On July 16, 2020, the Court of Justice of the European Union (CJEU) issued a landmark judgement that Privacy Shield is “invalid” because it does not provide “adequate protection” under Article 45 of the General Data Protection Regulation (GDPR) for transfers of personal data of individuals located in the European Union to the United States.
Privacy Shield Framework
The EU – U.S. Privacy Shield Framework was designed in conjunction with the U.S. Department of Commerce and the European Commission to give European and U.S. companies engaged in transatlantic commerce a mechanism for complying with EU data protection requirements when transferring personal data from the European Union to the U.S.
U.S.-based organizations interested in joining the Privacy Shield Framework will be required to self-certify to the Department of Commerce; applications open for eligible organizations on August 1st.
Self-Certification Process
An organization must confirm participation in Privacy Shield on an annual basis. Any organization under the jurisdiction of the U.S. Federal Trade Commission (FTC) or Department of Transportation (DOT) may participate. In order to self-certify, organizations must do the following:
- Identify the organization’s independent recourse mechanism available to investigate unresolved complaints: The recourse mechanism must be registered, where required, and be in place prior to self-certification. A private-sector dispute resolution program can be used as the independent recourse mechanism. It must be available at no cost to the individual.
- Alternatively, organizations can comply with the EU data protection authorities (DPAs), but they must then adhere to the DPAs with respect to all data:
  - If the organization’s self-certification will cover human resources data (for example, personal information about current and former employees), then the organization must comply with the EU DPAs with respect to such data.
- Ensure the organization’s verification process is in place: The organization can use a self-assessment program or a third-party assessment program.
- Designate an individual within the organization who is responsible for addressing questions, complaints, access requests, and other issues that may arise: This individual can be a corporate officer or another official within the organization, and they must respond to all requests within 45 days of a complaint.
As a whole, Privacy Shield imposes more obligations with regard to data protection and privacy than existed under the Safe Harbor framework. Because of these heightened standards, organizations that intend to certify should review their existing policies and procedures, specifically those regarding notice, choice, access, onward transfers, and recourse, to ensure that they fit within the Framework.