The manner in which U.S. companies are required to handle personal data is about to change dramatically for organizations that have customers, employees, or partners in Europe. The United States and the European Union have recently published details of their highly anticipated new "Privacy Shield" agreement. The agreement is designed to ensure that personal information of Europeans is protected when U.S. companies import that data to the U.S.

The new scheme will require companies to implement revised privacy policies that conform to the new rules and, further, compel them to institute tighter restrictions on sharing data with third parties. The new law will also provide Europeans with expanded powers to mount legal challenges if they feel their data has been misused by U.S. companies.

This new deal is intended to replace the earlier "EU-US Safe Harbor" framework, which was struck down by the Court of Justice of the European Union (CJEU) in October 2015 following a complaint by privacy activist Max Schrems. That ruling invalidated the Safe Harbor framework as the basis for the secure transfer of personal data from the European Union to the United States. In an instant, the rules under which U.S. companies had operated for 15 years were suddenly gone. Since October, U.S. companies have been scurrying to conform with alternative EU data-transfer mechanisms, such as instituting "binding corporate rules" and "model clauses" in their contracts, which companies complain are inflexible, onerous and ill-suited to address their business needs. The new Privacy Shield promises to correct these issues, but it will also usher in a new, more restrictive framework that may prove challenging to comply with.

How does it work? 

Generally, here is how the Privacy Shield will work. U.S. companies will register to be on the Privacy Shield List and self-certify that they meet its requirements. This certification procedure must be done each year. Companies will also have to pledge not to collect more personal information than what they need for their business purpose. The U.S. Department of Commerce will have authority to monitor and actively verify those companies' privacy policies. Privacy Shield participants must be prepared to respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield framework, including providing documentation of their compliance. Failure to comply with the new rules may result in sanctions or exclusion from the Privacy Shield.

Under the new law, companies will also have to resolve complaints by European citizens within 45 days. A no-charge Alternative Dispute Resolution solution will be available in the U.S. for the benefit of European citizens. Europeans will also be able to alert their local European Data Protection Authorities (DPAs), who will work with the Federal Trade Commission (FTC) to make sure their complaints are properly investigated and resolved. Companies will further have to update their privacy policies to explain how people can access these services. Ultimately, if none of this resolves the complaint, there will be a Privacy Shield Panel that can issue binding decisions against U.S. firms.

The new rules also tighten conditions for transfers to third parties by U.S. companies. For many companies whose data storage and processing are often outsourced to vendors, this will require additional due diligence and safeguarding, because U.S. companies serving European customers will remain responsible for the data even when it is transferred to those subcontractors.

What's Next?

The Privacy Shield will not come into force until the European Commission has adopted an "adequacy finding"— a declaration that the safeguards provided under the new Privacy Shield scheme are equivalent to data protection standards in the EU. It is not a sure thing that EU regulators will give their final approval to the Privacy Shield as drafted. Any agreement must move through proper channels before it becomes binding law, and an increasing number of critics are already voicing displeasure, questioning whether the agreement will withstand scrutiny by the CJEU. European Commissioner for Justice Věra Jourová said that she believes the implementation of the Privacy Shield regime will take three months.

The Department of Commerce and other agencies have significant work to do to install the new framework, including creating new monitoring mechanisms. Commerce Secretary Penny Pritzker said that the Commerce Department will soon be offering a series of briefings for companies on the details of the agreement, and that there will be a transition period to allow companies to undertake compliance efforts and implement any changes necessary under the new regime.

What Should You Do?

While U.S. companies anxiously await approval of the Privacy Shield, they should continue to abide by EU law. Simply waiting for the Privacy Shield to become law may not be a wise strategy. Regulators in Germany have already started cracking down on U.S. companies that are continuing to transfer Europeans' data under the defunct Safe Harbor agreement. Further, if the EU privacy regulators reject the Privacy Shield, or cause additional delay in its enactment, it will present a host of new challenges for U.S. companies that do business in Europe and that have not adapted to its changing legal landscape.

Currently, neither the Safe Harbor framework nor the Privacy Shield program creates a legitimate basis for the transfer of personal data from the EU to the United States. While the announcement of the agreement may give some European regulators reason to hold off on enforcement or other measures, there is still the expectation that some will approach companies that have been using the Safe Harbor to assess whether alternative legitimate bases are now used for EU-to-U.S. data transfers. Consequently, companies that have been using the Safe Harbor need to analyze and implement alternative mechanisms going forward, at least until a new agreement is reached. The primary alternatives include:

Model Contracts. The EU Model Contracts provide a set of standard clauses, approved and published by the EC, for the transfer of personal data between an EU data controller and a U.S. data controller or between an EU data controller and a U.S. processor (i.e., vendor). However, model contract clauses cannot be altered. The current advantage of this option is that the model clauses are based on a valid decision of the EC, which must be presumed to be lawful. Consequently, many companies have chosen this as the preferred approach.

Binding Corporate Rules ("BCRs"). BCRs are internal company regulations governing how the flow of personal data is organized and the rights of concerned individuals are protected. BCRs can be adapted to the specific needs of the company, but are subject to governmental approval, which is a complicated process that typically has taken years (as a result, only a small number of companies have adopted BCRs). Moreover, the German authorities are currently very reluctant to approve BCRs.

Notice and Consent. Providing clear notice and obtaining the unambiguous and explicit consent of the individuals whose personal data is being transferred remains a viable strategy for complying with data transfer rules. However, we recognize that this is not always the most practical solution, as consent can be difficult to obtain in certain circumstances, and some European DPAs (e.g., Germany) discourage use of consent in certain situations.

As described above, both the U.S. and the EU have significant work to do to finalize the EU-U.S. Privacy Shield regime and give it the force of law. These data privacy laws are complex and ever-evolving. Over the coming months, we will continue to provide updates as developments warrant. Because the implementation of some form of the Privacy Shield is inevitable, we encourage you to sit down with us to map out an approach that will prepare you for this new law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.