EU-U.S. Privacy Shield Framework Text Published: Imposes New Obligations on U.S. Entities that Seek Data Transfers from the EU

Ballard Spahr LLP

The European Commission (EC) has released details of the EU-U.S. Privacy Shield, a new framework under which personal data may be transferred from the European Union (EU) to the United States. The Privacy Shield replaces the Safe Harbor framework, which was invalidated by the Court of Justice of the European Union in October 2015. To join the Privacy Shield framework, U.S. companies must self-certify that they are compliant with a set of privacy principles. These principles are more granular than the principles set forth in the Safe Harbor and, for many companies, will require significant work to ensure compliance.

Under the Privacy Shield, participating U.S. companies must provide a detailed disclosure of their collection and use of information collected from individuals, including:

  • The purposes for which personal information is disclosed to third parties
  • The right of individuals to access their personal data
  • The independent dispute resolution body designated to address complaints
  • The fact that the company is subject to the investigatory and enforcement powers of the FTC or any other U.S. authorized statutory body
  • The fact that the company is required to disclose personal information in response to lawful requests by public authorities and the company's liability in cases of onward transfers to third parties
  • The possibility for individuals to invoke binding arbitration.

If requested in the course of a regulatory investigation, U.S. companies will be required to make available their records on the implementation and compliance with Privacy Shield requirements. U.S. companies transferring data to a third-party processor must have contracts in place that protect personal data of EU citizens. The Privacy Shield also includes provisions to ensure continuity of privacy protections in the event of a corporate merger or takeover.

In addition to being more granular than the Safe Harbor, the Privacy Shield includes increased mechanisms for ensuring compliance. More specifically:

  • Under the Privacy Shield, companies are obligated to respond to individuals’ complaints within 45 days and to comply with advice from the relevant EU data protection authorities (DPAs)
  • Companies must also provide a free-of-charge alternative dispute resolution mechanism for resolving individuals' complaints
  • The Federal Trade Commission (FTC) will make enforcement of the Privacy Shield a high priority and will enforce violations of the Privacy Shield requirements as an "unfair or deceptive act or practice" under Section 5 of the FTC Act
  • The Department of Commerce (DOC) will monitor false claims regarding participation in the Privacy Shield and issue warnings and other corrective actions, including pursuing legal recourse and referring matters to the FTC, Department of Transportation, or other enforcement agencies
  • DOC will conduct periodic compliance reviews and assessments of the Privacy Shield program
  • DOC will establish a dedicated contact for EU DPA complaints, and must respond to such complaints within 90 days
  • DOC will also establish an arbitration mechanism to be conducted by a Privacy Shield Panel whose decisions will be binding against certified companies
  • DOC, FTC, and other agencies will hold annual meetings with the European Commission and DPAs to discuss the Privacy Shield
  • The Department of State will appoint an independent ombudsman to address complaints and inquiries regarding any access of personal data for national security purposes.

Before it goes into effect, the Privacy Shield will need to be approved by the Article 29 Working Party (expected to occur in mid-April) and by the EU College of Commissioners, which will likely not occur until at least summer of 2016. Companies that transfer personal information from the EU to the United States and intend to use the Privacy Shield should consider taking steps now to comply with the framework, as such steps may require significant work. One such step is amending existing privacy policies to comply with the enhanced notice requirement. In addition, companies that do not have written policies and procedures that could be used to attest compliance with the Privacy Shield principles should consider drafting such policies now, or amending existing policies.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Ballard Spahr LLP
