Next week the EU-U.S. Privacy Shield goes into effect, providing a streamlined program for American companies to efficiently – and legally – transfer user data from the EU. Here’s everything you should know about how it came to be, and how to participate:

The Backstory

In 1998, the European Commission forbade the transfer of personal data outside the European Union (EU) to countries that failed to meet “adequate” privacy protections. This directive impacted every American company that transferred user data from EU member countries to the United States.

To streamline compliance with this directive, the U.S. and EU governments developed the EU-U.S. Safe Harbor for U.S. organizations under the jurisdiction of the Federal Trade Commission (FTC) or Department of Transportation (DOT). The Safe Harbor assured companies that publicly attested to meeting its requirements that they could legally collect and use data originating in the EU and store this data in the United States. Approximately 4,500 U.S. companies relied on this legal framework to conduct business and provide services to more than 800 million people on two continents.

But in 2015, the Court of Justice of the European Union (CJEU) found that the U.S. government’s approach to privacy did not meet the adequacy standard required by the European Commission’s directive. This led to the collapse of the Safe Harbor, leaving thousands of companies in limbo as to whether their data practices complied with EU law.

Since then, governments on both sides of the Atlantic have worked to find a new construct that would meet the adequacy requirement outlined by the European Commission. These efforts resulted in the EU-U.S. Privacy Shield, which was shared publicly in early 2016. Earlier this month, the European Commission deemed the Privacy Shield adequate to enable data transfers under EU law.

What is the EU-U.S. Privacy Shield?

The EU-U.S. Privacy Shield is a set of principles that allow U.S. companies subject to FTC or DOT jurisdiction to self-certify their compliance with EU data protection rules.

Why Participate in the EU-U.S. Privacy Shield?

If a company is doing business (or planning to do business) in the EU, the Privacy Shield provides a streamlined, less expensive means to comply with EU data protection laws. Once a company joins the Privacy Shield it will likely avoid complex contract negotiations with potential EU business partners that it would otherwise face. Participating in the Privacy Shield also clarifies a company’s commitment to data security and privacy.

What Does the EU-U.S. Privacy Shield Require?

To participate in Privacy Shield, a company must self-certify its commitment to the seven Privacy Shield principles. These include:

  1. Notice – clear language for the public stating what data a company collects, why it collects it, and that it is participating in the Privacy Shield
  2. Choice – clear and obvious means for individuals to opt out of the disclosure of their personal data, its use, or its transfer to a third party
  3. Accountability for Onward Transfer – data transfer contracts with third parties must provide the same level of privacy protection as required by the Privacy Shield
  4. Security – take reasonable steps to prevent data loss or misuse
  5. Data Integrity and Purpose Limitation – data collected should be limited to the purposes of intended use
  6. Access – individuals must be provided with access to their personal data, and be able to correct or delete it when it is inaccurate or processed counter to the Privacy Shield
  7. Recourse, Enforcement, and Liability – implement processes for (a) complaints from individuals about their data, (b) verifying compliance with the Privacy Shield, and (c) addressing failures to comply with the Privacy Shield

Even if a company self-certified under the (now-invalid) EU-U.S. Safe Harbor, it should ensure compliance with the Privacy Shield’s seven principles before going through the self-certification process. Failure to comply with the principles after self-certifying will leave companies open to enforcement by the FTC or DOT.

Some key steps companies should take include:

  • Ensure eligibility
  • Develop a privacy policy statement that complies with (and references) the Privacy Shield
  • Put processes into place to comply with this privacy policy, including means to address complaints from EU citizens
  • Pay an annual cost recovery fee to the U.S. Department of Commerce

The Department of Commerce has issued a guide to self-certification with more details that can be accessed here.

When Can I Self-Certify to the EU-U.S. Privacy Shield?

The Department of Commerce will begin accepting certifications on August 1, 2016. 

Does Participating in the EU-U.S. Privacy Shield Cost Money?

Yes. The Department of Commerce requires an annual cost recovery fee from companies that participate in the Privacy Shield. The amount depends on an organization’s annual revenue but ranges from $250 to $3,250.

Where Can I Learn More about the EU-U.S. Privacy Shield?
