal mechanism that provides "adequate protection" within the meaning of EU data protection laws for transatlantic data flows to the United States. Privacy Shield replaces the U.S.-EU Safe Harbor Arrangement ("Safe Harbor") as a key mechanism for EU to U.S. data transfers, as the European Court of Justice ("CJEU") had invalidated the European Commission's finding of adequacy for Safe Harbor in its Schrems decision on October 6, 2015.
Privacy Shield provides U.S. organizations and their European business partners with a key additional option to address the EU restrictions on personal data flows. More fundamentally, Privacy Shield helps reduce the broader risks for all EU to U.S. data transfers in the wake of the Schrems ruling. Specifically, Schrems had invalidated the Safe Harbor adequacy decision primarily on the basis of the CJEU's privacy concerns about national security surveillance in the U.S. Although the CJEU's decision focused on the specifics of the adequacy decision, and on its view that the Commission's decision did not, as a procedural matter, adequately protect against U.S. government surveillance, the CJEU's underlying concerns about U.S. government surveillance arguably would apply equally to other mechanisms for transfers that are subject to the same U.S. law and policy, such as model contracts and binding corporate rules, and also to many other countries' surveillance practices, including those of EU member states (for more, see our Global Surveillance Law Survey). The Privacy Shield documents provide an updated description of the law and policy in the U.S. on government surveillance, which is more privacy-friendly than the prior circumstances contemplated by the CJEU at the time of Schrems. Privacy Shield also includes new procedural features, including the establishment of a U.S. State Department Ombudsperson to hear complaints about national security practices, to help address these concerns. Taken together, these elements assure a more robust framework of privacy protections in the context of U.S. government surveillance.
Since Schrems, many EU and U.S. organizations have made or are making important strategic decisions about how to approach EU to U.S. data transfers. In particular, many U.S. organizations participating in Safe Harbor have adopted model contracts, initiated the process of applying for binding corporate rules, and taken other approaches to addressing cross-border data transfers. Depending on the specific circumstances, these organizations may now consider the potential advantages and disadvantages of Privacy Shield. The analysis should take into account factors outside Privacy Shield, such as the challenges to the decisions on model contracts at the CJEU, as well as the increased compliance burden under the General Data Protection Directive (effective May 2018) and other factors.
For a full summary of the Privacy Shield decision, its commercial privacy requirements, the steps necessary to join, the benefits to early self-certification to Privacy Shield, some thoughts from a European perspective, and the next steps on the legacy Safe Harbor framework, please see our longer form client alert here. Below, we summarize key elements companies may wish to consider when evaluating whether to self-certify to Privacy Shield.
What factors should U.S. companies consider when deciding whether to join Privacy Shield?
As with other legal and risk decisions, there is no one-size-fits-all answer to whether a U.S. company should join Privacy Shield.
Factors that may generally support a determination to join would include elements such as:
- significant online collections directly from EU consumers that may be difficult to address reliably through model contracts or other mechanisms;
- the U.S. company already had a Safe Harbor program that could serve as a baseline for a Privacy Shield program;
- the U.S. company is a service provider to EU corporate and commercial customers, such that Privacy Shield may help facilitate the customer contracting process and/or assure broader coverage for customer data transfers;
- the U.S. company is having difficulty assuring full coverage of its EU to U.S. transfers under model contracts or other mechanisms; and
- the U.S. company has regulatory disclosure obligations that could be challenging to meet under model contracts or other solutions, among other factors.
Factors that may generally support a determination not to join Privacy Shield, or to consider joining later, include elements such as:
- the U.S. company already has a complete model contract, binding corporate rules, or other solution in place for all of its EU to U.S. data transfers;
- the U.S. company is concerned that it may not be able to comply with the Privacy Shield rules; and
- the U.S. company has operations in Europe that engage in significant data transfers from the EU to non-U.S. rest of world (ROW) locations, such that the U.S. company will need to implement other solutions in any event, such as binding corporate rules, to cover the EU to ROW transfers.
For some U.S. companies, it may make sense to choose more than one data transfer mechanism, e.g., to cover different types of data flows or to help protect against the ongoing risk of legal challenges to Privacy Shield, model contracts, and other cross-border data transfer mechanisms.
As noted above, there is no single solution for all companies, and each organization should take into account its individual circumstances to arrive at the best approach for that organization. Please feel free to reach out to the contacts below or your usual Baker & McKenzie partner for assistance with these important cross-border data transfer issues.