Perspective: Kirton McConkie Law Blog

Privacy Shield: The New Safe Harbor

In the aftermath of the Safe Harbor invalidation, the European Commission and the U.S. Department of Commerce have agreed to a new draft of the “Privacy Shield”.

The first draft Privacy Shield was unveiled in February, but received widespread criticism in Europe. Like its predecessor (Safe Harbor), the new draft of the Privacy Shield allows organizations to efficiently move personal information from EU member states (as well as Iceland, Liechtenstein and Norway) to the United States. However, the Privacy Shield is more complex than Safe Harbor—it contains more provisions and introduces additional requirements.

Similar to the Safe Harbor framework, the Privacy Shield is based on a system of self-certification. U.S. organizations seeking to take advantage of the Privacy Shield may self-certify with the U.S. Department of Commerce and by doing so, commit to follow the Privacy Shield Principles. The Privacy Shield will be enforced by the Federal Trade Commission (“FTC”).

Key Updates

The most notable differences between Safe Harbor and the Privacy Shield are found in the Draft Commission Implementing Decision Regarding the Adequacy of the Protection Provided by the European Union-U.S. Privacy Shield (the “Implementing Decision”). The Implementing Decision provides that certified companies must contractually obligate the recipient of personal information (in onward transfer contracts) to notify the Privacy Shield-certified company if the recipient is unable to provide the level of protection required by the Privacy Shield Principles. Certified companies must also contractually obligate third parties to delete or de-identify personal information if such information is no longer relevant to the purposes for which it was initially processed.

Grace Period

To incentivize organizations to use the new Privacy Shield, the Implementing Decision also provides that if an organization files its self-certification within the first two months from the date the Privacy Shield becomes effective, it will be granted a nine-month grace period to bring its contracts with third-party processors into conformity with the new Privacy Shield requirements.

Clarification of Privacy Principles

The current EU Directive 95/46/EC (as well as the new General Data Protection Regulation (EU) 2016/679) sets forth a series of Privacy Principles, including lawful processing, fair processing, relevancy, accuracy, accountability, limited retention, and recourse, enforcement and liability. The Implementing Decision clarifies its analysis of the Privacy Principles and how they should be implemented. For example:

i. Accountability—The Accountability Principle provides that transfers of personal information are permissible only for limited and specified purposes, based in contract, and only if such contract provides the same level of protection as required by the Privacy Principles. The Implementing Decision further states that the requirement to provide the same level of protection as guaranteed by the Privacy Principles applies equally to all parties involved in the processing, even when a third-party recipient of personal information transfers such information to another third party (e.g., a sub-processor).

ii. Recourse, Enforcement and Liability—The Recourse, Enforcement and Liability Principle requires that organizations provide data subjects with recourse when personal information has been processed in violation of the relevant data protection law. The Implementing Decision further provides that organizations that fail to appropriately address complaints from data subjects will be subject to FTC investigation.

What Now?

For those organizations that took a wait-and-see approach after the Safe Harbor was struck down, the wait is over and the Privacy Shield is the answer. Though more stringent than its predecessor, it should provide legal assurance to organizations that do not want to transfer personal information from the EU to the U.S. via binding corporate rules or model contracts.

Kirton McConkie’s International section routinely advises clients on all aspects of data privacy regulation in the EU and in many other countries around the world.