The manner in which U.S. companies are required to handle personal data is about to change dramatically for organizations that have customers, employees or partners in Europe. The United States and the European Union (EU) have recently published details of their highly anticipated new Privacy Shield agreement. The agreement is designed to ensure that personal information of Europeans is protected when U.S. companies import that data to the United States.
The new scheme will require companies to implement revised privacy policies that conform to the new rules and further, compel them to institute tighter restrictions on sharing data with third parties. The new law will also provide Europeans with expanded powers to mount legal challenges if they feel their data has been misused by U.S. companies.
This new deal is intended to replace the earlier EU-US Safe Harbor framework, which was struck down by the Court of Justice of the European Union (CJEU) in October 2015 following a complaint by privacy activist Max Schrems. That ruling invalidated the Safe Harbor framework as the basis for the secure transfer of personal data from the EU to the United States. In an instant, the rules under which U.S. companies had operated for 15 years were suddenly gone. Since October, U.S. companies have been scurrying to conform with alternative EU data-transfer mechanisms, such as instituting “binding corporate rules” and “model clauses” in their contracts, which companies complain are inflexible, onerous and ill-suited to address their business needs. The new Privacy Shield promises to correct these issues, but it will also usher in a new, more restrictive framework that may prove challenging to comply with.
Broadly speaking, here is how the Privacy Shield will operate. U.S. companies will register to be on the Privacy Shield list and self-certify that they meet its requirements. This certification procedure must be done each year. Companies will also have to pledge to not collect more personal information than they need for their business purpose. The U.S. Department of Commerce will have authority to monitor and actively verify those companies’ privacy policies. Privacy Shield participants must be prepared to respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield framework, including providing documentation of their compliance. Failure to comply with the new rules may result in sanctions or exclusion from the Privacy Shield.
Under the new law, companies will also have to resolve complaints by European citizens within 45 days. A no-charge alternative dispute resolution mechanism will be available in the United States for the benefit of European citizens. Europeans will also be able to alert their local European Data Protection Authorities (DPAs), who will work with the Federal Trade Commission (FTC) to make sure their complaints are properly investigated and resolved. Companies will further have to update their privacy policies to explain how people can access these services. Ultimately, if none of this resolves the complaint, there will be a Privacy Shield panel that can issue binding decisions against U.S. firms.
The new rules also tighten conditions for transfers to third parties by U.S. companies. For many companies whose data storage and processing are often outsourced to vendors, this will require additional due diligence and safeguarding because the U.S. companies serving European customers will remain responsible for the data, even when it is transferred to those subcontractors.
The Privacy Shield will not come into force until the European Commission has adopted an “adequacy finding,” a declaration that the safeguards provided under the new Privacy Shield scheme are equivalent to data protection standards in the EU. It is not a sure thing that EU regulators will give their final approval to the Privacy Shield as drafted. A formal announcement from the EU is expected soon, but none had been made by the time of publication.
While U.S. companies anxiously await approval of the Privacy Shield, they should continue to abide by EU law. Simply waiting for the Privacy Shield to become law may not be a wise strategy. Regulators in Germany have already started cracking down on U.S. companies that are continuing to transfer Europeans’ data under the defunct Safe Harbor agreement. Further, if the EU privacy regulators reject the Privacy Shield, or cause additional delay in its enactment, it will present a host of new challenges for U.S. companies that do business in Europe and that have not adapted to its changing legal landscape.
These data privacy laws are complex and ever-evolving. Clients and lawyers alike should consult with specialized counsel to ensure that they are prepared for these changes.

Jon Breyer