To Join Or Not To Join: Is The EU-U.S. Privacy Shield Right For You?

Author: Mr Aaron Tantleff
Profession: Foley & Lardner

With the Article 29 Working Party's position on the adequacy decision for the EU-U.S. Privacy Shield framework agreement (Privacy Shield) expected this week, U.S. businesses should be evaluating their privacy options and preparing to make significant adjustments to internal procedures. In this newsletter, we cover key considerations for businesses weighing whether to join the Privacy Shield, what to expect following last week's leak, and the impact of a possible rejection of the decision.

Joining the Privacy Shield is completely voluntary, and it is a decision that no U.S. organization should take lightly, especially as there are other mechanisms for transatlantic data transfers, such as the EU Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). The Privacy Shield introduces substantial additional obligations and liability for U.S. organizations, including:

- An annual registration and self-certification process
- Agreeing to the Privacy Principles, which include:
  - Notice
  - Choice
  - Security
  - Data Integrity and Purpose Limitation
  - Access
  - Accountability for Onward Transfers
  - Recourse, Enforcement, and Liability
- Subjecting the organization to oversight by the U.S. Department of Commerce and the Federal Trade Commission (FTC)
- Including a declaration of the organization's commitment to comply with the Privacy Principles in its privacy policy, including a link to the Department of Commerce's Privacy Shield website for any online privacy policy
- A commitment to cooperate with the relevant Data Protection Authorities (DPAs) in the investigation and resolution of complaints, for any organization that processes EU human resources data

Accordingly, in addition to registering with the Privacy Shield, a U.S. organization must also publicly commit to comply with the Privacy Shield's requirements. Once publicly committed, that commitment becomes enforceable under U.S. law.

Failure to comply with the Privacy Shield requirements could result in sanctions or exclusion from the framework. Even if an organization determines that it no longer wants to participate in the Privacy Shield and elects to withdraw, it may remain subject to the Privacy Shield's obligations for a long time. Any U.S. organization that was part of the Privacy Shield and elects to withdraw, yet wishes to retain information collected while it was a participant, would be required to annually re-certify its commitment to apply the Privacy Principles to...
