The U.S. Department of Commerce (DOC) and European Commission (EC) designed the Privacy Shield program to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the EU to the U.S. for commercial purposes. The Privacy Shield program became operational in August 2016. Per estimates about 700 U.S. companies have secured self-certification status, agreeing to maintain processes to uphold the privacy principles agreed to by the U.S. and the EU on such things as notice, choice, access and accountability for the onward transfer of personal European data to the U.S.
The Privacy Shield replaces the former Safe Harbor framework, which was invalidated in the 2015 Schrems-Facebook case. Since then, businesses have experienced enormous uncertainty around data transfers, not to mention legal bills. Companies weighed alternatives while European authorities continued to pursue investigations of U.S. internet behemoths under EU and national data protection laws. A London privacy attorney sees Max Schrems, who filed the action against Facebook, as “as big of a disrupter as [Edward] Snowden. What [Schrems has] done has had a considerable impact on business,” says Robert Bond, a veteran privacy attorney at Charles Russell Speechlys LLC. Some 5,534 organizations signed up to Safe Harbor before the court ruling came.
Early Participants
Companies from Dun & Bradstreet to Northrop Grumman to the marketing automation company Marketo now appear on the new Privacy Shield list as active participants. Oracle, Workday, Microsoft and Google are listed too. Facebook is, so far, conspicuously absent (as of September 30).
The U.S. administration reports that it is checking applications more than it did under Safe Harbor, resulting in a longer process. By mid-September, 200 companies had been certified, according to U.S. officials. EU commissioner Věra Jourová, a chief architect of the Privacy Shield, said that the U.S. is reviewing the privacy policies of an additional 190 companies and that another 250 are completing their applications. Many of the over 5,500 Safe Harbor companies have yet to appear on the Privacy Shield list.
The Privacy Shield Website
The Privacy Shield website presents information on each company, descriptions of the human resources (HR) and non-HR data they process and for what purpose, and dispute resolution contacts. Google, for example, provides their privacy chief’s name, a general number and the data protection office’s email address. Other companies list what appear to be direct phone numbers and email addresses for their chief privacy officers and general counsels. Let’s hope the latter have good email filters, once sales people get ahold of their information.
How to Self-Certify
Participants transferring data across the Atlantic under the Privacy Shield have to self-certify that they are adhering to the Privacy Shield principles. Self-certification has five requirements.
First, confirm Federal Trade Commission (FTC) or Department of Transportation (DOT) jurisdiction over the organization seeking to join the Privacy Shield program. FTC, for instance, covers general commerce, but not banks or telecommunications. Second, participants must have a publicly available privacy policy that complies with the Privacy Shield principles and specifically states that it complies with the Privacy Shield. (HR privacy policies need not be made public.) Third, an independent recourse mechanism must be available so that data owners can get unresolved complaints investigated. Alternatively, a participant can agree to resolve issues cooperatively with the EU Data Protection Authorities (DPAs). Regardless, working with the DPAs is a requirement for all HR data. The fourth self-certification requirement mandates the establishment of annual compliance verification procedures. Fifth, participants must publicly name a contact to respond to questions or complaints from individuals or authorities.
Companies that submitted self-certification filings before September 30 earned a nine-month grace period to get existing third parties’ agreements in line regarding the onward transfer of personal data.
Privacy Shield Costs
The DOC established what it calls a cost recovery annual fee for self-certification. The fee is based on the participant’s annual revenue (shown below). The money will help cover Privacy Shield operational and administrative costs.
| Organization’s Annual Revenue | Annual Fee |
|---|---|
| $0 to $5 million | $250 |
| Over $5 million to $25 million | $650 |
| Over $25 million to $500 million | $1,000 |
| Over $500 million to $5 billion | $2,500 |
| Over $5 billion | $3,250 |
Source: www.privacyshield.gov/program-overview
There are additional fees as well. One is an annual fee to fund the arbitration of complaints with the dispute resolution partner chosen by the participant to ensure that the process is free of charge for the EU citizen. Participants will be notified of their arbitral fee following U.S. and EU officials’ agreement on arbitration procedures, expected in a few months. Participants using the DPAs for arbitration and any participant processing HR data must also pay a $50 annual fee to cover these costs.
DPAs’ Role
DPAs’ advice on the Privacy Shield will be delivered through an informal panel of DPAs established at the European Union level. The panel will provide advice to U.S. organizations related to unresolved individual complaints about the handling of personal information transferred from the EU to the U.S. under the Privacy Shield. This advice will be designed to ensure that the Privacy Shield principles are being applied correctly and will include any remedies for individual concerns that the DPAs consider appropriate. U.S. companies will be very keen to see what this means in practice.
Will Companies Opt for Alternatives?
Many companies have chosen a wait-and-see approach with the Privacy Shield. Rather than sign up under a new program that is very likely to be challenged, they have spent enormous effort getting third-party contracts in line with model contract clauses (MCCs), an EU-approved data protection mechanism for personal data transfer. The EU permits the data controller or processor to use standard data protection clauses adopted by the commission or by a supervisory authority. The other alternative to the Privacy Shield is for companies to have tight protections over intracompany data transfers, such as sending EU HR data to a U.S. office for data roll-ups, reporting, etc. Known as binding corporate rules (BCRs), this approach is akin to having strong information governance protocols across your organization to protect personal information, including EU data stored in the U.S.
Privacy Shield Challenges Loom
The Privacy Shield will no doubt be dragged into court and placed under regulatory scrutiny. Earlier this year, the Hamburg DPA, Johannes Caspar, who has initiated many investigations against U.S. internet giants, proclaimed that he will challenge the Privacy Shield. Yet Caspar faces at least two barriers. One, the DPAs group agreed in August that no action would be taken until after the program’s first annual review. Two, he must wait until his petition to amend German law to let DPAs bring actions directly to the EU Court of Justice (EUCJ) is passed.
In May, the Irish Data Protection Authority referred the Safe Harbor–killing Schrems-Facebook case to the EUCJ once again, this time for a ruling on the legal status of Facebook’s data transfers under MCCs. Though the sole focus is Facebook’s MCCs, this ruling could eventually have a broader impact as precedent. The ruling could take months, creating some uncertainty for EU businesses with U.S. offices or those that use U.S. service providers. Similarly, U.S. companies transferring data to the U.S. from EU offices or service providers under MCCs will want to track this case.
As the months go by, we’ll all watch to see if more companies join the Privacy Shield and what kinds of challenges the new program faces. Early reports seem to indicate a trend toward the wait-and-see approach. This is especially true for companies whose primary business is not internet-based or heavily dependent on personal data transfers.
Published November 4, 2016.