Nearly 2,000 organizations are now listed as self-certified to the EU-U.S. Privacy Shield on the Department of Commerce’s (“Commerce”) Privacy Shield website. Given current developments on both sides of the Atlantic, there are likely to be significant Privacy Shield developments in the coming months.
EU Justice Commissioner Věra Jourová recently concluded her visit to the U.S. to meet with Trump Administration officials and others regarding the status of the Privacy Shield. During her visit, Commissioner Jourová spoke about the importance of the Privacy Shield as a framework with “enormous potential to strengthen the transatlantic economy and reaffirm our shared values.” She also met with Commerce Secretary Wilbur Ross to discuss the Privacy Shield, and announced that the first annual joint review will occur in September, which she indicated would be “an important milestone where we need to check that everything is in place and working well.”
During Commissioner Jourová’s visit, the European Parliament passed a resolution which was critical of certain elements of the Privacy Shield, and called on the EU Commission to review and address the critiques during the upcoming annual review. The resolution acknowledged that the Privacy Shield contains “significant improvements” compared to the prior Safe Harbor framework, but stressed that “important questions remains as regards commercial aspects, national security and law enforcement” under the Privacy Shield. Commissioner Jourová has indicated that the annual review will solicit input from companies about requests they have received from the U.S. government for data on EU citizens.
Prior to the annual review in September, there are a couple of important Privacy Shield dates to watch. First, the Swiss-U.S. Privacy Shield, which is nearly identical to the EU-U.S. Privacy Shield but covers data transfers from Switzerland as opposed to the EU, will begin accepting self-certifications on April 12. Second, the grace period for organizations that self-certified by September 30, 2016 to conform their contracts with third parties to the Privacy Shield’s onward transfer principles ends by June 30, 2017.
Finally, the U.S. International Trade Administration, the bureau within Commerce that administers the Privacy Shield, announced several upcoming Privacy Shield-related events and training opportunities, including a Privacy Shield panel with U.S. and EU government officials at the upcoming IAPP Global Summit.