By Peter Guffin, Visiting Professor of Practice
It’s been almost one year since the EU-U.S. Privacy Shield (Privacy Shield) came into existence. Its upcoming annual review in September by the European Commission (Commission) and the U.S. Department of Commerce (DOC) – its first such review – is being viewed by many as a pivotal test for the framework. Success will boost confidence in the Privacy Shield’s durability, a vulnerability often cited by its critics. Even if it passes, however, the Privacy Shield is likely to continue to face challenges going forward.
Thus, for U.S. companies presently considering self-certification, the timing is right to ask the question whether the Privacy Shield is here to stay, and if so, how it might change going forward. To answer these questions, I think we need to recall the Privacy Shield’s origins and the context in which it arose, as well as fully understand its requirements and what compliance entails.
It is also important for U.S. companies to consider the costs and difficulty of implementing the Privacy Shield in an organization; the durability of the Privacy Shield in view of the legal challenges to its existence and other vulnerabilities; and the uncertainties about how it will work (or not) with the General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018.
I will be exploring this subject in a series of posts in an effort to illuminate the issues and to try to answer the questions above.
First, a quick refresher on the Privacy Shield and some figures regarding its current adoption in the U.S.
The Privacy Shield was designed by the DOC and the Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union (EU) to the U.S. in support of transatlantic commerce. Personal data means data about an identified or identifiable individual that falls within the scope of the Data Protection Directive. On July 12, 2016, the Commission deemed the Privacy Shield adequate to enable data transfers under EU law, and on August 1, 2016 the DOC began accepting self-certifications from U.S. companies to join the program, which is voluntary.
To be eligible to participate in the Privacy Shield program, the organization must be subject to the jurisdiction of the Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT). While many U.S. companies will qualify, some will not. For example, neither the FTC nor DOT has jurisdiction over certain organizations such as depository institutions, telecommunications companies, air carriers, labor associations, and non-profit organizations, so these organizations are not eligible to participate. By self-certifying, a company is committing itself publicly to complying with the Privacy Shield Principles (including Supplemental Principles), which commitment is enforceable under U.S. law through either the FTC or DOT.
As of July 2017, approximately 2,200 companies had self-certified through the DOC. About sixty percent of these organizations are small to mid-sized companies, and they range across all areas of commerce. The filing fees for certification are nominal and based on the total revenue of the organization applying, but generally are less than $1,000.
The Privacy Shield Principles are comprehensive and detailed, and there’s some subtlety, ambiguity and complexity in them which may not be well understood. Some of the terminology and requirements will be new and may seem strange to U.S. companies. This U.S. perception should not come as a surprise, since the Privacy Shield serves as a bridge between two very different data protection regimes influenced by significant cultural differences in their conception of privacy. The Privacy Shield Principles incorporate many core EU data protection principles and some of them go far beyond generally accepted and customary privacy practices in the U.S.
Many U.S. companies will likely view the requirements of the Privacy Shield as burdensome and onerous. Some of them will likely decide that the Privacy Shield is too costly and difficult to implement within their organizations, and they will look for an alternative solution to address their transatlantic commerce needs. Before signing on, companies are well-advised to review carefully the Privacy Shield Principles to make sure they are a good fit for the organization and worth the investment.