The EU-U.S. Privacy Shield has passed its first test: the first joint annual review. If your organization has been waiting for a positive review of the Privacy Shield to join, now is a good time to consider moving forward.
The European Commission and the U.S. Department of Commerce conducted the first joint annual review of the Privacy Shield in September. The joint annual review helps ensure that the Privacy Shield remains “adequate” under EU data protection law over time. The European Commission’s published report following the review generally expresses support for the Privacy Shield—with some noted opportunities for improvement, including increased enforcement activity and efforts to raise awareness among EU residents of their Privacy Shield rights.
The Privacy Shield’s positive review is welcome good news during a time of uncertainty for the long-term future of EU-U.S. data transfers. On October 3, the Irish High Court decided to forward the question of the lawfulness of EU-U.S. transfers under Standard Contractual Clauses to the Court of Justice of the EU (“CJEU”). The Irish High Court’s decision is part of the second act in the Schrems dispute with Facebook that previously resulted in the CJEU invalidating the U.S.-EU Safe Harbor in October 2015. While waiting for a decision from the CJEU, organizations that are concerned about the long-term usefulness of Standard Contractual Clauses should begin considering alternatives, such as the Privacy Shield and Binding Corporate Rules as appropriate.
The positive review does not mean that the Privacy Shield is unassailable going forward, and legal challenges to the Privacy Shield are still expected. However, the Commission’s continued endorsement of the Privacy Shield is a good sign for currently participating organizations and for other organizations planning to use the Privacy Shield to meet cross-border transfer obligations by May 25, 2018, when the GDPR and its maximum fines (up to 20 million EUR or 4% worldwide annual turnover, whichever is higher) take effect.
For participating companies or those considering participation, the Commission’s report also underscores the importance of taking the Privacy Shield’s requirements seriously, as the Commission signaled its intent to continue putting pressure on the U.S. to enforce the Privacy Shield. The report calls for the Department of Commerce to proactively search for false claims of participation in the Privacy Shield and to increase U.S. efforts to monitor the compliance of participating organizations with the Privacy Shield. Increased compliance monitoring may range from sending a sample of participants a compliance questionnaire, focused on a particular area of concern (e.g., data retention, onward transfers), to mandating annual compliance reports from participating organizations.
Privacy Shield applicants, as well as existing participants, should also be aware of the recently mandated arbitral fund contribution. The required contribution, the amount of which is determined based on revenue, will help fund arbitrations under the Privacy Shield. New Privacy Shield applicants have been required to pay the contribution since September. Existing participants are also required to pay the new fee, but on October 30, the International Trade Administration extended the deadline for payment by current participants to December 1, 2017.