Data Privacy Alert
E.U.-U.S. Privacy Shield Goes Live August 1, 2016
The E.U.-U.S. Privacy Shield Framework was formally approved July 12, 2016 when
the E.U. Commission deemed the Privacy Shield Framework “adequate” to enable
data transfers under E.U. law. U.S. businesses that meet the Privacy Shield
requirements can self-certify online beginning August 1. U.S. businesses processing
E.U. customer or employee data, or with plans to do so in the near future, should
consider Privacy Shield certification.
What is the E.U.-U.S. Privacy Shield?
The E.U.-U.S. Privacy Shield Framework provides U.S. businesses with a mechanism
to comply with E.U. data protection requirements when transferring personal data
of E.U. customers or business partners from the E.U. to the U.S. The program is
operated by the U.S. Department of Commerce and includes data privacy Principles
that self-certifying organizations agree to follow when processing the personal data
of E.U. citizens. Certifying to Privacy Shield means your E.U. customers and business
partners will know that your organization provides adequate data privacy
protections.
Privacy Shield replaces the prior Safe Harbor Framework that was deemed “invalid”
in October 2015. Organizations that were certified under Safe Harbor must still
self-certify under Privacy Shield. In comparison to Safe Harbor, Privacy Shield is
more restrictive. For example, under Privacy Shield, participants must include more
detail in their privacy policies on data processing, must provide free and accessible
dispute resolution for privacy complaints, must cooperate with the Department of
Commerce by responding to inquiries and requests for information when asked,
must limit data collection to the information relevant to the purposes stated in the
privacy policy, and are accountable for data transferred to a third party.
How Does Certification Work?
To join the Privacy Shield Framework, a U.S.-based organization will be required to
self-certify to the Department of Commerce (via website) and publicly commit to
comply with the Framework’s requirements. While joining the Privacy Shield
Framework is voluntary, once an eligible organization makes the public
commitment to comply with the Framework’s requirements, the commitment will
become enforceable under U.S. law.
In order to be certified under Privacy Shield, U.S. businesses should follow these
steps, with the assistance of privacy counsel if necessary:
1. Review the Privacy Shield Principles and Supplemental Principles;
2. Assess internal privacy practices and procedures and public-facing privacy
policy for compliance with Privacy Shield Principles;
3. Update and revise privacy policy and internal practices and procedures, as
necessary;
4. Create a separate privacy policy for transferring employee data to the U.S., if
necessary;
5. Choose and apply for participation with a dispute resolution mechanism;
6. Complete the online certification application with the U.S. Department of
Commerce;
7. Review and revise third-party vendor contracts to meet Privacy Shield
requirements.
Companies that certify to Privacy Shield in the first two months will have a
nine-month “grace period” to update third-party contracts to comply with Privacy Shield.
Companies certifying after the first two months will be expected to use compliant
third-party contracts immediately upon certification.
Are There Alternatives to Privacy Shield?
As an alternative to Privacy Shield, U.S. businesses processing E.U. data may still use
the E.U. Model Clauses (for certain B2B transactions), Binding Corporate Rules (for
internal transfers), or obtain individual user consent (for B2C), but at least one of
the available mechanisms should be in place to legally transfer E.U. citizen data to
the U.S. Since Privacy Shield requires downstream vendors to follow the Principles,
companies choosing to forgo Privacy Shield may still have to agree to the Principles
in contracts with Shield-certified businesses.
Regardless of the mechanism selected, the new E.U. General Data Protection
Regulation (GDPR) as of May 2018 will cover all businesses processing E.U. data or
doing business with E.U. consumers, even if the business is based outside the E.U.
So, adhering to E.U. data protection requirements will soon become a regular cost of
doing business for U.S. businesses with E.U. customers and business partners.
For More Information
If you are considering self-certifying to Privacy Shield, or need additional
information on data privacy requirements, please contact our privacy counsel,
Christine Zebrowski. Christine regularly advises clients on U.S. and E.U. data
privacy requirements, privacy policies, and Privacy Shield. You can reach Christine
by email at czebrowski@outsidegc.com or by phone at 202-425-6711.
