Following European Commission adoption of the Privacy Shield on July 12, 2016, and with Privacy Shield self-certification poised to open for business organizations on August 1, 2016 as a replacement for the invalidated EU-U.S. Safe Harbor mechanism, U.S. businesses are actively evaluating the commitments they will need to make to self-certify (and to annually re-certify) under the Privacy Shield in order to receive personal data from the EU. There are important considerations in evaluating self-certification under the Privacy Shield, including the financial and time costs of self-certification. For example, a Privacy Shield-compliant privacy policy statement must be effective and publicly available before certification, and other oversight and enforcement mechanisms must be in place to ensure compliance with the Privacy Shield’s privacy principles. Furthermore, U.S. organizations must have written agreements with onward recipients of personal data guaranteeing the same level of protection as the organization itself self-certifies to under the Privacy Shield Principles, which requires negotiating those separate agreements. A nine-month grace period is available to organizations that self-certify within the first two months after the Privacy Shield effective date, a powerful incentive for organizations with a substantial number of pre-existing third-party commercial relationships to self-certify early.
Still, despite the additional burdens imposed on self-certifying businesses, the Privacy Shield is likely to face legal challenge from privacy advocates in the EU who consider the Shield, adopted in response to the European Court of Justice (“ECJ”) decision in October 2015 invalidating the Safe Harbor, inadequate protection for personal data. In the meantime, the EU Standard Contractual Clauses (the “Model Clauses”), another mechanism by which personal data can be lawfully transferred outside the EU, are the subject of a complaint being reviewed by the ECJ. Against that backdrop, should companies with Model Clauses already in place self-certify under the Privacy Shield? Should the Privacy Shield replace the use of Model Clauses, or instead buttress it? There are also steps EU organizations can take to protect themselves against a successful challenge to either the Model Clauses or the Privacy Shield. Finally, for businesses operating in the UK, the Brexit vote creates uncertainty about whether the Privacy Shield mechanism will be available to them, depending on when and how UK withdrawal from the EU occurs. The UK will likely need to take certain actions to continue benefiting from the Privacy Shield following its withdrawal from the EU.
Bruce Buchanan contributed to this article.